change csp protection

betagouv · Aug 1, 2023 · e47d2f0 · e47d2f0
1 parent 8f26849
commit e47d2f0
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 23 deletions.
diff --git a/api/src/App.js b/api/src/App.js
@@ -67,7 +67,6 @@ export default class App extends AppBase {
       csp({
         enableWarn: true,
         policy: {
-          'default-src': ['none'],
           'connect-src': [
             'https://www.google-analytics.com/j/collect',
             "'self'",
@@ -79,16 +78,12 @@ export default class App extends AppBase {
           ],
           'font-src': ["'self'", 'https://fonts.gstatic.com', 'data:'],
           'img-src': ["'self'", 'data:', 'https://js-eu1.hsforms.net', 'https://api.hubspot.com', 'https://forms-eu1.hsforms.com', 'https://forms.hsforms.com'],
-          'script-src': [
-            "'unsafe-eval'",
-            "'self'",
-            "'unsafe-inline' https://js-eu1.hsforms.net",
-            "'unsafe-inline' https://www.google-analytics.com/analytics.js",
-            'stats.data.gouv.fr',
-          ],
+          'script-src': ["'report-sample' 'self'", 'https://*.hsforms.net', 'https://stats.data.gouv.fr'],
           'worker-src': ['blob:'],
           'style-src': ["'self'", "'unsafe-inline'"],
           'frame-src': ['https://docs.a-just.beta.gouv.fr', 'https://meta.a-just.beta.gouv.fr', 'https://forms-eu1.hsforms.com/'],
+          'base-uri': ["'self'"],
+          'form-action': ["'self'"],
         },
       }),
     ])

diff --git a/front/angular.json b/front/angular.json
@@ -70,6 +70,14 @@
           },
           "configurations": {
             "production": {
+              "optimization": {
+                "scripts": true,
+                "styles": {
+                  "minify": true,
+                  "inlineCritical": false
+                },
+                "fonts": true
+              },
               "budgets": [
                 {
                   "type": "initial",
@@ -91,6 +99,14 @@
               "outputHashing": "all"
             },
             "staging": {
+              "optimization": {
+                "scripts": true,
+                "styles": {
+                  "minify": true,
+                  "inlineCritical": false
+                },
+                "fonts": true
+              },
               "budgets": [
                 {
                   "type": "initial",
@@ -112,6 +128,15 @@
               "outputHashing": "all"
             },
             "sandbox": {
+              "optimization": {
+                "scripts": true,
+                "styles": {
+                  "minify": true,
+                  "inlineCritical": false
+                },
+                "fonts": true
+              },
+
               "budgets": [
                 {
                   "type": "initial",

diff --git a/front/src/app/app.component.ts b/front/src/app/app.component.ts
@@ -50,8 +50,6 @@ export class AppComponent implements AfterViewInit {
       document.body.classList.add('iIOS')
     }
 
-    this.onControlSSL()
-
     router.events
       .pipe(filter((event) => event instanceof NavigationEnd))
       // @ts-ignore
@@ -99,16 +97,6 @@ export class AppComponent implements AfterViewInit {
   ngAfterViewInit(): void {
     this.listenSelectElement()
   }
-  /**
-   * Control si on est en SSL ou non
-   */
-  onControlSSL() {
-    if (location.protocol !== 'https:' && environment.forceSSL) {
-      location.replace(
-        `https:${location.href.substring(location.protocol.length)}`
-      )
-    }
-  }
 
   /**
    * Suppression de l'alert et du texte dans le service

diff --git a/front/src/index.html b/front/src/index.html
@@ -11,9 +11,6 @@
   <link rel="preconnect" href="https://fonts.gstatic.com">
   <link href="https://fonts.googleapis.com/css2?family=Roboto:wght@300;400;500&display=swap" rel="stylesheet">
   <script charset="utf-8" type="text/javascript" src="https://js-eu1.hsforms.net/forms/embed/v2.js"></script>
-  <script charset="utf-8" type="text/javascript">
-    var iframe = null
-  </script>
 </head>
 
 <body title="">