Conversation

pYassine (Contributor)

No description provided.

@revu-bot revu-bot bot requested a review from revu-bot September 18, 2025 17:41

@pYassine pYassine marked this pull request as ready for review September 18, 2025 17:41

@revu-bot revu-bot (Collaborator) left a comment


This PR improves security by removing 'unsafe-inline' from CSP directives and adding modern security headers. However, there's a critical issue where the media-src directive was removed from the frontend CSP, which could break media functionality. The CSP rules are becoming complex and may need better organization for maintainability.

@pYassine pYassine requested a review from revu-bot September 18, 2025 17:42

@revu-bot revu-bot (Collaborator) left a comment


This PR improves security by removing 'unsafe-inline' directives from CSP headers and adding modern security headers. However, the complete removal of the media-src directive could potentially break media functionality if the application loads audio/video content from external sources.

ingress:
customHeaders:
"Content-Security-Policy": "default-src 'none'; manifest-src 'self' https://*.gouv.fr; connect-src 'self' https://*.gouv.fr ; media-src 'self' https://domifaprod2.blob.core.windows.net/ https://tally.so/; font-src 'self'; img-src 'self' https://tally.so/ data:; script-src 'self' 'unsafe-inline' https://*.gouv.fr https://tally.so/ https://tally.so/widgets/embed.js ; frame-src 'self' https://*.gouv.fr https://tally.so/ ; style-src 'self' 'unsafe-inline'"
"Content-Security-Policy": "default-src 'none'; manifest-src 'self' https://*.gouv.fr; connect-src 'self' https://*.gouv.fr https://api.tally.so https://*.tally.so; font-src 'self' https://fonts.gstatic.com https://tally.so https://*.tally.so; img-src 'self' https://tally.so https://*.tally.so data:; script-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so; frame-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so; style-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so"
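Review bot: The new policy on the second line still sets no base-uri, form-action or frame-ancestors, and none of those fall back to default-src 'none', so they stay unrestricted; consider appending `base-uri 'self'; form-action 'self'` (and `frame-ancestors` unless the response already carries X-Frame-Options) in the same change. Note also that because default-src is 'none', dropping media-src blocks even same-origin audio/video, not only the external hosts that were listed.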
Collaborator

Same issue as the frontend CSP - the media-src directive has been removed. The portail-usagers previously allowed media from 'https://domifaprod2.blob.core.windows.net/' and 'https://tally.so/'. If this portal loads any media content, it will be blocked without the media-src directive.

Suggested change
"Content-Security-Policy": "default-src 'none'; manifest-src 'self' https://*.gouv.fr; connect-src 'self' https://*.gouv.fr https://api.tally.so https://*.tally.so; font-src 'self' https://fonts.gstatic.com https://tally.so https://*.tally.so; img-src 'self' https://tally.so https://*.tally.so data:; script-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so; frame-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so; style-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so"
"Content-Security-Policy": "default-src 'none'; manifest-src 'self' https://*.gouv.fr; connect-src 'self' https://*.gouv.fr https://api.tally.so https://*.tally.so; media-src 'self' https://domifaprod2.blob.core.windows.net/ https://tally.so/; font-src 'self' https://fonts.gstatic.com https://tally.so https://*.tally.so; img-src 'self' https://tally.so https://*.tally.so data:; script-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so; frame-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so; style-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so"
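Review bot: The suggested line reinstates media-src with the old trailing-slash spellings (`https://domifaprod2.blob.core.windows.net/ https://tally.so/`) while every other directive on the line uses the bare host plus `https://*.tally.so`; both spellings match the same URLs, but the mixed style makes the next review harder, so align it with the rest of the line. Before re-adding the Azure blob host, confirm the portal still loads audio or video from it; if its media is only same-origin, `media-src 'self'` alone is the tighter setting.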

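As an added illustration of the two points raised above (a dropped directive falling back to default-src 'none', and 'unsafe-inline' being removed), not code from this repository or from revu-bot: a small Python checker that parses the before/after frontend policies from this PR's diff and reports what was dropped, what now governs it, what changed per directive, and which directives lost 'unsafe-inline'. The fallback table and the trailing-slash folding are my own reading of CSP Level 3 matching rules, not anything the PR states.

```python
"""Diff two Content-Security-Policy values: what a change drops, relaxes or hardens."""
# Fetch directives that fall back to default-src when absent (CSP Level 3).
FALLS_BACK_TO_DEFAULT = {"child-src", "connect-src", "font-src", "frame-src", "img-src",
                         "manifest-src", "media-src", "object-src", "script-src", "style-src", "worker-src"}

def _norm(source: str) -> str:
    # "https://tally.so/" and "https://tally.so" match the same URLs (a bare "/" path is a
    # prefix match for everything), so fold the two spellings together before comparing.
    return source[:-1] if source.endswith("/") and source.count("/") == 3 else source

def parse_csp(policy: str) -> dict[str, set[str]]:
    """'a x y; b z' -> {'a': {'x','y'}, 'b': {'z'}}; a repeated directive is ignored by browsers."""
    out: dict[str, set[str]] = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            out.setdefault(parts[0].lower(), {_norm(s) for s in parts[1:]})
    return out

def diff_csp(old: str, new: str) -> tuple[dict, dict, list]:
    """Return (dropped directive -> sources now governing it, None if nothing does;
    directive -> (removed sources, added sources); directives that lost 'unsafe-inline')."""
    o, n = parse_csp(old), parse_csp(new)
    dropped = {}
    for name in o.keys() - n.keys():
        # Under default-src 'none' a dropped fetch directive now blocks everything it governed;
        # base-uri, form-action and frame-ancestors have no fallback and become unrestricted.
        fb = n.get("default-src", set()) if name in FALLS_BACK_TO_DEFAULT else None
        dropped[name] = None if fb is None else sorted(fb)
    changes = {}
    for name in o.keys() & n.keys():
        gone, added = sorted(o[name] - n[name]), sorted(n[name] - o[name])
        if gone or added:
            changes[name] = (gone, added)
    hardened = sorted(d for d in changes if "'unsafe-inline'" in changes[d][0])
    return dropped, changes, hardened

# Before/after frontend policies copied from this PR's diff.
OLD = ("default-src 'none'; manifest-src 'self' https://*.gouv.fr; connect-src 'self' https://*.gouv.fr ; "
       "media-src 'self' https://domifaprod2.blob.core.windows.net/ https://tally.so/; font-src 'self'; "
       "img-src 'self' https://tally.so/ data:; script-src 'self' 'unsafe-inline' https://*.gouv.fr https://tally.so/ "
       "https://tally.so/widgets/embed.js ; frame-src 'self' https://*.gouv.fr https://tally.so/ ; style-src 'self' 'unsafe-inline'")
NEW = ("default-src 'none'; manifest-src 'self' https://*.gouv.fr; connect-src 'self' https://*.gouv.fr https://api.tally.so https://*.tally.so; "
       "font-src 'self' https://fonts.gstatic.com https://tally.so https://*.tally.so; img-src 'self' https://tally.so https://*.tally.so data:; "
       "script-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so; frame-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so; "
       "style-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so")

if __name__ == "__main__":
    for label, part in zip(("dropped", "changed", "lost unsafe-inline"), diff_csp(OLD, NEW)):
        print(f"{label}: {part}")
```

Run against the PR's two policies it reports media-src as dropped and now governed by 'none', and script-src and style-src as the directives that lost 'unsafe-inline'.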
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 65.41%. Comparing base (dbd3309) to head (e4b786b).


@@           Coverage Diff            @@
##           master    #3916    +/-   ##
========================================
  Coverage   65.41%   65.41%            
========================================
  Files         964      964            
  Lines       16469    16469            
  Branches     2286     2283     -3     
========================================
  Hits        10773    10773            
+ Misses       5509     5352   -157     
- Partials      187      344   +157     

see 67 files with indirect coverage changes


@pYassine pYassine merged commit 8fe9bd1 into master Sep 18, 2025
14 of 18 checks passed
@pYassine pYassine deleted the update-csp branch September 18, 2025 18:09
@tokenbureau tokenbureau bot commented Sep 18, 2025

🎉 This PR is included in version 2.221.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@tokenbureau tokenbureau bot added the released label Sep 18, 2025
3 participants