Commit graph

51 commits

Author SHA1 Message Date
François Vantomme
eb812032e1 security(csp): whitelist amazon AWS for S3 storage 2023-01-11 12:59:19 +01:00
Paul Chavard
07173401de fix(graphql): load playground from CDN 2022-11-17 15:50:05 +01:00
François Vantomme
9bdce77faa chore(csp): allow self-hosted Sentry 2022-11-08 09:49:45 +01:00
Paul Chavard
ea18c2b9ba chore(build): use vitejs 2022-06-23 15:22:54 +02:00
Paul Chavard
9e0b3b642f cleanup(sendinblue): remove sendinblue tracking 2022-05-06 11:14:44 +02:00
Paul Chavard
44c64669e9 Revert "Merge pull request #6787 from tchak/use-vite"
This reverts commit 5d572727b5, reversing
changes made to 43be4482ee.
2022-03-31 12:07:52 +02:00
simon lehericey
250b699664 remove duplicate csp 2022-03-29 16:27:08 +02:00
Paul Chavard
187e84a010 feat(assets): use vitejs to build javascript 2022-03-29 16:27:08 +02:00
Pierre de La Morinerie
3481d27cba config: block browser external connections during system tests
During system tests, we don't want the headless browser to load
external resources:

- It is faster (we don't wait for external resources to be loaded)
- It avoids leaking our test setup to external services

Fixes #6982
2022-02-22 17:24:25 +01:00
Pierre de La Morinerie
6d5f44d489 config: translate the CSP comments from french to english 2022-02-22 17:17:55 +01:00
Pierre de La Morinerie
c2729ab7e2 config: add Matomo to the frame_src Content Security Policy
Solves the Matomo iframe being blocked on `/suivi`. Fix #5868
2022-02-15 15:56:53 +01:00
Pierre de La Morinerie
3276db016f config: add Matomo to the connect_src Content Security Policy
Solves Matomo connections being blocked. Fix #6949
2022-02-15 15:56:53 +01:00
Pierre de La Morinerie
6fa52e8a5a config: report CSP violations to report-uri 2022-02-15 12:49:52 +01:00
Pierre de La Morinerie
0b2775a1a6 config: add back DS_PROXY_URL to CSP
Otherwise a bunch of "static.demarches-simplifiees.fr" domains would
be missing.
2022-02-15 12:49:52 +01:00
François Vantomme
d5f207d98c refactor(url): use env variables in content security policies 2022-02-15 12:49:52 +01:00
Pierre de La Morinerie
3e20ea13d8 Revert "Use environment variables when declaring Content Security Policies" 2022-02-08 22:20:08 +01:00
François Vantomme
8eaecd184a refactor(url): use env variables in content security policies 2022-02-08 15:15:55 +01:00
Pierre de La Morinerie
5990439ab7 app: update code to Rails 6.1 2021-03-25 13:24:53 +01:00
Paul Chavard
91be115c70 Add annuaire_education champ ui 2021-01-14 17:57:48 +01:00
kara Diaby
3d56b1d8b0 fix bootstrap cdn 2020-10-22 15:00:01 +02:00
Paul Chavard
f1cbc9846e Add carte ign 2020-07-30 16:58:20 +02:00
clemkeirua
db0d230531 add cdn.jsdeliver.net to the CSP 2020-07-27 16:54:46 +02:00
clemkeirua
7e085c657d specific deactivation of rubocop DS/ApplicationName rule 2020-07-23 16:20:16 +02:00
kara Diaby
2fc438ab65 Fix safari and firefox compatibility mapbox gl 2020-04-30 14:14:03 +02:00
kara Diaby
9aea1fffee Migrate the map editor to mapbox-gl with react component 2020-04-27 11:30:32 +02:00
Pierre de La Morinerie
37645d3df2 config: fix (again) the CSP when running a LiveReload server locally
When running the app using `bin/webpack-dev-server` (the external
(and fast) assets server), LiveReload is used. We need to explicitly
allow the LiveReload connections in the CSP policy.

Turns out we now need to specify the protocol explicitly.
2020-04-20 17:24:16 +02:00
kara Diaby
56e9834389 Revert "Revert "Revert "Revert "feat/4893 - migrate the mapReader to mapbox-gl with react""""
This reverts commit 473ed00b6c.
2020-04-09 11:01:20 +02:00
kara Diaby
473ed00b6c Revert "Revert "Revert "feat/4893 - migrate the mapReader to mapbox-gl with react"""
This reverts commit fe0b3c2215.
2020-04-07 18:14:07 +02:00
kara Diaby
fe0b3c2215 Revert "Revert "feat/4893 - migrate the mapReader to mapbox-gl with react""
This reverts commit 3e21b78142.
2020-04-07 18:11:11 +02:00
Pierre de La Morinerie
3e21b78142 Revert "feat/4893 - migrate the mapReader to mapbox-gl with react" 2020-04-07 15:32:14 +02:00
kara Diaby
aa56cfd7a0 migrate map to mapbox-gl with a react component 2020-04-02 15:39:47 +02:00
Pierre de La Morinerie
ea94ea05a0 config: configure CSP to allow live-reload requests
This avoids CSP errors when using the `bin/webpack-dev-server` external
assets compilation server.
2020-03-18 13:26:54 +01:00
Paul Chavard
14295db9ad Revert "Revert "Merge pull request #4552 from tchak/champ-communes""
This reverts commit 4373cb22cb.
2020-01-14 18:46:07 +01:00
clemkeirua
4373cb22cb Revert "Merge pull request #4552 from tchak/champ-communes"
This reverts commit 4cec26f73a, reversing
changes made to 0ef25ef36c.
2020-01-13 16:26:27 +01:00
Paul Chavard
22aa2d4ee0 Make all location champs autocomplete 2020-01-07 11:52:51 +01:00
clemkeirua
6351eabfdd remove notification to report-uri in production 2019-11-07 17:32:40 +01:00
Chaïb Martinez
f2386a5800 Add crisp help domain to default policy src
[fix #4234]

Signed-off-by: Chaïb Martinez <chaibax@gmail.com>
2019-08-27 10:30:10 +02:00
clemkeirua
dfefb827d9 missing connect-src 2019-07-02 10:50:10 +02:00
clemkeirua
d6f2de2fbf enable static + activate csp in production 2019-07-02 09:40:38 +02:00
clemkeirua
eaf850c1e9 enable csp 2019-06-27 11:10:29 +02:00
clemkeirua
f19b5f8911 fix csp rule for crisp websocket 2019-06-26 12:37:55 +02:00
clemkeirua
7064f7e973 enable crisp websockets and css 2019-06-25 17:39:08 +02:00
clemkeirua
d3c6021ef4 add duplicate rules as fallback 2019-06-20 11:34:24 +02:00
clemkeirua
dc6c2e6bc0 add missing elements 2019-06-17 17:05:08 +02:00
clemkeirua
765b10026e more generic elements to the security policy 2019-06-17 09:51:27 +02:00
clemkeirua
5cbbbb8d3e more whitelist for the common domains we use 2019-05-20 09:52:44 +02:00
clemkeirua
6fe4031b2e use constant for localhost 2019-05-15 16:33:27 +02:00
clemkeirua
b670b60ac6 change the report-uri URI 2019-05-15 15:32:00 +02:00
clemkeirua
675cc5150c update on the security policy headers 2019-05-09 14:55:21 +02:00
clemkeirua
64b858ef19 handle Gon + add report-uri URL 2019-05-06 10:07:51 +02:00