Add tools-security.esy-web.dev to script-src CSP directive

Direct script loading requires the domain in script-src,
not just connect-src. Added to both base and prod config.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Serreau Jovann
2026-03-24 10:01:47 +01:00
parent 8223e0b954
commit b075209746
2 changed files with 2 additions and 0 deletions


@@ -32,6 +32,7 @@ nelmio_security:
script-src:
- 'self'
- 'https://static.cloudflareinsights.com'
- 'https://tools-security.esy-web.dev'
- 'https://challenges.cloudflare.com'
- 'https://cdn.jsdelivr.net'
- 'https://js.stripe.com'
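Review bot: The new `'https://tools-security.esy-web.dev'` entry in `script-src` allows every script served from that origin, not only the one the page loads. If a single file is needed, consider narrowing the source to its path (for example `https://tools-security.esy-web.dev/<path-to-script>`, placeholder), and add a comment above the entry naming the script that requires it, since none of the entries in this list records why it is there.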


@@ -5,6 +5,7 @@ nelmio_security:
- 'self'
- 'nonce'
- 'https://static.cloudflareinsights.com'
- 'https://tools-security.esy-web.dev'
# Restreindre les soumissions de formulaires à notre domaine
# et aux redirections OAuth des plateformes de partage social