From c2789c8edd5de87cbc79c0e68441da93950bf2a2 Mon Sep 17 00:00:00 2001
From: Maxime Quandalle
Date: Mon, 10 May 2021 11:54:56 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Ajoute=20une=20politiqu?=
 =?UTF-8?q?e=20de=20s=C3=A9curit=C3=A9=20de=20contenu=20HTTP?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
mon-entreprise/source/components/Feedback/FeedbackForm.tsx | 5 ++++-
netlify.toml | 7 +++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/mon-entreprise/source/components/Feedback/FeedbackForm.tsx b/mon-entreprise/source/components/Feedback/FeedbackForm.tsx
index 5ae914241..1d3df570a 100644
--- a/mon-entreprise/source/components/Feedback/FeedbackForm.tsx
+++ b/mon-entreprise/source/components/Feedback/FeedbackForm.tsx
@@ -1,11 +1,14 @@
 import { ScrollToElement } from 'Components/utils/Scroll'
-import React, { useEffect } from 'react'
+import { useEffect } from 'react'
 import { useTranslation } from 'react-i18next'
 import { useLocation } from 'react-router'
 declare global {
 const $: any
 }
+
+// TODO: we could implement the form logic ourselves to avoid including
+// https://mon-entreprise.zammad.com and https://code.jquery.com scripts
 export default function FeedbackForm() {
 // const tracker = useContext(TrackerContext)
 const pathname = useLocation().pathname
diff --git a/netlify.toml b/netlify.toml
index 3646d8b5e..94d8b8ecb 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -1,3 +1,10 @@
+[[headers]]
+for = "/*"
+[headers.values]
+# TODO : self-host emojies to remove twemoji.maxcdn.com
+# https://github.com/betagouv/mon-entreprise/issues/1219
+Content-Security-Policy = "default-src 'self' mon-entreprise.fr; style-src 'self' 'unsafe-inline' mon-entreprise.zammad.com; connect-src 'self' *.sentry.io raw.githubusercontent.com *.xiti.com mon-entreprise.zammad.com; form-action 'self' *.sibforms.com *.sentry.io mon-entreprise.zammad.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' entreprise.data.gouv.fr geo.api.gouv.fr *.xiti.com stonly.com code.jquery.com mon-entreprise.zammad.com; img-src 'self' data: https://twemoji.maxcdn.com *.xiti.com user-images.githubusercontent.com; frame-src 'self' https://www.youtube-nocookie.com https://codesandbox.io"
+
 ############
 # Redirects following architectural changes
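Review bot: The new Content-Security-Policy value omits the directives that do not fall back to `default-src`, `base-uri` and `frame-ancestors`, so an injected `<base>` element or framing of the site by another origin is still permitted, and `object-src` only inherits `'self'` instead of being disabled. Appending `; object-src 'none'; base-uri 'self'; frame-ancestors 'self'` to the value closes these gaps without touching the allowed hosts (widen `frame-ancestors` only if the site is meant to be embedded elsewhere). `script-src` keeps `'unsafe-inline' 'unsafe-eval'`, which gives up most of the injection protection the header exists for; a comment next to the existing TODO naming which scripts still require them, and that the goal is nonces or hashes, would stop the next maintainer from treating them as permanent. Because the header is enforced from the first deploy with no `report-uri`/`report-to`, resources blocked in production will fail silently; shipping it as `Content-Security-Policy-Report-Only` first, or adding a reporting directive (`*.sentry.io` is already allowed in `connect-src`), would make those failures visible.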