From 0ac4e80ba71ab9c92be0b21ea4472f989cc4f380 Mon Sep 17 00:00:00 2001
From: barsa
Date: Tue, 3 Mar 2026 14:30:39 +0900
Subject: [PATCH] refactor: update Content Security Policy in proxy configuration

- Adjusted CSP to allow same-origin scripts and inline scripts generated by Next.js.
- Removed 'strict-dynamic' to prevent blocking of parser-inserted script tags, ensuring proper loading of Next.js chunks.
---
 apps/portal/src/proxy.ts | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/apps/portal/src/proxy.ts b/apps/portal/src/proxy.ts
index 0528f7d8..c5925213 100644
--- a/apps/portal/src/proxy.ts
+++ b/apps/portal/src/proxy.ts
@@ -52,12 +52,13 @@ function buildCSP(nonce: string, isDev: boolean): string {
 }
 // Production: Strict CSP with nonce
- // 'strict-dynamic' allows scripts loaded by nonced scripts to execute.
- // Next 16 applies the nonce to its own inline scripts, so 'unsafe-inline'
- // is not required in script-src when the nonce is present.
+ // 'self' allows same-origin script files (Next.js chunks).
+ // The nonce allows inline scripts that Next.js generates at render time.
+ // Note: 'strict-dynamic' is intentionally omitted — it disables 'self',
+ // which blocks parser-inserted