refactor: update Content Security Policy in proxy configuration

- Adjusted CSP to allow same-origin scripts and inline scripts generated by Next.js.
- Removed 'strict-dynamic' to prevent blocking of parser-inserted script tags, ensuring proper loading of Next.js chunks.
This commit is contained in:
barsa 2026-03-03 14:30:39 +09:00
parent 0bf367ffec
commit 0ac4e80ba7


@ -52,12 +52,13 @@ function buildCSP(nonce: string, isDev: boolean): string {
}
// Production: Strict CSP with nonce
// 'strict-dynamic' allows scripts loaded by nonced scripts to execute.
// Next 16 applies the nonce to its own inline scripts, so 'unsafe-inline'
// is not required in script-src when the nonce is present.
// 'self' allows same-origin script files (Next.js chunks).
// The nonce allows inline scripts that Next.js generates at render time.
// Note: 'strict-dynamic' is intentionally omitted — it disables 'self',
// which blocks parser-inserted <script> tags (Next.js chunks in the HTML).
return [
"default-src 'self'",
`script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`,
`script-src 'self' 'nonce-${nonce}'`,
"style-src 'self' 'unsafe-inline'", // Next.js requires this for styled-jsx
"img-src 'self' data: https:",
"font-src 'self' data:",