
Commit 763f57c

Fixing CSP Issues (#1172)
* Updating CSP to work with payment questions.
1 parent 6aad001 commit 763f57c

7 files changed

Lines changed: 42 additions & 8 deletions


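--- a/.env.sample
+++ b/.env.sample
@@ -52,6 +52,7 @@ USE_MAPS_FEATURE=false
 FEEDBACK_VIA_EMAIL=defraforms@defra.gov.uk
 
 #PAYMENT_PROVIDER_API_KEY_TEST=
+PAYMENT_PROVIDER_URL=https://card.payments.service.gov.uk
 
 PRIVATE_KEY_FOR_SECRETS=
 # one day in milliseconds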

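--- a/jest.setup.cjs
+++ b/jest.setup.cjs
@@ -46,6 +46,7 @@ process.env.ORDNANCE_SURVEY_API_SECRET = 'dummy-ordnance-survey-api-secret'
 process.env.USE_MAPS_FEATURE = 'false'
 process.env.FEEDBACK_VIA_EMAIL = 'defraforms@defra.gov.uk'
 process.env.PRIVATE_KEY_FOR_SECRETS = 'dummy-private-key'
+process.env.PAYMENT_PROVIDER_URL = 'https://test-card.payments.service.gov.uk'
 process.env.SNS_FORM_TOPIC_ARN_MAP =
   '{"507f1f77bcf86cd799439099":"arn:aws:sns:eu-west-2:123456789012:form-specific-topic"}'
 process.env.SESSION_TIMEOUT = '86400000'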

package-lock.json

Lines changed: 4 additions & 4 deletions

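--- a/package.json
+++ b/package.json
@@ -46,7 +46,7 @@
   "license": "SEE LICENSE IN LICENSE",
   "dependencies": {
     "@aws-sdk/client-sns": "^3.997.0",
-    "@defra/forms-engine-plugin": "^4.7.1",
+    "@defra/forms-engine-plugin": "^4.7.2",
     "@defra/forms-model": "^3.0.647",
     "@defra/hapi-tracing": "^1.30.0",
     "@elastic/ecs-pino-format": "^1.5.0",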

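--- a/src/config/index.ts
+++ b/src/config/index.ts
@@ -235,6 +235,13 @@ export const config = convict({
     env: 'UPLOADER_BUCKET_NAME'
   } as SchemaObj<string>,
 
+  paymentProviderUrl: {
+    doc: 'Base URL of the hosted payment provider (GOV.UK Pay) users are redirected to after submitting the payment form. Used to allow the redirect target in the form-action CSP directive.',
+    format: String,
+    default: null,
+    env: 'PAYMENT_PROVIDER_URL'
+  } as SchemaObj<string>,
+
   /**
    * Logging
    */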
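Review bot: `format: String` on the new `paymentProviderUrl` entry accepts any string, yet the doc string says the value is spliced into the CSP form-action directive, so a typo or an over-broad value such as a bare scheme would weaken the policy silently at startup rather than fail validation. Convict's built-in `'url'` format rejects values that do not parse as a URL at validation time: `format: 'url',`. Separately, `default: null` inside a `SchemaObj<string>` cast means `config.get('paymentProviderUrl')` can presumably yield null at runtime while the type says string; if callers rely on that, the schema comment should say so, e.g. `// null (unset) means form-action stays 'self' only`. The enclosing `convict({ ... })` object begins before this hunk.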

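--- a/src/server/plugins/blankie.test.ts
+++ b/src/server/plugins/blankie.test.ts
@@ -17,7 +17,7 @@ describe('Server Blankie Plugin', () => {
       styleSrc: ['self', 'unsafe-inline'],
       imgSrc: ['self', 'data:'],
       workerSrc: ['blob:'],
-      formAction: ['self'],
+      formAction: ['self', 'https://test-card.payments.service.gov.uk'],
       frameAncestors: ['none'],
       objectSrc: ['none'],
       generateNonces: 'script'
@@ -51,7 +51,7 @@ describe('Server Blankie Plugin', () => {
         'https://www.googletagmanager.com'
       ],
       workerSrc: ['blob:'],
-      formAction: ['self'],
+      formAction: ['self', 'https://test-card.payments.service.gov.uk'],
       frameAncestors: ['none'],
       objectSrc: ['none'],
       generateNonces: 'script'
@@ -77,4 +77,25 @@ describe('Server Blankie Plugin', () => {
 
     expect(options?.connectSrc).toEqual(['self'])
   })
+
+  test('configuration includes paymentProviderUrl in formAction when provided', () => {
+    config.set('googleTagManagerContainerId', '')
+    config.set('paymentProviderUrl', 'https://card.payments.service.gov.uk')
+
+    const { options } = configureBlankiePlugin()
+
+    expect(options?.formAction).toEqual([
+      'self',
+      'https://card.payments.service.gov.uk'
+    ])
+  })
+
+  test('configuration falls back to self-only formAction when paymentProviderUrl not provided', () => {
+    config.set('googleTagManagerContainerId', '')
+    config.set('paymentProviderUrl', '')
+
+    const { options } = configureBlankiePlugin()
+
+    expect(options?.formAction).toEqual(['self'])
+  })
 })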
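Review bot: The two new tests in the third hunk mutate the shared `config` singleton with `config.set('paymentProviderUrl', ...)` and never restore it, and the last one leaves it as `''`, so any test that runs afterwards and relies on the value seeded from `process.env.PAYMENT_PROVIDER_URL` (the earlier hunks expect `'https://test-card.payments.service.gov.uk'`) becomes order-dependent. The earlier tests in this describe block appear to follow the same `config.set` pattern for `googleTagManagerContainerId`, so the leak may already exist, but the new tests widen it. A small `afterEach` in the describe block that resets `paymentProviderUrl` to its original value, read once via `config.get('paymentProviderUrl')` before the tests run, would keep them isolated. The enclosing `describe` starts before the first hunk.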

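--- a/src/server/plugins/blankie.ts
+++ b/src/server/plugins/blankie.ts
@@ -22,6 +22,7 @@ export const configureBlankiePlugin = (): ServerRegisterPluginObject<
 > => {
   const gtmContainerId = config.get('googleTagManagerContainerId')
   const uploaderUrl = config.get('uploaderUrl')
+  const paymentProviderUrl = config.get('paymentProviderUrl')
 
   return {
     plugin: Blankie,
@@ -42,7 +43,10 @@ export const configureBlankiePlugin = (): ServerRegisterPluginObject<
       ].flat(),
       frameSrc: gtmContainerId ? googleAnalyticsOptions.frameSrc : ['none'],
       workerSrc: ['blob:'],
-      formAction: ['self'],
+      formAction: [
+        ['self'],
+        paymentProviderUrl ? [paymentProviderUrl] : []
+      ].flat(),
       frameAncestors: ['none'],
       objectSrc: ['none'],
       generateNonces: 'script'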
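Review bot: In the second hunk the raw `paymentProviderUrl` config value is placed into the form-action directive unchanged, so whatever string the environment supplies becomes a CSP source expression; form-action is the directive that stops form data being posted to an attacker-controlled host, and a mis-set value (a wildcard, a bare scheme, or a URL with a path that does not cover the provider's real submit target) either widens or silently breaks it. Reducing the value to its origin and failing fast on an unparseable one keeps the allow-list to a single host: `const paymentProviderOrigin = paymentProviderUrl ? new URL(paymentProviderUrl).origin : null` in the first hunk, and `paymentProviderOrigin ? [paymentProviderOrigin] : []` in place of the current conditional. `new URL` throws on malformed input, so a bad deployment value surfaces at plugin registration rather than as a permissive header; if the value is also meant to be checked for `https:`, that belongs in the config schema rather than here. The returned plugin object continues past the end of the hunk.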
