
Commit cdd427b

committed
Updating CSP to work with payment questions.
1 parent d1ee54f commit cdd427b

6 files changed

Lines changed: 38 additions & 4 deletions


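--- a/.env.sample
+++ b/.env.sample
@@ -52,6 +52,7 @@ USE_MAPS_FEATURE=false
 FEEDBACK_VIA_EMAIL=defraforms@defra.gov.uk
 
 #PAYMENT_PROVIDER_API_KEY_TEST=
+PAYMENT_PROVIDER_URL=https://card.payments.service.gov.uk
 
 PRIVATE_KEY_FOR_SECRETS=
 # one day in milliseconds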
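Review bot: The new PAYMENT_PROVIDER_URL line carries no comment saying that its value is emitted into the Content-Security-Policy form-action allowlist, so the next person editing the sample has no cue that a path, a wildcard or an http:// value changes the browser policy rather than just a redirect target. The jest setup in this same commit uses a different host (test-card.payments.service.gov.uk) from the sample's card.payments.service.gov.uk; whether both are real GOV.UK Pay frontends I cannot tell from here, but a one-line comment would settle which value local development should use. Suggest adding above it `# Origin (scheme + host, no path) of the hosted GOV.UK Pay page; allow-listed in the CSP form-action directive`.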

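--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -42,4 +42,4 @@ jobs:
 uses: DEFRA/cdp-build-action/build@main
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
-version: '0.0.4'
+version: '0.0.5'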

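--- a/jest.setup.cjs
+++ b/jest.setup.cjs
@@ -46,6 +46,7 @@ process.env.ORDNANCE_SURVEY_API_SECRET = 'dummy-ordnance-survey-api-secret'
 process.env.USE_MAPS_FEATURE = 'false'
 process.env.FEEDBACK_VIA_EMAIL = 'defraforms@defra.gov.uk'
 process.env.PRIVATE_KEY_FOR_SECRETS = 'dummy-private-key'
+process.env.PAYMENT_PROVIDER_URL = 'https://test-card.payments.service.gov.uk'
 process.env.SNS_FORM_TOPIC_ARN_MAP =
 '{"507f1f77bcf86cd799439099":"arn:aws:sns:eu-west-2:123456789012:form-specific-topic"}'
 process.env.SESSION_TIMEOUT = '86400000'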

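--- a/src/config/index.ts
+++ b/src/config/index.ts
@@ -235,6 +235,13 @@ export const config = convict({
 env: 'UPLOADER_BUCKET_NAME'
 } as SchemaObj<string>,
 
+paymentProviderUrl: {
+doc: 'Base URL of the hosted payment provider (GOV.UK Pay) users are redirected to after submitting the payment form. Used to allow the redirect target in the form-action CSP directive.',
+format: String,
+default: null,
+env: 'PAYMENT_PROVIDER_URL'
+} as SchemaObj<string>,
+
 /**
 * Logging
 */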
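Review bot: `format: String` on the new `paymentProviderUrl` entry accepts any string, yet the doc line says the value is written into the form-action CSP directive, so a value such as `*`, `https:` or an `http://` host would pass validation and silently widen the policy for every form on the site. Since the whole point of this setting is to feed an allowlist, it is worth failing at startup on anything that is not an absolute https URL; convict accepts a function as `format`, so no extra dependency is needed (if the project already wires convict-format-with-validator, `format: 'url'` covers the parse but not the scheme check). I cannot see whether `default: null` with a `String` format is a pattern the rest of this schema already relies on; if not, the custom format below also tolerates the null default explicitly.

```typescript
  paymentProviderUrl: {
    // … unchanged: doc string …
    // Custom convict format: reject anything that is not an absolute https URL,
    // so a typo or wildcard fails at startup instead of widening the CSP.
    format: (value: unknown) => {
      if (value === null || value === '') return
      const url = new URL(String(value))
      if (url.protocol !== 'https:') throw new Error('PAYMENT_PROVIDER_URL must be an https URL')
    },
    default: null,
    env: 'PAYMENT_PROVIDER_URL'
  } as SchemaObj<string>,
```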

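--- a/src/server/plugins/blankie.test.ts
+++ b/src/server/plugins/blankie.test.ts
@@ -17,7 +17,7 @@ describe('Server Blankie Plugin', () => {
 styleSrc: ['self', 'unsafe-inline'],
 imgSrc: ['self', 'data:'],
 workerSrc: ['blob:'],
-formAction: ['self'],
+formAction: ['self', 'https://test-card.payments.service.gov.uk'],
 frameAncestors: ['none'],
 objectSrc: ['none'],
 generateNonces: 'script'
@@ -51,7 +51,7 @@ describe('Server Blankie Plugin', () => {
 'https://www.googletagmanager.com'
 ],
 workerSrc: ['blob:'],
-formAction: ['self'],
+formAction: ['self', 'https://test-card.payments.service.gov.uk'],
 frameAncestors: ['none'],
 objectSrc: ['none'],
 generateNonces: 'script'
@@ -77,4 +77,25 @@ describe('Server Blankie Plugin', () => {
 
 expect(options?.connectSrc).toEqual(['self'])
 })
+
+test('configuration includes paymentProviderUrl in formAction when provided', () => {
+config.set('googleTagManagerContainerId', '')
+config.set('paymentProviderUrl', 'https://card.payments.service.gov.uk')
+
+const { options } = configureBlankiePlugin()
+
+expect(options?.formAction).toEqual([
+'self',
+'https://card.payments.service.gov.uk'
+])
+})
+
+test('configuration falls back to self-only formAction when paymentProviderUrl not provided', () => {
+config.set('googleTagManagerContainerId', '')
+config.set('paymentProviderUrl', '')
+
+const { options } = configureBlankiePlugin()
+
+expect(options?.formAction).toEqual(['self'])
+})
 })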
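Review bot: The two new tests call `config.set('paymentProviderUrl', …)` on the shared config object and never restore it, so after the last one runs the value is `''` and any test added later in this file (or any other suite sharing the process) will see a self-only formAction instead of the `https://test-card.payments.service.gov.uk` the earlier two hunks hard-code from the jest setup. The leak is order-dependent and will show up as a confusing failure far from its cause. Suggest capturing the original once and restoring it after each test, `const originalPaymentProviderUrl = config.get('paymentProviderUrl')` at the top of the describe and `afterEach(() => config.set('paymentProviderUrl', originalPaymentProviderUrl))`; the describe opening line is outside this hunk.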

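--- a/src/server/plugins/blankie.ts
+++ b/src/server/plugins/blankie.ts
@@ -22,6 +22,7 @@ export const configureBlankiePlugin = (): ServerRegisterPluginObject<
 > => {
 const gtmContainerId = config.get('googleTagManagerContainerId')
 const uploaderUrl = config.get('uploaderUrl')
+const paymentProviderUrl = config.get('paymentProviderUrl')
 
 return {
 plugin: Blankie,
@@ -42,7 +43,10 @@ export const configureBlankiePlugin = (): ServerRegisterPluginObject<
 ].flat(),
 frameSrc: gtmContainerId ? googleAnalyticsOptions.frameSrc : ['none'],
 workerSrc: ['blob:'],
-formAction: ['self'],
+formAction: [
+['self'],
+paymentProviderUrl ? [paymentProviderUrl] : []
+].flat(),
 frameAncestors: ['none'],
 objectSrc: ['none'],
 generateNonces: 'script'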
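Review bot: The configured string is spliced verbatim into the form-action source list, and form-action is the directive that stops a form on this site posting to an attacker-chosen host, so a value carrying a path, a trailing fragment, a wildcard or an http scheme would be emitted into the policy as-is rather than rejected. Normalising to the origin at the point of use keeps the allowlist a bare scheme+host whatever the environment variable holds, and the new test in this commit already expects exactly that bare origin string, so it stays green: `const paymentProviderOrigin = paymentProviderUrl ? new URL(paymentProviderUrl).origin : ''` in the first hunk and `formAction: ['self', ...(paymentProviderOrigin ? [paymentProviderOrigin] : [])],` in the second. A one-line comment on the formAction entry would also help, since `'self'` looks sufficient at a glance: presumably the payment form posts to this app and is then redirected to GOV.UK Pay, and Chromium-based browsers check form-action against that redirect target, which I take to be why the host must be allow-listed — worth stating so nobody "tidies" it away. configureBlankiePlugin's body continues past the end of this hunk.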
