Merge pull request #592 from companieshouse/bug/IDVA5-1710-Start-Now-…

…CSP-Issue Adding Account URL and oauth2 callback url
companieshouse · Jan 21, 2025 · 1caed71 · 1caed71
2 parents bde65ab + 937525b
commit 1caed71
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/src/middleware/content_security_policy_middleware_config.ts b/src/middleware/content_security_policy_middleware_config.ts
@@ -1,11 +1,13 @@
 import { HelmetOptions } from "helmet";
-import { CDN_HOST, PIWIK_URL, PIWIK_CHS_DOMAIN, CHS_URL } from "../utils/properties";
+import { CDN_HOST, PIWIK_URL, PIWIK_CHS_DOMAIN, CHS_URL, ACCOUNT_URL } from "../utils/properties";
 
 export const prepareCSPConfig = (nonce: string) : HelmetOptions => {
     const SELF = `'self'`;
     const NONCE = `'nonce-${nonce}'`;
     const ONE_YEAR_SECONDS = 31536000;
 
+    const OAUTH_USER_CALL_BACK = `${CHS_URL}/user/callback`;
+
     return {
         contentSecurityPolicy: {
             directives: {
@@ -15,7 +17,7 @@ export const prepareCSPConfig = (nonce: string) : HelmetOptions => {
                 imgSrc: [CDN_HOST],
                 styleSrc: [NONCE, CDN_HOST],
                 connectSrc: [SELF, PIWIK_URL],
-                formAction: [SELF, PIWIK_CHS_DOMAIN, "https:"],
+                formAction: [SELF, PIWIK_CHS_DOMAIN, CHS_URL, ACCOUNT_URL, OAUTH_USER_CALL_BACK],
                 scriptSrc: [NONCE, CDN_HOST, PIWIK_URL],
                 objectSrc: [`'none'`]
             }