
Adding all URLs in the redirect chain to CSP
ttingle-ch committed Jan 23, 2025
1 parent 4aad60f commit 867a6d3
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion src/middleware/content_security_policy_middleware_config.ts
Expand Up @@ -6,6 +6,9 @@ export const prepareCSPConfig = (nonce: string) : HelmetOptions => {
const NONCE = `'nonce-${nonce}'`;
const ONE_YEAR_SECONDS = 31536000;

const CHS_SIGN_IN = `${CHS_URL}/signin`;
const OAUTH_AUTHORIZE = `${ACCOUNT_URL}/oauth2/authorize`;
const OAUTH_CHOOSE_SIGN_IN = `${ACCOUNT_URL}/oauth2/user/choose-your-sign-in`;
const OAUTH_USER_CALL_BACK = `${CHS_URL}/user/callback`;

return {
Expand All @@ -17,7 +20,8 @@ export const prepareCSPConfig = (nonce: string) : HelmetOptions => {
imgSrc: [CDN_HOST],
styleSrc: [NONCE, CDN_HOST],
connectSrc: [SELF, PIWIK_URL],
formAction: [SELF, PIWIK_CHS_DOMAIN, CHS_URL, ACCOUNT_URL, OAUTH_USER_CALL_BACK],
formAction: [SELF, PIWIK_CHS_DOMAIN, OAUTH_USER_CALL_BACK,
CHS_SIGN_IN, OAUTH_AUTHORIZE, OAUTH_CHOOSE_SIGN_IN],
scriptSrc: [NONCE, CDN_HOST, PIWIK_URL],
objectSrc: [`'none'`]
}
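Review bot: The four new constants from `CHS_SIGN_IN` to `OAUTH_USER_CALL_BACK` carry no comment explaining why every hop of the sign-in redirect chain has to be enumerated in `formAction`, so the next person who adds a redirect will only find out from a blocked form post in the browser console; add above them `// Chromium re-checks form-action against each redirect target after a form submission, so every hop of the sign-in flow must be listed, not just the origins.` (this is browser behaviour from the CSP spec rather than anything visible here — confirm against the browsers you support). The template literals also assume `CHS_URL` and `ACCOUNT_URL` are set and have no trailing slash: a value ending in `/` produces `https://host//signin`, which is not a valid CSP path-part and would most likely make the browser drop that source and block the sign-in post, while an unset value produces `undefined/signin` and is silently ignored. Building each constant with the URL API, e.g. `const CHS_SIGN_IN = new URL('/signin', CHS_URL).href;`, normalises the slash and throws when the config is built for an unset base instead of shipping a silently broken policy. Be aware that CSP Level 3 ignores the path-part of a source expression once a request has been redirected, so narrowing from whole origins to paths is believed to constrain only the first hop — the listed origins themselves still need to be exactly the ones the flow uses. `prepareCSPConfig` begins before the first hunk and its body continues past the second.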
