From 867a6d3404999a5a56d72585f5f523185d6f5143 Mon Sep 17 00:00:00 2001
From: ttingle-ch
Date: Thu, 23 Jan 2025 15:42:59 +0000
Subject: [PATCH] Adding all URLs in the redirect chain to CSP

---
 src/middleware/content_security_policy_middleware_config.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/middleware/content_security_policy_middleware_config.ts b/src/middleware/content_security_policy_middleware_config.ts
index 7b0ba58e..57b29227 100644
--- a/src/middleware/content_security_policy_middleware_config.ts
+++ b/src/middleware/content_security_policy_middleware_config.ts
@@ -6,6 +6,9 @@ export const prepareCSPConfig = (nonce: string) : HelmetOptions => {
 
     const NONCE = `'nonce-${nonce}'`;
     const ONE_YEAR_SECONDS = 31536000;
+    const CHS_SIGN_IN = `${CHS_URL}/signin`;
+    const OAUTH_AUTHORIZE = `${ACCOUNT_URL}/oauth2/authorize`;
+    const OAUTH_CHOOSE_SIGN_IN = `${ACCOUNT_URL}/oauth2/user/choose-your-sign-in`;
     const OAUTH_USER_CALL_BACK = `${CHS_URL}/user/callback`;
 
     return {
@@ -17,7 +20,8 @@ export const prepareCSPConfig = (nonce: string) : HelmetOptions => {
             imgSrc: [CDN_HOST],
             styleSrc: [NONCE, CDN_HOST],
             connectSrc: [SELF, PIWIK_URL],
-            formAction: [SELF, PIWIK_CHS_DOMAIN, CHS_URL, ACCOUNT_URL, OAUTH_USER_CALL_BACK],
+            formAction: [SELF, PIWIK_CHS_DOMAIN, OAUTH_USER_CALL_BACK,
+                CHS_SIGN_IN, OAUTH_AUTHORIZE, OAUTH_CHOOSE_SIGN_IN],
             scriptSrc: [NONCE, CDN_HOST, PIWIK_URL],
             objectSrc: [`'none'`]
         }
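Review bot: The rationale for the path-qualified constants `CHS_SIGN_IN`, `OAUTH_AUTHORIZE` and `OAUTH_CHOOSE_SIGN_IN` in the first hunk — and for dropping the bare `CHS_URL`/`ACCOUNT_URL` origins from `formAction` in the second — lives only in the commit message, so a comment above the constants should state it: `// form-action targets for the sign-in redirect chain: full URLs instead of whole origins, so forms may only post to these paths.` The same comment should record the caveat that, as I read the CSP3 source-matching algorithm, a source expression's path is compared only on the initial request; once the submission is redirected, browsers that enforce `form-action` across redirects match on scheme/host/port alone, so the per-hop paths tighten the first hop rather than the whole chain, and each hop on a new origin still needs its own entry. It is worth noting there too that query strings are ignored by path matching, so `/oauth2/authorize?...` still matches `OAUTH_AUTHORIZE`. The enclosing `prepareCSPConfig` starts before the first hunk and ends after the second.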