Merge pull request #602 from companieshouse/bug/IDVA5-1710-CSP-Form-A…

…ction-Issues

Adding all URLs in the redirect chain to CSP

src/middleware/content_security_policy_middleware_config.ts

@@ -6,6 +6,9 @@ export const prepareCSPConfig = (nonce: string) : HelmetOptions => {
     const NONCE = `'nonce-${nonce}'`;
     const ONE_YEAR_SECONDS = 31536000;
 
+    const CHS_SIGN_IN = `${CHS_URL}/signin`;
+    const OAUTH_AUTHORIZE = `${ACCOUNT_URL}/oauth2/authorize`;
+    const OAUTH_CHOOSE_SIGN_IN = `${ACCOUNT_URL}/oauth2/user/choose-your-sign-in`;
     const OAUTH_USER_CALL_BACK = `${CHS_URL}/user/callback`;
 
     return {
@@ -17,7 +20,8 @@ export const prepareCSPConfig = (nonce: string) : HelmetOptions => {
                 imgSrc: [CDN_HOST],
                 styleSrc: [NONCE, CDN_HOST],
                 connectSrc: [SELF, PIWIK_URL],
-                formAction: [SELF, PIWIK_CHS_DOMAIN, CHS_URL, ACCOUNT_URL, OAUTH_USER_CALL_BACK],
+                formAction: [SELF, PIWIK_CHS_DOMAIN, OAUTH_USER_CALL_BACK,
+                    CHS_SIGN_IN, OAUTH_AUTHORIZE, OAUTH_CHOOSE_SIGN_IN],
                 scriptSrc: [NONCE, CDN_HOST, PIWIK_URL],
                 objectSrc: [`'none'`]
             }