Merge pull request #1206 from alphagov/PP-5882-add_directives_to_card…

…_details_page PP-5882 add some extra directives to card details page
alphagov · Dec 2, 2019 · 393e423 · 393e423
2 parents c0250cb + 65017dd
commit 393e423
Showing 1 changed file with 21 additions and 8 deletions.
diff --git a/app/middleware/csp.js b/app/middleware/csp.js
@@ -12,18 +12,21 @@ const sentryCspReportUri = `${cspReportUri}&sentry_environment=${environment}`
 const govUkFrontendLayoutJsEnabledScriptHash = "'sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU='"
 
 // Worldpay 3ds flex iframe
-const frameSource = ["'self'", 'https://secure-test.worldpay.com/']
+const CSP_NONE = ["'none'"]
+const CSP_SELF = ["'self'"]
+
+// Worldpay 3ds flex iframe - frame and child must be kept in sync
+const frameAndChildSource = ["'self'", 'https://secure-test.worldpay.com/', 'https://centinelapi.cardinalcommerce.com/']
 
 // Google analytics
-const imgSource = ["'self'", 'https://www.google-analytics.com/', 'http://www.google-analytics.com/']
+const imgSource = ["'self'", 'https://www.google-analytics.com/']
 
 // Google analytics
-const scriptSource = ["'self'", 'https://www.google-analytics.com/', 'http://www.google-analytics.com/',
+const scriptSource = ["'self'", 'https://www.google-analytics.com/',
   (req, res) => `'nonce-${res.locals && res.locals.nonce}'`, govUkFrontendLayoutJsEnabledScriptHash]
-const styleSource = ["'self'"]
 
 // Google analytics, Apple pay, Google pay uses standard Payment Request API so requires no exceptions
-const connectSource = ["'self'", 'https://www.google-analytics.com/', 'http://www.google-analytics.com/',
+const connectSource = ["'self'", 'https://www.google-analytics.com/',
   'https://apple-pay-gateway.apple.com/', 'https://apple-pay-gateway-nc-pod1.apple.com/',
   'https://apple-pay-gateway-nc-pod2.apple.com/', 'https://apple-pay-gateway-nc-pod3.apple.com/',
   'https://apple-pay-gateway-nc-pod4.apple.com/', 'https://apple-pay-gateway-nc-pod5.apple.com/',
@@ -45,11 +48,21 @@ const connectSource = ["'self'", 'https://www.google-analytics.com/', 'http://ww
 const csp = helmet.contentSecurityPolicy({
   directives: {
     reportUri: sentryCspReportUri,
-    frameSrc: frameSource,
+    frameSrc: frameAndChildSource,
+    childSrc: frameAndChildSource,
     imgSrc: imgSource,
-    styleSrc: styleSource,
     scriptSrc: scriptSource,
-    connectSrc: connectSource
+    connectSrc: connectSource,
+    styleSrc: CSP_SELF,
+    formAction: CSP_SELF,
+    fontSrc: CSP_SELF,
+    frameAncestors: CSP_SELF,
+    manifestSrc: CSP_NONE,
+    mediaSrc: CSP_NONE,
+    objectSrc: CSP_NONE,
+    prefetchSrc: CSP_SELF,
+    baseUri: CSP_NONE,
+    blockAllMixedContent: true
   },
   reportOnly: !enforceCsp
 })