Merge pull request #1217 from alphagov/pp_5887_unsafe_eval

[PP-5887] allow unsafe-eval scripts when configured
alphagov · Dec 2, 2019 · 728cfb9 · 728cfb9
2 parents 384c62f + 50f96a1
commit 728cfb9
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/app/middleware/csp.js b/app/middleware/csp.js
@@ -4,7 +4,7 @@ const sendCspHeader = process.env.CSP_SEND_HEADER === 'true'
 const enforceCsp = process.env.CSP_ENFORCE === 'true'
 const cspReportUri = process.env.CSP_REPORT_URI
 const environment = process.env.ENVIRONMENT
-const zapTestHash = process.env.CSP_ZAP_TEST_HASH
+const allowUnsafeEvalScripts = process.env.CSP_ALLOW_UNSAFE_EVAL_SCRIPTS === 'true'
 
 const sentryCspReportUri = `${cspReportUri}&sentry_environment=${environment}`
 
@@ -25,8 +25,8 @@ const scriptSource = ["'self'", 'https://www.google-analytics.com/',
   (req, res) => `'nonce-${res.locals && res.locals.nonce}'`, govUkFrontendLayoutJsEnabledScriptHash]
 
 // Sript that is being used during zap test: https://github.com/alphagov/pay-endtoend/blob/d685d5bc38d639e8adef629673e5577cb923408e/src/test/resources/uk/gov/pay/pen/tests/frontend.feature#L23
-if (zapTestHash) {
-  scriptSource.push(zapTestHash)
+if (allowUnsafeEvalScripts) {
+  scriptSource.push("'unsafe-eval'")
 }
 
 // Google analytics, Apple pay, Google pay uses standard Payment Request API so requires no exceptions

diff --git a/test/middleware/csp_test.js b/test/middleware/csp_test.js
@@ -51,15 +51,15 @@ describe('CSP middleware', () => {
     sinon.assert.calledWith(response.setHeader, 'Content-Security-Policy')
   })
 
-  it('should add zap hash to Content-Security-Policy header when included in configuration', () => {
+  it('should add `unsafe-eval` to Content-Security-Policy header when included in configuration', () => {
     process.env.CSP_SEND_HEADER = 'true'
-    process.env.CSP_ZAP_TEST_HASH = "'sha256-xUXfQvaQIcsBFXwODJDnPGU3R2JQw59eNsZ6XDIotxU='"
+    process.env.CSP_ALLOW_UNSAFE_EVAL_SCRIPTS = 'true'
     const csp = requireHelper('../../app/middleware/csp')
 
     const next = sinon.spy()
     const response = { setHeader: sinon.spy() }
     csp(mockRequest, response, next)
 
-    sinon.assert.calledWith(response.setHeader, 'Content-Security-Policy', sinon.match(/'sha256-xUXfQvaQIcsBFXwODJDnPGU3R2JQw59eNsZ6XDIotxU='/g))
+    sinon.assert.calledWith(response.setHeader, 'Content-Security-Policy', sinon.match(/'unsafe-eval'/g))
   })
 })