AUT-1706: Remove form-action header from /enter-code page

govuk-one-login · Nov 14, 2023 · 426acc7 · 426acc7
1 parent e10c31c
commit 426acc7
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 12 deletions.
diff --git a/src/app.ts b/src/app.ts
@@ -8,8 +8,6 @@ import i18nextMiddleware from "i18next-http-middleware";
 import * as path from "path";
 import { configureNunjucks } from "./config/nunchucks";
 import { i18nextConfigurationOptions } from "./config/i18next";
-import { helmetConfiguration } from "./config/helmet";
-import helmet from "helmet";
 
 import { setHtmlLangMiddleware } from "./middleware/html-lang-middleware";
 import i18next from "i18next";
@@ -83,6 +81,7 @@ import { setInternationalPhoneNumberSupportMiddleware } from "./middleware/set-i
 import { checkYourEmailSecurityCodesRouter } from "./components/account-recovery/check-your-email-security-codes/check-your-email-security-codes-routes";
 import { changeSecurityCodesConfirmationRouter } from "./components/account-recovery/change-security-codes-confirmation/change-security-codes-confirmation-routes";
 import { outboundContactUsLinksMiddleware } from "./middleware/outbound-contact-us-links-middleware";
+import { setCspHeaders } from "./middleware/set-csp-headers-middleware";
 
 const APP_VIEWS = [
   path.join(__dirname, "components"),
@@ -164,7 +163,7 @@ async function createApp(): Promise<express.Application> {
     );
 
   app.use(i18nextMiddleware.handle(i18next));
-  app.use(helmet(helmetConfiguration()));
+  app.use(setCspHeaders);
 
   const redisConfig = isProduction
     ? await getRedisConfig(getAppEnv())

diff --git a/src/config/helmet.ts b/src/config/helmet.ts
@@ -2,7 +2,9 @@ import helmet from "helmet";
 import e, { Request, Response } from "express";
 import { supportFrameAncestorsFormActionsCspHeaders } from "../config";
 // Helmet does not export the config type - This is the way the recommend getting it on GitHub.
-export function helmetConfiguration(): Parameters<typeof helmet>[0] {
+export function helmetConfiguration(
+  req: Request
+): Parameters<typeof helmet>[0] {
   const helmetConfig: {
     permittedCrossDomainPolicies: boolean;
     referrerPolicy: boolean;
@@ -63,14 +65,21 @@ export function helmetConfiguration(): Parameters<typeof helmet>[0] {
     expectCt: false,
   };
   if (supportFrameAncestorsFormActionsCspHeaders()) {
-    helmetConfig.contentSecurityPolicy.directives["frame-ancestors"] = [
-      "'self'",
-      "https://*.account.gov.uk",
-    ];
-    helmetConfig.contentSecurityPolicy.directives["form-action"] = [
-      "'self'",
-      "https://*.account.gov.uk",
-    ];
+    if (req.url == "/enter-code") {
+      helmetConfig.contentSecurityPolicy.directives["frame-ancestors"] = [
+        "'self'",
+        "https://*.account.gov.uk",
+      ];
+    } else {
+      helmetConfig.contentSecurityPolicy.directives["frame-ancestors"] = [
+        "'self'",
+        "https://*.account.gov.uk",
+      ];
+      helmetConfig.contentSecurityPolicy.directives["form-action"] = [
+        "'self'",
+        "https://*.account.gov.uk",
+      ];
+    }
   }
   return helmetConfig;
 }
diff --git a/src/middleware/set-csp-headers-middleware.ts b/src/middleware/set-csp-headers-middleware.ts
@@ -0,0 +1,11 @@
+import { NextFunction, Request, Response } from "express";
+import helmet from "helmet";
+import { helmetConfiguration } from "../config/helmet";
+
+export function setCspHeaders(
+  req: Request,
+  res: Response,
+  next: NextFunction
+): void {
+  helmet(helmetConfiguration(req))(req, res, next);
+}