From 7f837b2921a6659fbcc4f30bfb7936f0aa17cad7 Mon Sep 17 00:00:00 2001
From: dbes-gds
Date: Thu, 16 Nov 2023 15:15:51 +0000
Subject: [PATCH] AUT-1706: Exclude additional pages from 'form-action'

These pages submit a form that leads to an oauth redirect, preventing service login.
---
 src/config/helmet.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/config/helmet.ts b/src/config/helmet.ts
index ba633ba61..7a7b425bf 100644
--- a/src/config/helmet.ts
+++ b/src/config/helmet.ts
@@ -1,6 +1,7 @@
 import helmet from "helmet";
 import e, { Request, Response } from "express";
 import { supportFrameAncestorsFormActionsCspHeaders } from "../config";
+import { PATH_NAMES } from "../app.constants";
 // Helmet does not export the config type - This is the way the recommend getting it on GitHub.
 export function helmetConfiguration(
   req: Request
@@ -65,7 +66,14 @@ export function helmetConfiguration(
     expectCt: false,
   };
   if (supportFrameAncestorsFormActionsCspHeaders()) {
-    if (req.url == "/enter-code") {
+    if (
+      [
+        PATH_NAMES.ENTER_MFA,
+        PATH_NAMES.ENTER_PASSWORD,
+        PATH_NAMES.CREATE_ACCOUNT_SUCCESSFUL,
+        PATH_NAMES.UPDATED_TERMS_AND_CONDITIONS,
+      ].includes(req.url)
+    ) {
       helmetConfig.contentSecurityPolicy.directives["frame-ancestors"] = [
         "'self'",
         "https://*.account.gov.uk",
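Review bot: `.includes(req.url)` compares against the full request URL, so a request for one of these pages carrying a query string (`/enter-password?...`) does not match and falls back to the default CSP, which is the same failure the commit is trying to remove; Express's `req.path` strips the query and is the right key, i.e. `].includes(req.path)`, and the same consideration applies to the `"/enter-code"` comparison this hunk replaces. The array literal is also rebuilt on every request, so hoisting it to a module-level `const` (say `CSP_RELAXED_FORM_PATHS`, a constructed name) would both avoid that and give the rationale a home as a comment: `// Pages whose form submission ends in an OAuth redirect; the CSP source lists are widened for them (AUT-1706).` Whether `PATH_NAMES.ENTER_MFA` resolves to the previously hard-coded `/enter-code` is not visible in this patch, so the dropped literal is worth checking against app.constants. The remainder of helmetConfiguration, including where `form-action` itself is set, lies outside the hunk.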