FACT-1985 removed gstatic from CSP instead (#799)

* removed unsafe-eval and unsafe-inline * removed gstatic from fontSrc and imgSrc * http-proxy-middleware update * trying to remove unsafe-eval only * poke * undo unsafe eval removal * poke
hmcts · Oct 29, 2024 · cbec0aa · cbec0aa
1 parent bc588e7
commit cbec0aa
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 10 deletions.
diff --git a/.pnp.cjs b/.pnp.cjs
diff --git a/.yarn/install-state.gz b/.yarn/install-state.gz
diff --git a/README.md b/README.md
@@ -189,3 +189,4 @@ e.g. the ones verifying the state of each service it depends on.
 ## License
 
 This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details
+
diff --git a/package.json b/package.json
@@ -56,7 +56,7 @@
     "glob-parent": "6.0.2",
     "govuk-frontend": "^4.8.0",
     "helmet": "^4.6.0",
-    "http-proxy-middleware": "^2.0.6",
+    "http-proxy-middleware": "^2.0.7",
     "i18next": "^21.8.14",
     "i18next-http-middleware": "^3.2.1",
     "jquery": "^3.6.0",

diff --git a/src/main/modules/helmet/index.ts b/src/main/modules/helmet/index.ts
@@ -31,8 +31,8 @@ export class Helmet {
         directives: {
           connectSrc: [self, googleAnalyticsDomain, doubleclick, 'https://*.dynatrace.com'],
           defaultSrc: ["'none'"],
-          fontSrc: [self, 'data:', 'https://fonts.gstatic.com'],
-          imgSrc: [self, azureBlob, ...tagManager, googleAnalyticsDomain, 'data:', 'https://ssl.gstatic.com', 'https://www.gstatic.com', 'https://*.dynatrace.com'],
+          fontSrc: [self, 'data:'],
+          imgSrc: [self, azureBlob, ...tagManager, googleAnalyticsDomain, 'data:', 'https://*.dynatrace.com'],
           objectSrc: [self],
           scriptSrc: [self, ...tagManager, googleAnalyticsDomain, "'unsafe-inline'", "'unsafe-eval'", 'https://*.dynatrace.com'],
           styleSrc: [self, ...tagManager, "'unsafe-inline'", 'https://fonts.googleapis.com'],

diff --git a/yarn.lock b/yarn.lock
@@ -6387,7 +6387,7 @@ __metadata:
     govuk-frontend: ^4.8.0
     helmet: ^4.6.0
     html-webpack-plugin: ^5.6.0
-    http-proxy-middleware: ^2.0.6
+    http-proxy-middleware: ^2.0.7
     i18next: ^21.8.14
     i18next-http-middleware: ^3.2.1
     jest: ^28.1.3
@@ -7502,7 +7502,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"http-proxy-middleware@npm:*, http-proxy-middleware@npm:^2.0.6":
+"http-proxy-middleware@npm:*":
   version: 2.0.6
   resolution: "http-proxy-middleware@npm:2.0.6"
   dependencies:
@@ -7520,6 +7520,24 @@ __metadata:
   languageName: node
   linkType: hard
 
+"http-proxy-middleware@npm:^2.0.7":
+  version: 2.0.7
+  resolution: "http-proxy-middleware@npm:2.0.7"
+  dependencies:
+    "@types/http-proxy": ^1.17.8
+    http-proxy: ^1.18.1
+    is-glob: ^4.0.1
+    is-plain-obj: ^3.0.0
+    micromatch: ^4.0.2
+  peerDependencies:
+    "@types/express": ^4.17.13
+  peerDependenciesMeta:
+    "@types/express":
+      optional: true
+  checksum: 18caa21145917aa1054740353916e8f03f5a3a93bede9106f1f44d84f7b174df17af1c72bf5fade5cc440c2058ee813f47cbb2bdd6ae6874af1cf33e0ac575f3
+  languageName: node
+  linkType: hard
+
 "http-proxy@npm:^1.18.1":
   version: 1.18.1
   resolution: "http-proxy@npm:1.18.1"
Original file line number	Diff line number	Diff line change
Expand Up		@@ -189,3 +189,4 @@ e.g. the ones verifying the state of each service it depends on.
		## License

		This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details