Skip to content
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 3 additions & 9 deletions app/controllers/users/sessions_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -241,23 +241,17 @@ def pending_account_reset_request

def override_csp_for_google_analytics
return unless IdentityConfig.store.participate_in_dap
# See: https://github.com/digital-analytics-program/gov-wide-code#content-security-policy
policy = current_content_security_policy
policy.script_src(
*policy.script_src,
'dap.digitalgov.gov',
'www.google-analytics.com',
'*.googletagmanager.com',
'www.googletagmanager.com',
)
policy.connect_src(
*policy.connect_src,
'*.google-analytics.com',
'*.analytics.google.com',
'*.googletagmanager.com',
)
policy.img_src(
*policy.img_src,
'*.google-analytics.com',
'*.googletagmanager.com',
'www.google-analytics.com',
)
request.content_security_policy = policy
end
Expand Down
1 change: 1 addition & 0 deletions config/application.yml.default.docker
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ production:
recaptcha_mock_validator: true
redis_throttle_url: ['env', 'REDIS_THROTTLE_URL']
redis_url: ['env', 'REDIS_URL']
participate_in_dap: true
Comment thread
mitchellhenke marked this conversation as resolved.
Outdated
password_pepper: f22d4b2cafac9066fe2f4416f5b7a32c
session_encryption_key: 27bad3c25711099429c1afdfd1890910f3b59f5a4faec1c85e945cb8b02b02f261ba501d99cfbb4fab394e0102de6fecf8ffe260f322f610db3e96b2a775c120
phone_recaptcha_score_threshold: 0.5
Expand Down
28 changes: 10 additions & 18 deletions spec/requests/csp_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -228,16 +228,11 @@

content_security_policy = parse_content_security_policy

# see GA4 docs for directives
# https://developers.google.com/tag-platform/security/guides/csp#google_analytics_4_google_analytics
expect(content_security_policy['script-src']).to include('*.googletagmanager.com')

expect(content_security_policy['img-src']).to include('*.google-analytics.com')
expect(content_security_policy['img-src']).to include('*.googletagmanager.com')

expect(content_security_policy['connect-src']).to include('*.google-analytics.com')
expect(content_security_policy['connect-src']).to include('*.analytics.google.com')
expect(content_security_policy['connect-src']).to include('*.googletagmanager.com')
# See: https://github.com/digital-analytics-program/gov-wide-code#content-security-policy
expect(content_security_policy['script-src']).to include('dap.digitalgov.gov')
expect(content_security_policy['script-src']).to include('www.google-analytics.com')
expect(content_security_policy['script-src']).to include('www.googletagmanager.com')
expect(content_security_policy['connect-src']).to include('www.google-analytics.com')
end
end

Expand All @@ -247,14 +242,11 @@

content_security_policy = parse_content_security_policy

expect(content_security_policy['script-src']).to_not include('*.googletagmanager.com')

expect(content_security_policy['img-src']).to_not include('*.google-analytics.com')
expect(content_security_policy['img-src']).to_not include('*.googletagmanager.com')

expect(content_security_policy['connect-src']).to_not include('*.google-analytics.com')
expect(content_security_policy['connect-src']).to_not include('*.analytics.google.com')
expect(content_security_policy['connect-src']).to_not include('*.googletagmanager.com')
# See: https://github.com/digital-analytics-program/gov-wide-code#content-security-policy
expect(content_security_policy['script-src']).not_to include('dap.digitalgov.gov')
expect(content_security_policy['script-src']).not_to include('www.google-analytics.com')
expect(content_security_policy['script-src']).not_to include('www.googletagmanager.com')
expect(content_security_policy['connect-src']).not_to include('www.google-analytics.com')
end
end
end
Expand Down