From b7593ef5abeafd142bf89ca3eedabb135a93e7db Mon Sep 17 00:00:00 2001
From: Sonia Connolly
Date: Tue, 9 May 2023 12:50:00 -0700
Subject: [PATCH 1/2] Add csp overrides before action for ThreatMetrix to SsnController

This before action is needed to allow ThreatMetrix to load in browsers that respect Content Security Policies. It was part of the Flow State Machine but not clearly part of the SSN step.

changelog: Bug Fixes, Identity Verification, include Content Security Policy overrides for ThreatMetrix
---
 .../concerns/idv/threat_metrix_concern.rb | 12 ++++++++++++
 app/controllers/idv/ssn_controller.rb | 2 ++
 spec/controllers/idv/ssn_controller_spec.rb | 7 +++++++
 3 files changed, 21 insertions(+)

diff --git a/app/controllers/concerns/idv/threat_metrix_concern.rb b/app/controllers/concerns/idv/threat_metrix_concern.rb
index 22de6ca98cd..5ff95b6b9b7 100644
--- a/app/controllers/concerns/idv/threat_metrix_concern.rb
+++ b/app/controllers/concerns/idv/threat_metrix_concern.rb
@@ -10,6 +10,18 @@ def override_csp_for_threat_metrix
 return if params[:step] != 'ssn'
+ threat_metrix_csp_overrides
+ end
+
+ # Remove this duplication once in_person_controller is no longer in use
+ # for their SSN step
+ def override_csp_for_threat_metrix_no_fsm
+ return unless FeatureManagement.proofing_device_profiling_collecting_enabled?
+
+ threat_metrix_csp_overrides
+ end
+
+ def threat_metrix_csp_overrides
 policy = current_content_security_policy
 # ThreatMetrix requires additional Content Security Policy (CSP)
diff --git a/app/controllers/idv/ssn_controller.rb b/app/controllers/idv/ssn_controller.rb
index 5999be737b4..bc53eae9798 100644
--- a/app/controllers/idv/ssn_controller.rb
+++ b/app/controllers/idv/ssn_controller.rb
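Review bot: `override_csp_for_threat_metrix_no_fsm` and `threat_metrix_csp_overrides` are added as plain `def`s and the hunk shows no `private` marker above them; in a Rails controller concern a public instance method is listed among the controller's action methods, so unless the top of the module (outside this hunk) already switches to private, put `private` ahead of the new helpers or add `private :override_csp_for_threat_metrix_no_fsm, :threat_metrix_csp_overrides`. `threat_metrix_csp_overrides` also deserves a header comment, because the spec in the second patch shows it adds `'unsafe-eval'` to script-src and `'unsafe-inline'` to style-src, a deliberate relaxation that should be explained where it is defined, e.g. `# Relaxes script-src/style-src for this response only; every caller must gate on the device-profiling feature flag first.` The `_no_fsm` caller gates visibly; the FSM caller's gate presumably sits above the hunk. The body of `override_csp_for_threat_metrix` starts before the hunk and `threat_metrix_csp_overrides` continues past it.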
@@ -5,9 +5,11 @@ class SsnController < ApplicationController
 include StepIndicatorConcern
 include StepUtilitiesConcern
 include Steps::ThreatMetrixStepHelper
+ include ThreatMetrixConcern
 before_action :confirm_verify_info_step_needed
 before_action :confirm_document_capture_complete
+ before_action :override_csp_for_threat_metrix_no_fsm
 attr_accessor :error_message
diff --git a/spec/controllers/idv/ssn_controller_spec.rb b/spec/controllers/idv/ssn_controller_spec.rb
index 62a6d4b5558..213002b53e0 100644
--- a/spec/controllers/idv/ssn_controller_spec.rb
+++ b/spec/controllers/idv/ssn_controller_spec.rb
@@ -34,6 +34,13 @@
 :confirm_document_capture_complete,
 )
 end
+
+ it 'overrides CSPs for ThreatMetrix' do
+ expect(subject).to have_actions(
+ :before,
+ :override_csp_for_threat_metrix_no_fsm,
+ )
+ end
 end
 describe '#show' do
From 05162d3de2d93d9fe708432eca932accd1fc10fa Mon Sep 17 00:00:00 2001
From: Sonia Connolly
Date: Tue, 9 May 2023 14:59:32 -0700
Subject: [PATCH 2/2] Add controller test that checks csp overrides

This makes it more explicit that the overrides are required for the SSN step.

Co-authored-by: Douglas Price
---
 spec/controllers/idv/ssn_controller_spec.rb | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/spec/controllers/idv/ssn_controller_spec.rb b/spec/controllers/idv/ssn_controller_spec.rb
index 213002b53e0..b2fcbce6970 100644
--- a/spec/controllers/idv/ssn_controller_spec.rb
+++ b/spec/controllers/idv/ssn_controller_spec.rb
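Review bot: `before_action :override_csp_for_threat_metrix_no_fsm` is registered with no `only:` restriction, so the relaxed CSP is applied to `update` as well as `show`; if `update` only redirects (its body is not in this hunk), `before_action :override_csp_for_threat_metrix_no_fsm, only: :show` keeps the weakened policy to the one response that actually loads ThreatMetrix, and if it can re-render the form on a validation error, a short comment saying so would justify the broad registration. The placement after the two `confirm_*` guards is the right one, since a redirect from either halts the callback chain before the policy is touched; that ordering is worth pinning with `# Keep after the redirecting guards so the CSP is only relaxed when the SSN page renders.` The `class SsnController` body continues past the hunk.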
@@ -83,6 +83,27 @@
 expect(response).to redirect_to(idv_doc_auth_url)
 end
 end
+
+ it 'overrides Content Security Policies for ThreatMetrix' do
+ allow(IdentityConfig.store).to receive(:proofing_device_profiling).
+ and_return(:enabled)
+ get :show
+
+ csp = response.request.content_security_policy
+
+ aggregate_failures do
+ expect(csp.directives['script-src']).to include('h.online-metrix.net')
+ expect(csp.directives['script-src']).to include("'unsafe-eval'")
+
+ expect(csp.directives['style-src']).to include("'unsafe-inline'")
+
+ expect(csp.directives['child-src']).to include('h.online-metrix.net')
+
+ expect(csp.directives['connect-src']).to include('h.online-metrix.net')
+
+ expect(csp.directives['img-src']).to include('*.online-metrix.net')
+ end
+ end
 end
 describe '#update' do
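Review bot: The new example only exercises the enabled path, so nothing would catch a regression in which `'unsafe-eval'` and `'unsafe-inline'` reach the policy while device profiling is off, which is exactly the property the guard in `override_csp_for_threat_metrix_no_fsm` exists to protect. A counterpart example that stubs the setting to its disabled value and asserts those sources are absent closes that gap, and it also makes the link between the `proofing_device_profiling` stub and `FeatureManagement.proofing_device_profiling_collecting_enabled?` explicit, since that mapping is not visible in this patch. `Array(...)` around the directive keeps the negative assertions meaningful if a directive is unset. The `describe '#show'` block enclosing the hunk starts before it.
```ruby
it 'does not relax the CSP when device profiling is disabled' do
  allow(IdentityConfig.store).to receive(:proofing_device_profiling).
    and_return(:disabled)
  get :show

  csp = response.request.content_security_policy

  aggregate_failures do
    expect(Array(csp.directives['script-src'])).not_to include("'unsafe-eval'")
    expect(Array(csp.directives['style-src'])).not_to include("'unsafe-inline'")
    expect(Array(csp.directives['script-src'])).not_to include('h.online-metrix.net')
  end
end
```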