18F · soniaconnolly · May 10, 2023 · May 9, 2023 · May 9, 2023
diff --git a/app/controllers/concerns/idv/threat_metrix_concern.rb b/app/controllers/concerns/idv/threat_metrix_concern.rb
@@ -10,6 +10,18 @@ def override_csp_for_threat_metrix
 
       return if params[:step] != 'ssn'
 
+      threat_metrix_csp_overrides
+    end
+
+    # Remove this duplication once in_person_controller is no longer in use
+    # for their SSN step
+    def override_csp_for_threat_metrix_no_fsm
+      return unless FeatureManagement.proofing_device_profiling_collecting_enabled?
+
+      threat_metrix_csp_overrides
+    end
+
+    def threat_metrix_csp_overrides
       policy = current_content_security_policy
 
       # ThreatMetrix requires additional Content Security Policy (CSP)

diff --git a/app/controllers/idv/ssn_controller.rb b/app/controllers/idv/ssn_controller.rb
@@ -5,9 +5,11 @@ class SsnController < ApplicationController
     include StepIndicatorConcern
     include StepUtilitiesConcern
     include Steps::ThreatMetrixStepHelper
+    include ThreatMetrixConcern
 
     before_action :confirm_verify_info_step_needed
     before_action :confirm_document_capture_complete
+    before_action :override_csp_for_threat_metrix_no_fsm
 
     attr_accessor :error_message
 

diff --git a/spec/controllers/idv/ssn_controller_spec.rb b/spec/controllers/idv/ssn_controller_spec.rb
@@ -34,6 +34,13 @@
         :confirm_document_capture_complete,
       )
     end
+
+    it 'overrides CSPs for ThreatMetrix' do
+      expect(subject).to have_actions(
+        :before,
+        :override_csp_for_threat_metrix_no_fsm,
+      )
+    end
   end
 
   describe '#show' do
@@ -76,6 +83,27 @@
         expect(response).to redirect_to(idv_doc_auth_url)
       end
     end
+
+    it 'overrides Content Security Policies for ThreatMetrix' do
+      allow(IdentityConfig.store).to receive(:proofing_device_profiling).
+        and_return(:enabled)
+      get :show
+
+      csp = response.request.content_security_policy
+
+      aggregate_failures do
+        expect(csp.directives['script-src']).to include('h.online-metrix.net')
+        expect(csp.directives['script-src']).to include("'unsafe-eval'")
+
+        expect(csp.directives['style-src']).to include("'unsafe-inline'")
+
+        expect(csp.directives['child-src']).to include('h.online-metrix.net')
+
+        expect(csp.directives['connect-src']).to include('h.online-metrix.net')
+
+        expect(csp.directives['img-src']).to include('*.online-metrix.net')
+      end
+    end
   end
 
   describe '#update' do