18F · soniaconnolly · Aug 29, 2023 · Aug 25, 2023 · Aug 25, 2023 · Aug 28, 2023
diff --git a/app/controllers/concerns/idv/threat_metrix_concern.rb b/app/controllers/concerns/idv/threat_metrix_concern.rb
@@ -18,17 +18,6 @@ def override_csp_for_threat_metrix
     def override_csp_for_threat_metrix_no_fsm
       return unless FeatureManagement.proofing_device_profiling_collecting_enabled?
 
-      ##
-      # In order to test the behavior without the CSP changes, we do not perform the CSP override
-      # if the user's email is on a list of CSP disabled emails.
-      #
-      current_user.email_addresses.each do |email_address|
-        no_csp_email = IdentityConfig.store.idv_tmx_test_csp_disabled_emails.include?(
-          email_address.email,
-        )
-        return nil if no_csp_email
-      end
-
       threat_metrix_csp_overrides
     end
 

diff --git a/app/controllers/idv/ssn_controller.rb b/app/controllers/idv/ssn_controller.rb
@@ -10,8 +10,6 @@ class SsnController < ApplicationController
     before_action :confirm_repeat_ssn, only: :show
     before_action :override_csp_for_threat_metrix_no_fsm
 
-    helper_method :should_render_threatmetrix_js?
-
     attr_accessor :error_message
 
     def show
@@ -49,23 +47,6 @@ def update
       end
     end
 
-    ##
-    # In order to test the behavior without the threatmetrix JS, we do not load the threatmetrix
-    # JS if the user's email is on a list of JS disabled emails.
-    #
-    def should_render_threatmetrix_js?
-      return false unless FeatureManagement.proofing_device_profiling_collecting_enabled?
-
-      current_user.email_addresses.each do |email_address|
-        no_csp_email = IdentityConfig.store.idv_tmx_test_js_disabled_emails.include?(
-          email_address.email,
-        )
-        return false if no_csp_email
-      end
-
-      true
-    end
-
     private
 
     def confirm_repeat_ssn

diff --git a/app/views/idv/ssn/show.html.erb b/app/views/idv/ssn/show.html.erb
@@ -30,7 +30,7 @@ locals:
   <% end %>
 </p>
 
-<% if should_render_threatmetrix_js? %>
+<% if FeatureManagement.proofing_device_profiling_collecting_enabled? %>
   <% if threatmetrix_session_id.present? %>
     <% threatmetrix_javascript_urls.each do |threatmetrix_javascript_url| %>
       <%= javascript_include_tag threatmetrix_javascript_url, nonce: true %>

diff --git a/config/application.yml.default b/config/application.yml.default
@@ -128,8 +128,6 @@ idv_acuant_sdk_upgrade_a_b_testing_percent: 50
 idv_getting_started_a_b_testing: '{"welcome_default":100, "welcome_new":0, "getting_started":0}'
 idv_send_link_attempt_window_in_minutes: 10
 idv_send_link_max_attempts: 5
-idv_tmx_test_csp_disabled_emails: '[]'
-idv_tmx_test_js_disabled_emails: '[]'
 idv_sp_required: false
 in_person_capture_secondary_id_enabled: false
 in_person_public_address_search_enabled: false

diff --git a/lib/identity_config.rb b/lib/identity_config.rb
@@ -241,8 +241,6 @@ def self.build_store(config_map)
     config.add(:idv_send_link_attempt_window_in_minutes, type: :integer)
     config.add(:idv_send_link_max_attempts, type: :integer)
     config.add(:idv_sp_required, type: :boolean)
-    config.add(:idv_tmx_test_csp_disabled_emails, type: :json)
-    config.add(:idv_tmx_test_js_disabled_emails, type: :json)
     config.add(:in_person_capture_secondary_id_enabled, type: :boolean)
     config.add(:in_person_completion_survey_url, type: :string)
     config.add(:in_person_doc_auth_button_enabled, type: :boolean)

diff --git a/spec/controllers/idv/ssn_controller_spec.rb b/spec/controllers/idv/ssn_controller_spec.rb
@@ -137,29 +137,6 @@
         expect(csp.directives['img-src']).to include('*.online-metrix.net')
       end
     end
-
-    it 'does not override the Content Security for CSP disabled test users' do
-      allow(IdentityConfig.store).to receive(:proofing_device_profiling).
-        and_return(:enabled)
-      allow(IdentityConfig.store).to receive(:idv_tmx_test_csp_disabled_emails).
-        and_return([user.email_addresses.first.email])
-
-      get :show
-
-      csp = response.request.content_security_policy
-
-      aggregate_failures do
-        expect(csp.directives['script-src']).to_not include('h.online-metrix.net')
-
-        expect(csp.directives['style-src']).to_not include("'unsafe-inline'")
-
-        expect(csp.directives['child-src']).to_not include('h.online-metrix.net')
-
-        expect(csp.directives['connect-src']).to_not include('h.online-metrix.net')
-
-        expect(csp.directives['img-src']).to_not include('*.online-metrix.net')
-      end
-    end
   end
 
   describe '#update' do
@@ -286,29 +263,4 @@
       end
     end
   end
-
-  describe '#should_render_threatmetrix_js?' do
-    it 'returns true if the JS should be disabled for the user' do
-      allow(IdentityConfig.store).to receive(:proofing_device_profiling).
-        and_return(:enabled)
-      allow(IdentityConfig.store).to receive(:idv_tmx_test_js_disabled_emails).
-        and_return([user.email_addresses.first.email])
-
-      expect(controller.should_render_threatmetrix_js?).to eq(false)
-    end
-
-    it 'returns true if the JS should not be disabled for the user' do
-      allow(IdentityConfig.store).to receive(:proofing_device_profiling).
-        and_return(:enabled)
-
-      expect(controller.should_render_threatmetrix_js?).to eq(true)
-    end
-
-    it 'returns false if TMx profiling is disabled' do
-      allow(IdentityConfig.store).to receive(:proofing_device_profiling).
-        and_return(:disabled)
-
-      expect(controller.should_render_threatmetrix_js?).to eq(false)
-    end
-  end
 end