hmcts · Josh-HMCTS · Jan 6, 2025 · Nov 19, 2024 · Nov 19, 2024 · Nov 19, 2024
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@hmcts/rpx-xui-node-lib",
-  "version": "2.29.7",
+  "version": "2.29.8",
   "description": "Common nodejs library components for XUI",
   "main": "dist/index",
   "types": "dist/index.d.ts",

diff --git a/src/common/util/contentSecurityPolicy.spec.ts b/src/common/util/contentSecurityPolicy.spec.ts
@@ -0,0 +1,13 @@
+import { getContentSecurityPolicy } from './'
+import { SECURITY_POLICY } from './contentSecurityPolicy'
+
+describe('getContentSecurityPolicy(helmet)', () => {
+    it('should correctly call the content security policy', () => {
+        const helmet: any = {
+            contentSecurityPolicy: (policy: any) => {
+                return policy
+            },
+        }
+        expect(getContentSecurityPolicy(helmet)).toBe(SECURITY_POLICY)
+    })
+})
diff --git a/src/common/util/contentSecurityPolicy.ts b/src/common/util/contentSecurityPolicy.ts
@@ -0,0 +1,53 @@
+export const SECURITY_POLICY = {
+    directives: {
+        connectSrc: [
+            "'self' blob: data:",
+            '*.gov.uk',
+            'dc.services.visualstudio.com',
+            '*.launchdarkly.com',
+            'https://*.google-analytics.com',
+            'https://*.googletagmanager.com',
+            'https://*.analytics.google.com',
+            '*.hmcts.net',
+            'wss://*.webpubsub.azure.com',
+            'https://*.in.applicationinsights.azure.com',
+            'https://*.monitor.azure.com',
+        ],
+        defaultSrc: ["'self'"],
+        fontSrc: ["'self'", 'https://fonts.gstatic.com', 'data:'],
+        formAction: ["'none'"],
+        frameAncestors: ["'self'"],
+        frameSrc: ["'self'"],
+        imgSrc: [
+            "'self'",
+            'data:',
+            'https://*.google-analytics.com',
+            'https://*.googletagmanager.com',
+            'https://raw.githubusercontent.com/hmcts/',
+            'https://stats.g.doubleclick.net/',
+            'https://ssl.gstatic.com/',
+            'https://www.gstatic.com/',
+            'https://fonts.gstatic.com',
+        ],
+        mediaSrc: ["'self'"],
+        scriptSrc: [
+            "'self'",
+            "'unsafe-inline'",
+            "'unsafe-eval'",
+            'https://*.google-analytics.com',
+            'https://*.googletagmanager.com',
+            'az416426.vo.msecnd.net',
+        ],
+        styleSrc: [
+            "'self'",
+            "'unsafe-inline'",
+            'https://fonts.googleapis.com',
+            'https://fonts.gstatic.com',
+            'https://www.googletagmanager.com',
+        ],
+    },
+}
+
+export const getContentSecurityPolicy = (helmet: any) => {
+    return helmet.contentSecurityPolicy(SECURITY_POLICY)
+}
diff --git a/src/common/util/index.ts b/src/common/util/index.ts
@@ -1,5 +1,6 @@
 export { hasKey } from './hasKey'
 export { getLogger, XuiLogger } from './debug.logger'
+export { getContentSecurityPolicy } from './contentSecurityPolicy'
 export { sortArray } from './sortArray'
 export { isStringPatternMatch } from './stringPatternMatch'
 export { arrayPatternMatch } from './arrayPatternMatch'