Merge pull request #232 from alphagov/add-speedcurve-csp

Add lux.speedcurve.com to connect_src CSP
alphagov · Apr 7, 2022 · 4c7198b · 4c7198b
2 parents 2d38dbb + 494dd20
commit 4c7198b
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,6 @@
 # Unreleased
 
+- Add lux.speedcurve.com to connect_src for GOV.UK Content Security Policy ([#232](https://github.com/alphagov/govuk_app_config/pull/232))
 - Fix prometheus_exporter to only be enabled when the GOVUK_PROMETHEUS_EXPORTER env var is set to "true" ([#231](https://github.com/alphagov/govuk_app_config/pull/231)).
 - Add Prometheus monitoring for EKS section to README.md ([#231](https://github.com/alphagov/govuk_app_config/pull/231)).
 - Fix govuk_error being incompatible with Ruby >= 3 ([#233](https://github.com/alphagov/govuk_app_config/pull/233))

diff --git a/lib/govuk_app_config/govuk_content_security_policy.rb b/lib/govuk_app_config/govuk_content_security_policy.rb
@@ -31,11 +31,10 @@ def self.build_policy(policy)
                    :data, # Base64 encoded images
                    *GOVUK_DOMAINS,
                    *GOOGLE_ANALYTICS_DOMAINS, # Tracking pixels
+                   # Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
+                   "lux.speedcurve.com",
                    # Some content still links to an old domain we used to use
-                   "assets.digital.cabinet-office.gov.uk",
-                   # Allow images to be loaded for Speedcurve's LUX - used for
-                   # getting real user metrics on GOV.UK
-                   "lux.speedcurve.com"
+                   "assets.digital.cabinet-office.gov.uk"
 
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
     policy.script_src :self,
@@ -71,6 +70,8 @@ def self.build_policy(policy)
     policy.connect_src :self,
                        *GOVUK_DOMAINS,
                        *GOOGLE_ANALYTICS_DOMAINS,
+                       # Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
+                       "lux.speedcurve.com",
                        # Allow connecting to web chat from HMRC contact pages
                        "www.tax.service.gov.uk",
                        # Allow JSON call to Nuance - HMRC web chat provider