GSA · ccostino · Dec 23, 2024 · Nov 18, 2024 · Nov 19, 2024 · Nov 19, 2024
diff --git a/app/__init__.py b/app/__init__.py
@@ -1,8 +1,9 @@
 import os
 import pathlib
+import secrets
 from functools import partial
 from time import monotonic
-from urllib.parse import urlparse, urlunparse
+from urllib.parse import unquote, urlparse, urlunparse
 
 import jinja2
 from flask import (
@@ -114,6 +115,7 @@
     get_lines_with_normalised_whitespace,
 )
 from notifications_utils.recipients import format_phone_number_human_readable
+from notifications_utils.url_safe_token import generate_token
 
 login_manager = LoginManager()
 csrf = CSRFProtect()
@@ -139,6 +141,10 @@ def _csp(config):
     logo_domain = config["LOGO_CDN_DOMAIN"]
     return {
         "default-src": ["'self'", asset_domain],
+        "frame-src": [
+            "https://www.youtube.com",
+            "https://www.youtube-nocookie.com",
+        ],
         "frame-ancestors": "'none'",
         "form-action": "'self'",
         "script-src": [
@@ -168,10 +174,42 @@ def create_app(application):
 
     @application.context_processor
     def inject_feature_flags():
-        feature_best_practices_enabled = application.config[
-            "FEATURE_BEST_PRACTICES_ENABLED"
-        ]
-        return dict(FEATURE_BEST_PRACTICES_ENABLED=feature_best_practices_enabled)
+        feature_best_practices_enabled = application.config.get(
+            "FEATURE_BEST_PRACTICES_ENABLED", False
+        )
+        feature_about_page_enabled = application.config.get(
+            "FEATURE_ABOUT_PAGE_ENABLED", False
+        )
+        return dict(
+            FEATURE_BEST_PRACTICES_ENABLED=feature_best_practices_enabled,
+            FEATURE_ABOUT_PAGE_ENABLED=feature_about_page_enabled,
+        )
+
+    @application.context_processor
+    def inject_initial_signin_url():
+        ttl = 24 * 60 * 60
+
+        # make and store the state
+        state = generate_token(
+            str(request.remote_addr),
+            current_app.config["SECRET_KEY"],
+            current_app.config["DANGEROUS_SALT"],
+        )
+
+        state_key = f"login-state-{unquote(state)}"
+        redis_client.set(state_key, state, ex=ttl)
+
+        # make and store the nonce
+        nonce = secrets.token_urlsafe()
+        nonce_key = f"login-nonce-{unquote(nonce)}"
+        redis_client.set(nonce_key, nonce, ex=ttl)
+
+        url = os.getenv("LOGIN_DOT_GOV_INITIAL_SIGNIN_URL")
+        if url is not None:
+            url = url.replace("NONCE", nonce)
+            url = url.replace("STATE", state)
+
+        return {"initial_signin_url": url}
 
     notify_environment = os.environ["NOTIFY_ENVIRONMENT"]
 

diff --git a/app/assets/images/contact.svg b/app/assets/images/contact.svg
diff --git a/app/assets/images/fast.svg b/app/assets/images/fast.svg
diff --git a/app/assets/images/internet.svg b/app/assets/images/internet.svg