From 3e3b04e5a2c1668be8fa43ec18e08f7cfd012e2c Mon Sep 17 00:00:00 2001
From: Kyle Morel
Date: Mon, 18 Dec 2023 08:02:41 -0800
Subject: [PATCH] Update Helmet content security policy
---
 app/app.ts | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/app/app.ts b/app/app.ts
index 6e039dc..6a93ea8 100644
--- a/app/app.ts
+++ b/app/app.ts
@@ -30,7 +30,18 @@ app.use(compression());
 app.use(cors(DEFAULTCORS));
 app.use(express.json({ limit: config.get('server.bodyLimit') }));
 app.use(express.urlencoded({ extended: true }));
-app.use(helmet());
+app.use(
+ helmet({
+ contentSecurityPolicy: {
+ directives: {
+ 'default-src': [
+ "'self'", // eslint-disable-line
+ new URL(config.get('server.oidc.serverUrl')).origin
+ ]
+ }
+ }
+ })
+);
 
 // Skip if running tests
 if (process.env.NODE_ENV !== 'test') {
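Review bot: Putting the OIDC origin on the `'default-src'` line widens every fetch directive the policy does not name explicitly — `connect-src`, `frame-src`, `worker-src`, `media-src`, `manifest-src` and, if the installed Helmet major has `useDefaults` off, `script-src`/`style-src`/`img-src` as well — so content from the identity provider is permitted wherever `default-src` is the fallback, including script execution in the no-defaults case. Keep `'default-src': ["'self'"]` and grant the IdP origin only to the directive the login flow actually needs, presumably `'connect-src': ["'self'", new URL(config.get('server.oidc.serverUrl')).origin]` for discovery/token calls or `'frame-src'` for a silent-renew iframe; which one applies depends on the front end, which is not visible here. Set `useDefaults: true` explicitly next to `directives` so the remaining Helmet defaults (`object-src 'none'`, `script-src 'self'`, `frame-ancestors 'self'`, …) are retained regardless of Helmet version, since that default flipped between majors and a policy containing only `default-src` is much weaker than the stock `helmet()` this replaces. Also, `new URL(...)` throws a bare "Invalid URL" at startup if `server.oidc.serverUrl` is unset — failing fast is fine, but a comment such as `// CSP needs only the IdP origin; any path/query in serverUrl is intentionally dropped` would document why `.origin` is taken.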