From 9a0c9566a46b7d2abdcbfe40a347fc76ad829e8a Mon Sep 17 00:00:00 2001
From: Andy Sellick <andy.sellick@digital.cabinet-office.gov.uk>
Date: Tue, 27 Feb 2024 15:41:29 +0000
Subject: [PATCH] Add single cookie consent api URLs

- once the single consent API is enabled on GOV.UK the JS will be making XMLHttprequests to the staging and production environments for the single consent api, so these URLs need to be added to the CSP
---
 lib/govuk_app_config/govuk_content_security_policy.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/govuk_app_config/govuk_content_security_policy.rb b/lib/govuk_app_config/govuk_content_security_policy.rb
index 97a83de..4836467 100644
--- a/lib/govuk_app_config/govuk_content_security_policy.rb
+++ b/lib/govuk_app_config/govuk_content_security_policy.rb
@@ -71,7 +71,9 @@ def self.build_policy(policy)
                        *GOVUK_DOMAINS,
                        *GOOGLE_ANALYTICS_DOMAINS,
                        # Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
-                       "lux.speedcurve.com"
+                       "lux.speedcurve.com",
+                       "gds-single-consent-staging.app",
+                       "gds-single-consent.app"
 
     # Disallow all <object>, <embed>, and <applet> elements
     #