Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add single cookie consent api URLs #355

Merged
merged 1 commit into from
Feb 28, 2024
Merged

Add single cookie consent api URLs #355

merged 1 commit into from
Feb 28, 2024

Conversation

andysellick
Copy link
Contributor

What / why

Adds the URLs for the single cookie consent API into the CSP. Once the single consent API is enabled on GOV.UK the JS will be making XMLHttprequests to the staging and production environments for the single consent api, so these URLs need to be added to the CSP.

Trello card: https://trello.com/c/dmlTAzKB/140-implement-single-consent-api

Copy link
Contributor

@richardTowers richardTowers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. Only thing I wasn't sure about was whether to include the https:// protocol, as the speedcurve link doesn't have that. The documentation suggests it's okay to include that though - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources

- once the single consent API is enabled on GOV.UK the JS will be making XMLHttprequests to the staging and production environments for the single consent api, so these URLs need to be added to the CSP
@andysellick
Copy link
Contributor Author

@richardTowers that's a good point, have updated, thanks!

@andysellick andysellick merged commit 18b2bea into main Feb 28, 2024
11 checks passed
@andysellick andysellick deleted the add-consent-api branch February 28, 2024 16:13
@kevindew
Copy link
Member

kevindew commented Mar 5, 2024

For future reference, it's slightly better to include https as it means it will only connect on that protocol. Without it will allow non-TLS http.

@andysellick
Copy link
Contributor Author

Thanks @kevindew I hadn't realised that. Should I go back and change this now?

@kevindew
Copy link
Member

kevindew commented Mar 5, 2024

Nah don't worry. I expect at some point in the future, we'll (or I'll) do a blanket update of them.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants