From d62e8b50f814c12254f261739377377d2eb494d6 Mon Sep 17 00:00:00 2001
From: Neil Mills <neil.mills@digital.justice.gov.uk>
Date: Tue, 14 Jan 2025 12:06:22 +0000
Subject: [PATCH] MAN-256 csr connection fixes

---
 server/middleware/setUpWebSecurity.ts | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/server/middleware/setUpWebSecurity.ts b/server/middleware/setUpWebSecurity.ts
index 102d4290..df1d8ce8 100644
--- a/server/middleware/setUpWebSecurity.ts
+++ b/server/middleware/setUpWebSecurity.ts
@@ -17,7 +17,7 @@ export default function setUpWebSecurity(): Router {
     helmet({
       contentSecurityPolicy: {
         directives: {
-          defaultSrc: ["'self'"],
+          defaultSrc: ["'self'", 'js.monitor.azure.com', '*.applicationinsights.azure.com/v2/track'],
           // This nonce allows us to use scripts with the use of the `cspNonce` local, e.g (in a Nunjucks template):
           // <script nonce="{{ cspNonce }}">
           // or
@@ -26,9 +26,15 @@ export default function setUpWebSecurity(): Router {
           // page by an attacker.
           scriptSrc: [
             "'self' https://browser.sentry-cdn.com https://js.sentry-cdn.com",
+            'js.monitor.azure.com',
+            '*.applicationinsights.azure.com/v2/track',
             (_req: Request, res: Response) => `'nonce-${res.locals.cspNonce}'`,
           ],
-          connectSrc: ["'self' https://*.sentry.io"],
+          connectSrc: [
+            "'self' https://*.sentry.io",
+            'js.monitor.azure.com',
+            '*.applicationinsights.azure.com/v2/track',
+          ],
           workerSrc: ["'self' blob:"],
           styleSrc: ["'self'", (_req: Request, res: Response) => `'nonce-${res.locals.cspNonce}'`],
           fontSrc: ["'self'"],