Facebook CSP header fixes (#10406)

bbc · Nov 9, 2022 · 2dd57c4 · 2dd57c4
1 parent ba16f3d
commit 2dd57c4
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 12 deletions.
diff --git a/src/server/utilities/cspHeader/index.js b/src/server/utilities/cspHeader/index.js
@@ -129,7 +129,7 @@ const directives = {
       'https://www.youtube-nocookie.com', // Social Embeds, youtube no-cookie
       'https://www.instagram.com', // Social Embeds
       'https://www.tiktok.com', // Social Embeds
-      'https://www.facebook.com', // Social Embeds
+      'https://*.facebook.com', // Social Embeds
       'https://*.twitter.com', // Social Embeds
       'https://bbc.com', // Media Player
       'https://bbc-maps.carto.com', // STY include maps
@@ -158,7 +158,7 @@ const directives = {
       'https://www.youtube-nocookie.com', // Social Embeds, youtube no-cookie
       'https://www.instagram.com', // Social Embeds
       'https://www.tiktok.com', // Social Embeds
-      'https://www.facebook.com', // Social Embeds
+      'https://*.facebook.com', // Social Embeds
       'https://*.twitter.com', // Social Embeds
       'https://bbc.com', // Media Player
       'https://bbc-maps.carto.com', // STY include maps
@@ -177,7 +177,7 @@ const directives = {
       'https://*.cdninstagram.com', // Social Embeds, <amp-instagram />
       'https://www.tiktok.com', // Social Embeds, <amp-tiktok />
       'https://*.tiktokcdn.com', // Social Embeds, <amp-tiktok />
-      'https://www.facebook.com', // Social Embeds, <amp-facebook />
+      'https://*.facebook.com', // Social Embeds, <amp-facebook />
       'https://*.xx.fbcdn.net', // Social Embeds, <amp-facebook />
       ...advertisingDirectives.imgSrc,
       'https://*.googleusercontent.com', // Google Play Store - BBC News Apps - Arabic, Hindi, Mundo, Russian
@@ -206,7 +206,7 @@ const directives = {
       'https://*.cdninstagram.com', // Social Embeds, <amp-instagram />
       'https://www.tiktok.com', // Social Embeds, <amp-tiktok />
       'https://*.tiktokcdn.com', // Social Embeds, <amp-tiktok />
-      'https://www.facebook.com', // Social Embeds, <amp-facebook />
+      'https://*.facebook.com', // Social Embeds, <amp-facebook />
       'https://*.xx.fbcdn.net', // Social Embeds, <amp-facebook />
       ...advertisingDirectives.imgSrc,
       'https://*.googleusercontent.com', // Google Play Store - BBC News Apps - Arabic, Hindi, Mundo, Russian
@@ -245,7 +245,7 @@ const directives = {
       'https://www.instagram.com', // Social Embeds
       'https://www.tiktok.com', // Social Embeds
       'https://lf16-tiktok-web.ttwstatic.com', // Social Embeds - TikTok
-      'https://www.facebook.com', // Social Embeds
+      'https://*.facebook.com', // Social Embeds
       'https://connect.facebook.net', // Social Embeds
       'https://*.xx.fbcdn.net', // Social Embeds
       'https://*.twimg.com', // Social Embeds
@@ -273,7 +273,7 @@ const directives = {
       'https://www.instagram.com', // Social Embeds
       'https://www.tiktok.com', // Social Embeds
       'https://lf16-tiktok-web.ttwstatic.com', // Social Embeds - TikTok
-      'https://www.facebook.com', // Social Embeds
+      'https://*.facebook.com', // Social Embeds
       'https://connect.facebook.net', // Social Embeds
       'https://*.xx.fbcdn.net', // Social Embeds
       'https://*.twimg.com', // Social Embeds

diff --git a/src/server/utilities/cspHeader/index.test.js b/src/server/utilities/cspHeader/index.test.js
@@ -102,7 +102,7 @@ describe('cspHeader', () => {
         'https://*.xx.fbcdn.net',
         'https://www.instagram.com',
         'https://www.tiktok.com',
-        'https://www.facebook.com',
+        'https://*.facebook.com',
         'https://sb.scorecardresearch.com',
         'https://i.ytimg.com',
         "data: 'self'",
@@ -169,7 +169,7 @@ describe('cspHeader', () => {
         'https://*.googlesyndication.com',
         'https://edigitalsurvey.com',
         'https://www.tiktok.com',
-        'https://www.facebook.com',
+        'https://*.facebook.com',
         "'self'",
       ].sort(),
       imgSrcExpectation: [
@@ -214,7 +214,7 @@ describe('cspHeader', () => {
         'https://*.wearehearken.eu',
         'https://www.tiktok.com',
         'https://lf16-tiktok-web.ttwstatic.com',
-        'https://www.facebook.com',
+        'https://*.facebook.com',
         'https://connect.facebook.net',
         'https://*.xx.fbcdn.net',
         ...advertisingServiceCountryDomains,
@@ -296,7 +296,7 @@ describe('cspHeader', () => {
         'https://i.ytimg.com',
         'https://www.tiktok.com',
         'https://*.tiktokcdn.com',
-        'https://www.facebook.com',
+        'https://*.facebook.com',
         'https://*.xx.fbcdn.net',
         "data: 'self'",
       ].sort(),
@@ -363,7 +363,7 @@ describe('cspHeader', () => {
         'https://www.youtube.com',
         'https://www.youtube-nocookie.com',
         'https://www.tiktok.com',
-        'https://www.facebook.com',
+        'https://*.facebook.com',
         "'self'",
       ].sort(),
       imgSrcExpectation: [
@@ -412,7 +412,7 @@ describe('cspHeader', () => {
         'https://*.imrworldwide.com',
         'https://www.tiktok.com',
         'https://lf16-tiktok-web.ttwstatic.com',
-        'https://www.facebook.com',
+        'https://*.facebook.com',
         'https://connect.facebook.net',
         'https://*.xx.fbcdn.net',
         ...advertisingServiceCountryDomains,