fix(transition): correct relative paths

- Ensure all requested assets are relative to the site root - Add cdn.jsdelivr.net to the CSP allow list for SGDS resources
opengovsg · Aug 19, 2020 · afedeea · afedeea
1 parent bd2a2ea
commit afedeea
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 6 deletions.
diff --git a/src/server/index.ts b/src/server/index.ts
@@ -83,8 +83,13 @@ app.use(
     contentSecurityPolicy: {
       directives: {
         defaultSrc: ["'self'"],
-        styleSrc: ["'self'", "'unsafe-inline'", 'fonts.googleapis.com'],
-        fontSrc: ["'self'", 'fonts.gstatic.com'],
+        styleSrc: [
+          "'self'",
+          "'unsafe-inline'",
+          'fonts.googleapis.com',
+          'cdn.jsdelivr.net',
+        ],
+        fontSrc: ["'self'", 'fonts.gstatic.com', 'cdn.jsdelivr.net'],
         imgSrc: [
           "'self'",
           'data:',

diff --git a/src/server/views/transition-page.ejs b/src/server/views/transition-page.ejs
@@ -9,7 +9,7 @@
     <title>Go.gov.sg</title>
     <link href="https://fonts.googleapis.com/css2?family=IBM+Plex+Sans:wght@400;500;700&display=swap" rel="stylesheet">
     <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/sgds-govtech@1.3.13/css/sgds.css">
-    <link href="./assets/transition-page/styles/transition-page.css" rel="stylesheet">
+    <link href="/assets/transition-page/styles/transition-page.css" rel="stylesheet">
     <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
 </head>
 
@@ -31,15 +31,15 @@
     </div>
     <div class="bottom-half">
         <p id="url" data-href="<%- escapedLongUrl %>">You will be redirected in <span id="countdown-seconds">6</span> second<span id="s">s</span></p>
-        <img class="loading-image" src="./assets/transition-page/images/loading.gif" alt="loading" />
+        <img class="loading-image" src="/assets/transition-page/images/loading.gif" alt="loading" />
         <div class="footer">
-            <img src="./assets/transition-page/icons/go-logo.svg" alt="go logo" />
+            <img src="/assets/transition-page/icons/go-logo.svg" alt="go logo" />
             <p>You will only be shown this page the first time you access this short link.</p>
         </div>
     </div>
     <!-- Global Site Tag (gtag.js) - Google Analytics -->
     <script async src="https://www.googletagmanager.com/gtag/js?id=<%= gaTrackingId %>"></script>
-    <script src="./assets/transition-page/js/redirect.js"></script>
+    <script src="/assets/transition-page/js/redirect.js"></script>
 </body>
 
 </html>