CCM-9916: preload fonts with cross origin directive

harrim91 · harrim91 · commit f99756907093 · 2025-10-20T15:33:26.000+01:00
diff --git a/frontend/src/__tests__/middleware.test.ts b/frontend/src/__tests__/middleware.test.ts
@@ -165,7 +165,7 @@ describe('middleware function', () => {
     ]);
   });
 
-  it('when running in development mode, CSP script-src allows unsafe-eval', async () => {
+  it('when running in development mode, CSP script-src allows unsafe-eval and does not upgrade insecure requests', async () => {
     // @ts-expect-error assignment to const
     process.env.NODE_ENV = 'development';
 
@@ -189,8 +189,6 @@ describe('middleware function', () => {
         /^script-src 'self' 'nonce-[\dA-Za-z]+' 'unsafe-eval'$/
       ),
       expect.stringMatching(/^style-src 'self' 'nonce-[\dA-Za-z]+'$/),
-      'upgrade-insecure-requests',
-      '',
     ]);
   });
 });
diff --git a/frontend/src/app/layout.tsx b/frontend/src/app/layout.tsx
@@ -57,6 +57,22 @@ export default function RootLayout({
   return (
     <html lang='en'>
       <head>
+        <link
+          rel='preload'
+          as='font'
+          href='https://assets.nhs.uk/fonts/FrutigerLTW01-55Roman.woff2'
+          type='font/woff2'
+          crossOrigin='anonymous'
+        />
+
+        <link
+          rel='preload'
+          as='font'
+          href='https://assets.nhs.uk/fonts/FrutigerLTW01-65Bold.woff2'
+          type='font/woff2'
+          crossOrigin='anonymous'
+        />
+
         <script
           src={`${getBasePath()}/lib/nhsuk-frontend-10.0.0.min.js`}
           defer
diff --git a/frontend/src/middleware.ts b/frontend/src/middleware.ts
@@ -51,7 +51,7 @@ const publicPaths = [
 ];
 
 function getContentSecurityPolicy(nonce: string) {
-  const contentSecurityPolicyDirective = {
+  const contentSecurityPolicyDirective: Record<string, string[]> = {
     'base-uri': [`'self'`],
     'default-src': [`'none'`],
     'frame-ancestors': [`'none'`],
@@ -64,16 +64,18 @@ function getContentSecurityPolicy(nonce: string) {
     'object-src': [`'none'`],
     'script-src': [`'self'`, `'nonce-${nonce}'`],
     'style-src': [`'self'`, `'nonce-${nonce}'`],
-    'upgrade-insecure-requests;': [],
   };
 
   if (process.env.NODE_ENV === 'development') {
     contentSecurityPolicyDirective['script-src'].push(`'unsafe-eval'`);
+  } else {
+    contentSecurityPolicyDirective['upgrade-insecure-requests'] = [];
   }
 
   return Object.entries(contentSecurityPolicyDirective)
     .map(([key, value]) => `${key} ${value.join(' ')}`)
-    .join('; ');
+    .join('; ')
+    .concat(';');
 }
 
 export async function middleware(request: NextRequest) {
