hof 23.0.4-session-timeout-beta → 23.0.4

package/CHANGELOG.md

@@ -1,3 +1,23 @@
+## 2026-04-16, Version 23.0.4 (Stable), @PaolaDMadd-Pro
+
+### Fixed
+- Decoupled session timeout keep alive from analytics configuration.
+- Updated CSP defaults to always include `connect-src 'self'` so same-origin keep alive requests are allowed.
+- Updated GA CSP behavior to **extend** `connect-src` with analytics endpoints when `gaTagId` is set, rather than replacing defaults.
+
+### Changed
+- Improved timeout dialog refresh behavior:
+  * On keep alive success, `timeSessionRefreshed` is updated and timeout controller logic is restarted.
+  * On keep alive failure a console.error is triggered.
+
+### Tests
+- Added integration regression coverage for CSP:
+  * `gaTagId` set: GA and region analytics `connect-src` endpoints are present.
+  * `gaTagId` not set: default `connect-src 'self'` remains and GA region endpoints are absent.
+- Added frontend Jest coverage for timeout refresh behavior:
+  * Success path (`$.get().done`) updates refresh time and calls controller.
+
+
 ## 2026-03-18, Version 23.0.3 (Stable), @vinodhasamiyappan-ho
 
 ### Security

package/README.md

@@ -1407,8 +1407,8 @@ This feature allows you to customise the content related to the session timeout
 
 ### Usage
 
-By default, the session timeout is set to the redis session ttl. To bypass this and display the session timeout message before the redis session ttl the following evironment variables must be set:
-`CUSTOM_SESSION_EXPIRY` - e.g. `600`. Configure to expire before thte project's redis session ttl.
+By default, the session timeout is set to the redis session ttl. To bypass this and display the session timeout message before the redis session ttl the following environment variables must be set:
+`CUSTOM_SESSION_EXPIRY` - e.g. `600`. Configure to expire before the project's redis session ttl.
 `USE_CUSTOM_SESSION_TIMEOUT` -  `false` by default. When set to `true` the '/session-timeout' page can run before the session expires without triggering a `404` middleware error.
 
 To enable and customise the session timeout behaviour, you need to set the component and translations in your project's `hof.settings.json` file:
@@ -1437,7 +1437,7 @@ To override the default session-timeout page completely, the path to the session
     "hof/components/session-timeout-warning"
   ],
   "translations": "./apps/common/translations",
-   "views": ["./apps/common/views"], // allows you to overide the HOF default session-timeout page and use a custom one from the specified views
+   "views": ["./apps/common/views"], // allows you to override the HOF default session-timeout page and use a custom one from the specified views
    ...
 ```
 or in the project's `server.js` e.g.
@@ -1445,6 +1445,22 @@ or in the project's `server.js` e.g.
 settings.views = path.resolve(__dirname, './apps/common/views');
 ```
 
+
+### Session Timeout Keep-alive and CSP
+
+From version 23.0.4 , session timeout keep alive is now independent of analytics tags.
+
+- Default CSP always includes: `connect-src 'self'`
+- If `GA_TAG` (`gaTagId`) is configured:
+  - Google Analytics endpoints are added to `connect-src`.
+- If `GA_TAG` is not configured: Only default same-origin `connect-src` is used (no GA region endpoints).
+
+### Timeout Dialog Behavior
+When a user clicks **Stay on this page** in the timeout dialog:
+
+- If keep-alive succeeds:  session refresh timestamp is updated and the timeout countdown/controller is restarted.
+
+
 ### Customising content in `pages.json`
 Once the variables are set, you can customise the session timeout warning and exit messages in your project's pages.json:
 

package/frontend/themes/gov-uk/client-js/session-timeout-dialog.js

@@ -278,13 +278,10 @@ window.GOVUK.sessionDialog = {
 
   refreshSession: function () {
     $.get('')
-   .done(function () {
-      window.GOVUK.sessionDialog.timeSessionRefreshed = new Date();
-      window.GOVUK.sessionDialog.controller();
-    })
-    .fail(function () {
-      window.GOVUK.sessionDialog.redirect();
-    });
+      .done(function () {
+        window.GOVUK.sessionDialog.timeSessionRefreshed = new Date();
+        window.GOVUK.sessionDialog.controller();
+      });
   },
 
   redirect: function () {

package/index.js

@@ -93,7 +93,6 @@ const getContentSecurityPolicy = (config, res) => {
       'www.google.co.uk/ads/ga-audiences'
     ],
     connectSrc: [
-      "'self'",
       'https://www.google-analytics.com',
       'https://region1.google-analytics.com',
       'https://region1.analytics.google.com'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "hof",
   "description": "A bootstrap for HOF projects",
-  "version": "23.0.4-session-timeout-beta",
+  "version": "23.0.4",
   "license": "MIT",
   "main": "index.js",
   "author": "HomeOffice",

package/frontend/govuk-template/govuk_template_generated.html

@@ -1,118 +0,0 @@
-
-<!DOCTYPE html>
-<!--[if lt IE 9]><html class="lte-ie8" lang="{{htmlLang}}"><![endif]-->
-<!--[if gt IE 8]><!--><html lang="{{htmlLang}}" class="govuk-template--rebranded"><!--<![endif]-->
-  <head>
-    <meta charset="utf-8" />
-    <title>{{$pageTitle}}{{/pageTitle}}</title>
-    {{$head}}{{/head}}
-    <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover">
-    <meta name="theme-color" content="#1d70b8">
-    <meta http-equiv="X-UA-Compatible" content="IE=edge">
-    <link rel="icon" sizes="48x48" href="{{govukAssetPath}}rebrand/images/favicon.ico">
-    <link rel="icon" sizes="any" href="{{govukAssetPath}}rebrand/images/favicon.svg" type="image/svg+xml">
-    <link rel="mask-icon" href="{{govukAssetPath}}rebrand/images/govuk-icon-mask.svg" color="#1d70b8">
-    <link rel="apple-touch-icon" href="{{govukAssetPath}}rebrand/images/govuk-icon-180.png">
-    <link rel="manifest" href="{{govukAssetPath}}rebrand/manifest.json">
-    <meta property="og:image" content="{{govukAssetPath}}rebrand/images/govuk-opengraph-image.png">
-  </head>
-
-  <body class="{{$bodyClasses}}{{/bodyClasses}} govuk-template__body  js-enabled" >
-    <script {{#nonce}}nonce="{{nonce}}"{{/nonce}}>document.body.className += ' js-enabled' + ('noModule' in HTMLScriptElement.prototype ? ' govuk-frontend-supported' : '');</script>
-
-
-    <div id="global-cookie-message" class="gem-c-cookie-banner govuk-clearfix" data-module="cookie-banner" role="region" aria-label="cookie banner" data-nosnippet="">
-       {{$cookieMessage}}{{/cookieMessage}}
-    </div>
-
-	{{$bodyStart}}{{/bodyStart}}
-
-    <header role="banner" id="govuk-header" class="{{$headerClass}}{{/headerClass}}">
-      <div class="govuk-header__container govuk-width-container">
-
-          <div class="govuk-header__logo">
-            <a href="{{$homepageUrl}}https://www.gov.uk{{/homepageUrl}}" title="{{$logoLinkTitle}}Go to the GOV.UK homepage{{/logoLinkTitle}}" id="logo" class="govuk-header__link govuk-header__link--homepage" target="_blank" data-module="track-click" data-track-category="homeLinkClicked" data-track-action="homeHeader">
-                <!--[if gt IE 8]><!-->
-                <div id="govuk-header__logo"></div>
-                <img src="/public/images/govuk-logo.svg" id="govuk-header__logo" alt="Logo" loading="lazy" />
-                  <!--<![endif]-->
-                  <!--[if IE 8]>
-                  <img src="{{govukAssetPath}}rebrand/images/govuk-logotype-tudor-crown.png" class="govuk-header__logotype-crown-fallback-image" width="32" height="30" alt="">
-                  <![endif]-->
-            </a>
-          </div>
-          {{$insideHeader}}{{/insideHeader}}
-
-        {{$propositionHeader}}{{/propositionHeader}}
-      </div>
-    </header>
-
-
-    {{$afterHeader}}{{/afterHeader}}
-
-
-    {{$main}}{{/main}}
-
-    <footer class="govuk-footer">
-      <div class="govuk-width-container">
-        <svg
-          focusable="false"
-          role="presentation"
-          xmlns="http://www.w3.org/2000/svg"
-          viewBox="0 0 64 60"
-          height="30"
-          width="32"
-          fill="currentcolor" class="govuk-footer__crown">
-          <g>
-            <circle cx="20" cy="17.6" r="3.7" />
-            <circle cx="10.2" cy="23.5" r="3.7" />
-            <circle cx="3.7" cy="33.2" r="3.7" />
-            <circle cx="31.7" cy="30.6" r="3.7" />
-            <circle cx="43.3" cy="17.6" r="3.7" />
-            <circle cx="53.2" cy="23.5" r="3.7" />
-            <circle cx="59.7" cy="33.2" r="3.7" />
-            <circle cx="31.7" cy="30.6" r="3.7" />
-            <path d="M33.1,9.8c.2-.1.3-.3.5-.5l4.6,2.4v-6.8l-4.6,1.5c-.1-.2-.3-.3-.5-.5l1.9-5.9h-6.7l1.9,5.9c-.2.1-.3.3-.5.5l-4.6-1.5v6.8l4.6-2.4c.1.2.3.3.5.5l-2.6,8c-.9,2.8,1.2,5.7,4.1,5.7h0c3,0,5.1-2.9,4.1-5.7l-2.6-8ZM37,37.9s-3.4,3.8-4.1,6.1c2.2,0,4.2-.5,6.4-2.8l-.7,8.5c-2-2.8-4.4-4.1-5.7-3.8.1,3.1.5,6.7,5.8,7.2,3.7.3,6.7-1.5,7-3.8.4-2.6-2-4.3-3.7-1.6-1.4-4.5,2.4-6.1,4.9-3.2-1.9-4.5-1.8-7.7,2.4-10.9,3,4,2.6,7.3-1.2,11.1,2.4-1.3,6.2,0,4,4.6-1.2-2.8-3.7-2.2-4.2.2-.3,1.7.7,3.7,3,4.2,1.9.3,4.7-.9,7-5.9-1.3,0-2.4.7-3.9,1.7l2.4-8c.6,2.3,1.4,3.7,2.2,4.5.6-1.6.5-2.8,0-5.3l5,1.8c-2.6,3.6-5.2,8.7-7.3,17.5-7.4-1.1-15.7-1.7-24.5-1.7h0c-8.8,0-17.1.6-24.5,1.7-2.1-8.9-4.7-13.9-7.3-17.5l5-1.8c-.5,2.5-.6,3.7,0,5.3.8-.8,1.6-2.3,2.2-4.5l2.4,8c-1.5-1-2.6-1.7-3.9-1.7,2.3,5,5.2,6.2,7,5.9,2.3-.4,3.3-2.4,3-4.2-.5-2.4-3-3.1-4.2-.2-2.2-4.6,1.6-6,4-4.6-3.7-3.7-4.2-7.1-1.2-11.1,4.2,3.2,4.3,6.4,2.4,10.9,2.5-2.8,6.3-1.3,4.9,3.2-1.8-2.7-4.1-1-3.7,1.6.3,2.3,3.3,4.1,7,3.8,5.4-.5,5.7-4.2,5.8-7.2-1.3-.2-3.7,1-5.7,3.8l-.7-8.5c2.2,2.3,4.2,2.7,6.4,2.8-.7-2.3-4.1-6.1-4.1-6.1h10.6,0Z" />
-          </g>
-        </svg>
-        <div class="govuk-footer__meta">
-          <div class="govuk-footer__meta-item govuk-footer__meta-item--grow">
-            <h2 class="govuk-visually-hidden">Support links</h2>
-            {{$footerSupportLinks}}{{/footerSupportLinks}}
-            <svg
-              aria-hidden="true"
-              focusable="false"
-              class="govuk-footer__licence-logo"
-              xmlns="http://www.w3.org/2000/svg"
-              viewBox="0 0 483.2 195.7"
-              height="17"
-              width="41">
-              <path
-                fill="currentColor"
-                d="M421.5 142.8V.1l-50.7 32.3v161.1h112.4v-50.7zm-122.3-9.6A47.12 47.12 0 0 1 221 97.8c0-26 21.1-47.1 47.1-47.1 16.7 0 31.4 8.7 39.7 21.8l42.7-27.2A97.63 97.63 0 0 0 268.1 0c-36.5 0-68.3 20.1-85.1 49.7A98 98 0 0 0 97.8 0C43.9 0 0 43.9 0 97.8s43.9 97.8 97.8 97.8c36.5 0 68.3-20.1 85.1-49.7a97.76 97.76 0 0 0 149.6 25.4l19.4 22.2h3v-87.8h-80l24.3 27.5zM97.8 145c-26 0-47.1-21.1-47.1-47.1s21.1-47.1 47.1-47.1 47.2 21 47.2 47S123.8 145 97.8 145" />
-            </svg>
-            <span class="govuk-footer__licence-description">
-                {{$licenceMessage}}All content is available under the <a href="https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/" id="open-government-licence" class="govuk-footer__link" target="_blank" rel="license">Open Government Licence v3.0</a>, except where otherwise stated{{/licenceMessage}}
-            </span>
-          </div>
-          <div class="govuk-footer__meta-item">
-            <a
-              class="govuk-footer__link govuk-footer__copyright-logo"
-              href="https://www.nationalarchives.gov.uk/information-management/re-using-public-sector-information/uk-government-licensing-framework/crown-copyright/">
-              {{$crownCopyrightMessage}}© Crown copyright{{/crownCopyrightMessage}}
-            </a>
-          </div>
-        </div>
-      </div>
-    </footer>
-
-    <div id="global-app-error" class="app-error hidden"></div>
-
-
-    {{$bodyEnd}}{{/bodyEnd}}
-
-
-    <script  {{#nonce}}nonce="{{nonce}}"{{/nonce}}>if (typeof window.GOVUK === 'undefined') document.body.className = document.body.className.replace('js-enabled', '');</script>
-
-  </body>
-</html>

package/sandbox/apps/sandbox/translations/en/default.json

@@ -1,278 +0,0 @@
-{
-  "errors": {
-    "service-unavailable": {
-      "contact": "You can email for more information"
-    }
-  },
-  "exit": {
-    "header": "You have left this form",
-    "title": "You have left this form"
-  },
-  "fields": {
-    "landing-page-radio": {
-      "legend": "Which form would you like to explore?",
-      "hint": "Choose one of the options below and press continue.",
-      "options": {
-        "basic-form": {
-          "label": "Basic form"
-        },
-        "complex-form": {
-          "label": "Complex form"
-        },
-        "build-your-own-form": {
-          "label": "Build your own form"
-        }
-      }
-    },
-    "name": {
-      "label": "Full name"
-    },
-    "dateOfBirth": {
-      "legend": "What is your date of birth?",
-      "hint": "For example, 31 10 1990"
-    },
-    "building": {
-      "label": "Building and street"
-    },
-    "street": {
-      "label": "Address line 2"
-    },
-    "townOrCity": {
-      "label": "Town or city"
-    },
-    "postcode": {
-      "label": "Postcode"
-    },
-    "incomeTypes": {
-      "label": "Sources of income",
-      "legend": "Select the options where you receive income from",
-      "hint": "Select all options that apply to you.",
-      "options": {
-        "salary": {
-          "label": "Salary"
-        },
-        "universal_credit": {
-          "label": "Universal Credit"
-        },
-        "child_benefit": {
-          "label": "Child Benefit"
-        },
-        "housing_benefit": {
-          "label": "Housing Benefit"
-        },
-        "other": {
-          "label": "Other"
-        }
-      }
-    },
-    "countryOfHearing": {
-      "legend": "What country was the appeal lodged?",
-      "options": {
-        "englandAndWales": {
-          "label": "England and Wales"
-        },
-        "scotland": {
-          "label": "Scotland"
-        },
-        "northernIreland": {
-          "label": "Northern Ireland"
-        }
-      }
-    },
-    "email": {
-      "label": "Email address"
-    },
-    "phone": {
-      "label": "Phone number",
-      "hint": "International phone numbers require the international dialling code, for example +33235066182"
-    },
-    "int-phone-number": {
-      "legend": "International phone number"
-    },
-    "complaintDetails": {
-      "label": "Complaint details",
-      "hint": "Briefly summarise your complaint. Include anything that can help our investigation."
-    },
-    "whatHappened": {
-      "label": "What happened",
-      "hint": "Briefly summarise what happened."
-    },
-    "countrySelect": {
-      "label": "Which country are you based in?",
-      "hint": "Start to type the country name and options will appear"
-    },
-    "appealStages": {
-      "label": "Appeal stage",
-      "hint": "Choose an appeal stage from the drop down menu",
-      "options": {
-        "null": "Select..."
-      }
-    },
-    "amountWithUnitSelect": {
-      "label": "Amount",
-      "amountLabel": "Amount:",
-      "unitLabel": "Unit:",
-      "options": [
-        {
-          "null": "Select..."
-        },
-        {
-          "label": "Litres",
-          "value": "L"
-        },
-        {
-          "label": "Kilograms",
-          "value": "KG"
-        }
-      ]
-    }
-  },
-  "journey": {
-    "header": "HOF Bootstrap Sandbox Form",
-    "serviceName": "HOF Bootstrap Sandbox Form",
-    "confirmation": {
-      "details": "Your reference number <br><strong>HDJ2123F</strong>"
-    }
-  },
-  "pages": {
-    "landing-page": {
-      "header": "Landing page"
-    },
-    "build-your-own-form": {
-      "title": "Build your own form",
-      "subheader": "Access the build your own form guidance link"
-    },
-    "address": {
-      "header": "What is your address in the UK?",
-      "intro": "If you have no fixed address, enter an address where we can contact you."
-    },
-    "name": {
-      "header": "What is your full name?"
-    },
-    "email": {
-      "header": "Enter your email address"
-    },
-    "phone-number": {
-      "header": "Enter your phone number"
-    },
-    "confirm": {
-      "header": "Check your answers before submitting your application.",
-      "sections": {
-        "applicantsDetails": {
-          "header": "Applicant's details"
-        },
-        "address": {
-          "header": "Address"
-        },
-        "income": {
-          "header": "Income"
-        },
-        "appealDetails": {
-          "header": "Appeal details"
-        },
-        "countrySelect": {
-          "header": "Country of residence"
-        },
-        "contactDetails": {
-          "header": "Contact details"
-        },
-        "complaintDetails": {
-          "header": "Complaint details"
-        },
-        "whatHappened": {
-          "header": "What happened"
-        },
-        "amountWithUnitSelect": {
-          "header": "Entered amount"
-        }
-      }
-    },
-    "confirmation": {
-      "title": "Application sent",
-      "alert": "Application sent",
-      "subheader": "What happens next",
-      "content": "We’ll contact you with the decision of your application or if we need more information from you."
-    },
-    "exit": {
-      "message": "We have cleared your information to keep it secure. Your information has not been saved."
-    },
-    "session-timeout-warning": {
-      "dialog-title": "{{^showSaveAndExit}}Your application will close soon{{/showSaveAndExit}}{{#showSaveAndExit}}You will be signed out soon{{/showSaveAndExit}}",
-      "dialog-text": "{{^showSaveAndExit}}If that happens, your progress will not be saved.{{/showSaveAndExit}}{{#showSaveAndExit}}Any answers you have saved will not be affected, but your progress on this page will not be saved.{{/showSaveAndExit}}",
-      "timeout-continue-button": "{{^showSaveAndExit}}Stay on this page{{/showSaveAndExit}}{{#showSaveAndExit}}Stay signed in{{/showSaveAndExit}}",
-      "dialog-exit-link": "{{^showSaveAndExit}}Exit this form{{/showSaveAndExit}}{{#showSaveAndExit}}Sign out{{/showSaveAndExit}}"
-    },
-    "save-and-exit": {
-      "header": "You have been signed out",
-      "paragraph-1": "Your form doesn't appear to have been worked on for 30 minutes so we closed it for security.",
-      "paragraph-2": "Any answers you saved have not been affected.",
-      "paragraph-3": "You can sign back in to your application at any time by returning to the <a href='/' class='govuk-link'>start page</a>."
-    }
-  },
-  "validation": {
-    "landing-page-radio": {
-      "required": "Select an option below and press continue"
-    },
-    "name": {
-      "default": "Enter your full name"
-    },
-    "dateOfBirth": {
-      "default": "Enter your date of birth in the correct format; for example, 31 10 1990",
-      "after": "Enter a date after 1 1 1900",
-      "before": "Enter a date that is in the past"
-    },
-    "building": {
-      "default": "Enter details of your building and street"
-    },
-    "townOrCity": {
-      "default": "Enter a town or city",
-      "regex": "Enter a town or city without including digits"
-    },
-    "postcode": {
-      "default": "Enter your postcode"
-    },
-    "incomeTypes": {
-      "default": "Select all options that apply to you."
-    },
-    "countryOfHearing": {
-      "default": "Select where the appeal hearing is to be held"
-    },
-    "countrySelect": {
-      "default": "Enter a valid country of residence",
-      "required": "Enter your country of residence"
-    },
-    "email": {
-      "default": "Enter your email address in the correct format"
-    },
-    "phone": {
-      "default": "Enter your phone number"
-    },
-    "int-phone-number": {
-      "required": "Enter an international phone number",
-      "internationalPhoneNumber": "Enter a valid international phone number"
-    },
-    "complaintDetails": {
-      "default": "Enter details about why you are making a complaint",
-      "maxlength": "Keep to the {{maxlength}} character limit"
-    },
-    "whatHappened": {
-      "default": "Enter details about what happened",
-      "maxword": "Keep to the {{maxword}} word limit"
-    },
-    "appealStages": {
-      "required": "Select an appeal stage from the list"
-    },
-    "amountWithUnitSelect": {
-      "default": "Enter the amount in the correct format; for example, 10 Litres",
-      "alphanum": "The amount must not contain any special characters",
-      "required": "Enter an amount and a unit value"
-    },
-    "amountWithUnitSelect-unit": {
-      "default": "A valid value must be selected as the amount unit",
-      "required": "A unit must be selected for the amount"
-    },
-    "amountWithUnitSelect-amount": {
-      "required": "An amount must be selected with the unit"
-    }
-  }
-}