Merge pull request #2600 from cisagov/rh/2341-andi

ISSUE #2341: Enable ANDI on browser

src/registrar/config/settings.py

@@ -356,9 +356,18 @@
 # strict CSP by allowing scripts to run from their domain
 # and inline with a nonce, as well as allowing connections back to their domain.
 # Note: If needed, we can embed chart.js instead of using the CDN
-CSP_SCRIPT_SRC_ELEM = ["'self'", "https://www.googletagmanager.com/", "https://cdn.jsdelivr.net/npm/chart.js"]
-CSP_CONNECT_SRC = ["'self'", "https://www.google-analytics.com/"]
-CSP_INCLUDE_NONCE_IN = ["script-src-elem"]
+CSP_DEFAULT_SRC = ("'self'",)
+CSP_STYLE_SRC = ["'self'", "https://www.ssa.gov/accessibility/andi/andi.css"]
+CSP_SCRIPT_SRC_ELEM = [
+    "'self'",
+    "https://www.googletagmanager.com/",
+    "https://cdn.jsdelivr.net/npm/chart.js",
+    "https://www.ssa.gov",
+    "https://ajax.googleapis.com",
+]
+CSP_CONNECT_SRC = ["'self'", "https://www.google-analytics.com/", "https://www.ssa.gov/accessibility/andi/andi.js"]
+CSP_INCLUDE_NONCE_IN = ["script-src-elem", "style-src"]
+CSP_IMG_SRC = ["'self'", "https://www.ssa.gov/accessibility/andi/icons/"]
 
 # Cross-Origin Resource Sharing (CORS) configuration
 # Sets clients that allow access control to manage.get.gov