PLATUI-3378 add pega domains to back link (#417)

* PLATUI-3378 add pega domains to back link

* PLATUI-3378 wording

* PLATUI-3378 fixed potential null reference

* PLATUI-3378 reworked var names tweaked logic

* PLATUI-3378 null ref

* PLATUI-3378 Added test for valid domain

* PLATUI-3378 fixed logic flaw

* PLATUI-3378 more null

* PLATUI-3378 dont index false

* PLATUI-3378 typo

* PLATUI-3378 reworked structure

* PLATUI-3378 http

* PLATUI-3378 minor version and changelog

* PLATUI-3378 changelog

* PLATUI-3378 changelog 2

* Update src/components/back-link-helper/back-link-helper.js

Co-authored-by: Oscar Duignan <[email protected]>

* PLATUI-3378 tidy up

* add more context to changelog and tweak test names

---------

Co-authored-by: Oscar Duignan <[email protected]>

CHANGELOG.md

@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+## [6.42.0] - 2024-11-28
+
+### Changed
+
+- Added allowlist to backlink helper. When using the helper backlinks were hidden if the referrer was unavailable or on
+  a different domain, to enable handoff between pega services, other domains can now be allowlisted.
+
 ## [6.41.0] - 2024-11-18
 
 ### Changed

package.json

@@ -1,6 +1,6 @@
 {
   "name": "hmrc-frontend",
-  "version": "6.41.0",
+  "version": "6.42.0",
   "description": "Design patterns for HMRC frontends",
   "scripts": {
     "start": "gulp dev",

src/components/back-link-helper/back-link-helper.browser.test.js

@@ -17,6 +17,15 @@ describe('/components/back-link-helper', () => {
       expect(await linkDisplayStyle()).toBe('none');
     });
 
+    it('should be shown when referrer is on a different domain, but the domain has been allowlisted', async () => {
+      await render(page, withHmrcStylesAndScripts(`
+        <a href="#" class="govuk-back-link" data-module="hmrc-back-link">back</a>
+      `), {
+        referer: 'http://account.hmrc.gov.uk',
+      });
+      expect(await linkDisplayStyle()).not.toBe('none');
+    });
+
     it('should be hidden when referrer is empty', async () => {
       await render(page, withHmrcStylesAndScripts(`
         <a href="#" class="govuk-back-link" data-module="hmrc-back-link">back</a>

src/components/back-link-helper/back-link-helper.js

@@ -7,21 +7,25 @@ function BackLinkHelper($module, window, document) {
 BackLinkHelper.prototype.init = function init() {
   // do nothing if History API is absent
   if (this.window.history) {
-    // eslint-disable-next-line max-len
-    /* TODO: It remains unclear whether a check for the same domain is necessary for security reasons.
+    /* TODO: Remains unclear whether a check for the same domain is necessary for security reasons.
        There may be user research suggesting considerations regarding the visibility of the
        back link on refresh.
        Currently, a page refresh sets the referer to empty, leading to the back link being hidden
        under our existing logic.
-     */
-    // eslint-disable-next-line max-len
-    const referrerNotOnSameDomain = () => {
+    */
+    const referrerAllowList = ['account-np.hmrc.gov.uk', 'account.hmrc.gov.uk'];
+    const shouldHideBackLink = () => {
       const referer = this.document.referrer;
-      return !referer || referer.indexOf(this.window.location.host) === -1;
+      if (!referer) return true;
+      const referredFromDifferentDomain = () => referer.indexOf(this.window.location.host) === -1;
+      const referrerNotOnAllowList = () => !referrerAllowList.some(
+        (allowListedDomain) => referer.includes(allowListedDomain),
+      );
+      return referredFromDifferentDomain() && referrerNotOnAllowList();
     };
 
     // hide the backlink if the referrer is on a different domain or the referrer is not set
-    if (referrerNotOnSameDomain()) {
+    if (shouldHideBackLink()) {
       this.$module.classList.add('hmrc-hidden-backlink');
     } else {
       // prevent resubmit warning