govuk_app_config 4.11.0 → 4.12.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 9a99ab31af0eeb89e3d7b1fb7538ea6095d52d93e08dbccd8cf17a9431beaa1e
4
- data.tar.gz: f3664830daf4a0900bad8f5087daf791969a9310e6a8d39c1b71165519600d2c
3
+ metadata.gz: 7906015f743285fadae37a3b4c0754fcb3ef5d6c6d59ff5b8f67d0f0b43ce970
4
+ data.tar.gz: da302c7be0424e4b4b476669468e8cbb1b6a3f5b38a017ddac4999ec14e0b622
5
5
  SHA512:
6
- metadata.gz: 13ae8c4325ed10df67460a2eabce7fd6bd9da83b0d250ac7cbbefc78ab8d32fad2370f106cb323b38c14f379c27e881300ecc63adb4971caa3acd5aaa75df13d
7
- data.tar.gz: 6b439e2ea5f9970c9e9eb7ecd38e6389ab4f4a028b62b566c107fa6b79459f62a5ddb5eae016f16b8fbd74258dee339d93e802335270e6c321c39041e56bde88
6
+ metadata.gz: fac4b8128b250e74a9e71f165e6ca5eb431bd3f364a2efea18ceb696ce55d9e772fe73a04020811d6cbdd68341bd711fe07bc99e3f37d4ad371ea57b5446360d
7
+ data.tar.gz: adef9932375e8c63f002a99ef759e1a301fdfbd1f4ad21a7b089fcda8b33acf83dcb4b6c658e5ccf9872171fac6cf58c2e0a0bbfd2a31dd2fbf7323669ea746b
@@ -4,9 +4,7 @@ updates:
4
4
  directory: "/"
5
5
  schedule:
6
6
  interval: daily
7
- time: "03:00"
8
- open-pull-requests-limit: 10
9
- ignore:
10
- - dependency-name: aws-xray-sdk
11
- versions:
12
- - "> 0.10.0"
7
+ - package-ecosystem: "github-actions"
8
+ directory: "/"
9
+ schedule:
10
+ interval: daily
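Review bot: Removing the `ignore` block for `aws-xray-sdk` (the deleted `versions: "> 0.10.0"` entry) means Dependabot will now raise PRs for every newer aws-xray-sdk release, and neither this hunk nor the 4.12.0 changelog on this page records why that cap is no longer needed. If the cap was guarding a known incompatibility it should be restored; otherwise a one-line changelog entry such as `* Remove the Dependabot ignore rule for aws-xray-sdk` would make the intent explicit for the next person who sees an aws-xray-sdk bump PR. The enclosing `updates:` list and the first entry's `package-ecosystem` line start above this hunk, so I cannot see which ecosystem the removed settings belonged to.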
data/CHANGELOG.md CHANGED
@@ -1,3 +1,16 @@
1
+ # 4.12.0
2
+
3
+ * Allow `https://img.youtube.com` as a CSP image source
4
+ * CSP only allows scripts, styles and fonts from self which reflects GOV.UK production behaviour
5
+ * Set the default CSP behaviour to be allow communication only to self
6
+ * Remove webchat scripts from the CSP, these are now handled in [government-frontend](https://github.com/alphagov/government-frontend/pull/2643)
7
+ * Remove `www.signin.service.gov.uk` from the CSP as it is no-longer used in GOV.UK
8
+ * Disallow data fonts in the global Content Security policy
9
+
10
+ # 4.11.1
11
+
12
+ - Remove govuk_i18n plural rules file
13
+
1
14
  # 4.11.0
2
15
 
3
16
  - Update Plek support to allow version 5
File without changes
data/README.md CHANGED
@@ -178,4 +178,4 @@ GovukPrometheusExporter.configure
178
178
 
179
179
  ## License
180
180
 
181
- [MIT License](LICENSE.md)
181
+ [MIT License](LICENCE)
@@ -37,6 +37,6 @@ Gem::Specification.new do |spec|
37
37
  spec.add_development_dependency "rake", "~> 13.0"
38
38
  spec.add_development_dependency "rspec", "~> 3.10"
39
39
  spec.add_development_dependency "rspec-its", "~> 1.3"
40
- spec.add_development_dependency "rubocop-govuk", "4.8.0"
40
+ spec.add_development_dependency "rubocop-govuk", "4.9.0"
41
41
  spec.add_development_dependency "webmock"
42
42
  end
@@ -1,12 +1,12 @@
1
1
  module GovukContentSecurityPolicy
2
2
  # Generate a Content Security Policy (CSP) directive.
3
3
  #
4
- # See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for more CSP info.
4
+ # Before making any changes please read our documentation: https://docs.publishing.service.gov.uk/manual/content-security-policy.html
5
5
  #
6
- # The resulting policy should be checked with:
6
+ # If you are making a change here you should consider 2 basic rules of thumb:
7
7
  #
8
- # - https://csp-evaluator.withgoogle.com
9
- # - https://cspvalidator.org
8
+ # 1. Are you creating a XSS risk? Adding unsafe-* declarations, allowing data: URLs or being overly permissive (e.g. https) risks these
9
+ # 2. Is this change needed globally, if it's just one or two apps the change should be applied in them directly.
10
10
 
11
11
  GOVUK_DOMAINS = [
12
12
  "*.publishing.service.gov.uk",
@@ -26,64 +26,56 @@ module GovukContentSecurityPolicy
26
26
 
27
27
  def self.build_policy(policy)
28
28
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
29
- policy.default_src :https, :self, *GOVUK_DOMAINS
29
+ policy.default_src :self
30
30
 
31
31
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
32
32
  policy.img_src :self,
33
- :data, # Base64 encoded images
33
+ # This allows Base64 encoded images, but is a security
34
+ # risk as it can embed third party resources.
35
+ # As of December 2022, we intend to remove this prior
36
+ # to making the CSP live.
37
+ :data,
34
38
  *GOVUK_DOMAINS,
35
39
  *GOOGLE_ANALYTICS_DOMAINS, # Tracking pixels
36
40
  # Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
37
41
  "lux.speedcurve.com",
38
42
  # Some content still links to an old domain we used to use
39
- "assets.digital.cabinet-office.gov.uk"
43
+ "assets.digital.cabinet-office.gov.uk",
44
+ # Allow YouTube thumbnails
45
+ "https://img.youtube.com"
40
46
 
41
47
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
42
48
  policy.script_src :self,
43
- *GOVUK_DOMAINS,
44
49
  *GOOGLE_ANALYTICS_DOMAINS,
45
50
  *GOOGLE_STATIC_DOMAINS,
46
- # Allow JSONP call to Verify to check whether the user is logged in
47
- "www.signin.service.gov.uk",
48
51
  # Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
49
52
  "*.ytimg.com",
50
53
  "www.youtube.com",
51
54
  "www.youtube-nocookie.com",
52
- # Allow JSONP call to Nuance - HMRC web chat provider
53
- "hmrc-uk.digital.nuance.com",
54
- # Allow all inline scripts until we can conclusively
55
- # document all the inline scripts we use,
56
- # and there's a better way to filter out junk reports
55
+ # This allows inline scripts and thus is a XSS risk.
56
+ # As of December 2022, we intend to work towards removing
57
+ # this from apps that don't use jQuery 1.12 (which needs
58
+ # this) once we've set up nonces.
57
59
  :unsafe_inline
58
60
 
59
61
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
60
62
  policy.style_src :self,
61
- *GOVUK_DOMAINS,
62
63
  *GOOGLE_STATIC_DOMAINS,
63
- # We use the `style=""` attribute on some HTML elements
64
+ # This allows style="" attributes and style elements.
65
+ # As of December 2022, we intend to remove this prior
66
+ # to making the CSP live due to the security risks it has.
64
67
  :unsafe_inline
65
68
 
66
69
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
67
- policy.font_src :self,
68
- *GOVUK_DOMAINS,
69
- :data # Used by some legacy fonts
70
+ # Note: we purposely don't include data here because it produces a security risk.
71
+ policy.font_src :self
70
72
 
71
73
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
72
74
  policy.connect_src :self,
73
75
  *GOVUK_DOMAINS,
74
76
  *GOOGLE_ANALYTICS_DOMAINS,
75
77
  # Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
76
- "lux.speedcurve.com",
77
- # Allow connecting to web chat from HMRC contact pages
78
- "www.tax.service.gov.uk",
79
- # Allow JSON call to Nuance - HMRC web chat provider
80
- "hmrc-uk.digital.nuance.com",
81
- # Allow JSON call to klick2contact - HMPO web chat provider
82
- "hmpowebchat.klick2contact.com",
83
- # Allow JSON call to Eckoh - HMPO web chat provider
84
- "omni.eckoh.uk",
85
- # Allow connecting to Verify to check whether the user is logged in
86
- "www.signin.service.gov.uk"
78
+ "lux.speedcurve.com"
87
79
 
88
80
  # Disallow all <object>, <embed>, and <applet> elements
89
81
  #
@@ -99,6 +91,14 @@ module GovukContentSecurityPolicy
99
91
  def self.configure
100
92
  Rails.application.config.content_security_policy_report_only = ENV.include?("GOVUK_CSP_REPORT_ONLY")
101
93
 
102
- Rails.application.config.content_security_policy(&method(:build_policy))
94
+ policy = Rails.application.config.content_security_policy(&method(:build_policy))
95
+
96
+ # # allow apps to customise the CSP by passing a block e.g:
97
+ # GovukContentSecuirtyPolicy.configure do |policy|
98
+ # policy.image_src(*policy.image_src, "https://i.ytimg.com")
99
+ # end
100
+ yield(policy) if block_given?
101
+
102
+ policy
103
103
  end
104
104
  end
@@ -1,3 +1,3 @@
1
1
  module GovukAppConfig
2
- VERSION = "4.11.0".freeze
2
+ VERSION = "4.12.0".freeze
3
3
  end
@@ -3,7 +3,6 @@ require "govuk_app_config/govuk_statsd"
3
3
  require "govuk_app_config/govuk_error"
4
4
  require "govuk_app_config/govuk_proxy/static_proxy"
5
5
  require "govuk_app_config/govuk_healthcheck"
6
- require "govuk_app_config/govuk_i18n"
7
6
  # This require is deprecated and should be removed on next major version bump
8
7
  # and should be required by applications directly.
9
8
  require "govuk_app_config/govuk_unicorn"
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: govuk_app_config
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.11.0
4
+ version: 4.12.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - GOV.UK Dev
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2022-11-21 00:00:00.000000000 Z
11
+ date: 2023-01-03 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: logstasher
@@ -252,14 +252,14 @@ dependencies:
252
252
  requirements:
253
253
  - - '='
254
254
  - !ruby/object:Gem::Version
255
- version: 4.8.0
255
+ version: 4.9.0
256
256
  type: :development
257
257
  prerelease: false
258
258
  version_requirements: !ruby/object:Gem::Requirement
259
259
  requirements:
260
260
  - - '='
261
261
  - !ruby/object:Gem::Version
262
- version: 4.8.0
262
+ version: 4.9.0
263
263
  - !ruby/object:Gem::Dependency
264
264
  name: webmock
265
265
  requirement: !ruby/object:Gem::Requirement
@@ -289,7 +289,7 @@ files:
289
289
  - ".ruby-version"
290
290
  - CHANGELOG.md
291
291
  - Gemfile
292
- - LICENSE.md
292
+ - LICENCE
293
293
  - README.md
294
294
  - Rakefile
295
295
  - bin/console
@@ -308,7 +308,6 @@ files:
308
308
  - lib/govuk_app_config/govuk_healthcheck/rails_cache.rb
309
309
  - lib/govuk_app_config/govuk_healthcheck/redis.rb
310
310
  - lib/govuk_app_config/govuk_healthcheck/sidekiq_redis.rb
311
- - lib/govuk_app_config/govuk_i18n.rb
312
311
  - lib/govuk_app_config/govuk_logging.rb
313
312
  - lib/govuk_app_config/govuk_prometheus_exporter.rb
314
313
  - lib/govuk_app_config/govuk_proxy/static_proxy.rb
@@ -337,7 +336,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
337
336
  - !ruby/object:Gem::Version
338
337
  version: '0'
339
338
  requirements: []
340
- rubygems_version: 3.3.26
339
+ rubygems_version: 3.4.2
341
340
  signing_key:
342
341
  specification_version: 4
343
342
  summary: Base configuration for GOV.UK applications
@@ -1,78 +0,0 @@
1
- module GovukI18n
2
- def self.plurals
3
- {
4
- # Azerbaijani
5
- az: { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
6
- # Welsh
7
- cy: { i18n: { plural: { keys: %i[zero one two few many other],
8
- rule:
9
- lambda do |n|
10
- case n
11
- when 0 then :zero
12
- when 1 then :one
13
- when 2 then :two
14
- when 3 then :few
15
- when 6 then :many
16
- else :other
17
- end
18
- end } } },
19
- # Dari - this isn't an iso code. Probably should be 'prs' as per ISO 639-3.
20
- dr: { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
21
- # Latin America and Caribbean Spanish
22
- "es-419": { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
23
- # Persian
24
- fa: { i18n: { plural: { keys: %i[one other], rule: ->(n) { [0, 1].include?(n) ? :one : :other } } } },
25
- # Scottish Gaelic
26
- gd: { i18n: { plural: { keys: %i[one two few other],
27
- rule:
28
- lambda do |n|
29
- if [1, 11].include?(n)
30
- :one
31
- elsif [2, 12].include?(n)
32
- :two
33
- elsif [3, 4, 5, 6, 7, 8, 9, 10, 13, 14, 15, 16, 17, 18, 19].include?(n)
34
- :few
35
- else
36
- :other
37
- end
38
- end } } },
39
- # Armenian
40
- hy: { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
41
- # Georgian
42
- ka: { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
43
- # Kazakh
44
- kk: { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
45
- # Punjabi Shahmukhi
46
- "pa-pk": { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
47
- # Maltese
48
- mt: { i18n: { plural: { keys: %i[one few many other],
49
- rule:
50
- lambda do |n|
51
- n ||= 0
52
- mod100 = n % 100
53
-
54
- if n == 1
55
- :one
56
- elsif n.zero? || (2..10).to_a.include?(mod100)
57
- :few
58
- elsif (11..19).to_a.include?(mod100)
59
- :many
60
- else
61
- :other
62
- end
63
- end } } },
64
- # Sinhalese
65
- si: { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
66
- # Turkish
67
- tr: { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
68
- # Uzbek
69
- uz: { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
70
- # Chinese
71
- zh: { i18n: { plural: { keys: %i[other], rule: ->(_) { :other } } } },
72
- # Chinese Hong Kong
73
- "zh-hk" => { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
74
- # Chinese Taiwan
75
- "zh-tw" => { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
76
- }
77
- end
78
- end