govuk_app_config 4.11.0 → 4.12.0

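--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 9a99ab31af0eeb89e3d7b1fb7538ea6095d52d93e08dbccd8cf17a9431beaa1e
- data.tar.gz: f3664830daf4a0900bad8f5087daf791969a9310e6a8d39c1b71165519600d2c
+ metadata.gz: 7906015f743285fadae37a3b4c0754fcb3ef5d6c6d59ff5b8f67d0f0b43ce970
+ data.tar.gz: da302c7be0424e4b4b476669468e8cbb1b6a3f5b38a017ddac4999ec14e0b622
  SHA512:
- metadata.gz: 13ae8c4325ed10df67460a2eabce7fd6bd9da83b0d250ac7cbbefc78ab8d32fad2370f106cb323b38c14f379c27e881300ecc63adb4971caa3acd5aaa75df13d
- data.tar.gz: 6b439e2ea5f9970c9e9eb7ecd38e6389ab4f4a028b62b566c107fa6b79459f62a5ddb5eae016f16b8fbd74258dee339d93e802335270e6c321c39041e56bde88
+ metadata.gz: fac4b8128b250e74a9e71f165e6ca5eb431bd3f364a2efea18ceb696ce55d9e772fe73a04020811d6cbdd68341bd711fe07bc99e3f37d4ad371ea57b5446360d
+ data.tar.gz: adef9932375e8c63f002a99ef759e1a301fdfbd1f4ad21a7b089fcda8b33acf83dcb4b6c658e5ccf9872171fac6cf58c2e0a0bbfd2a31dd2fbf7323669ea746b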
@@ -4,9 +4,7 @@ updates:
4
4
  directory: "/"
5
5
  schedule:
6
6
  interval: daily
7
- time: "03:00"
8
- open-pull-requests-limit: 10
9
- ignore:
10
- - dependency-name: aws-xray-sdk
11
- versions:
12
- - "> 0.10.0"
7
+ - package-ecosystem: "github-actions"
8
+ directory: "/"
9
+ schedule:
10
+ interval: daily
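Review bot: Dropping the `ignore` entry for `aws-xray-sdk` (versions `> 0.10.0`) silently re-enables update PRs for that gem, and nothing in the hunk records why the cap is no longer needed; if it was a compatibility pin, a one-line comment in the updated block (or the commit message) should say so. Removing `open-pull-requests-limit: 10` also returns the first ecosystem to Dependabot's default limit of 5, so fewer update PRs will be open at once. The new `github-actions` entry is the usual supply-chain hygiene for CI and keeps workflow action versions patched; it is most effective when the workflows reference actions by full commit SHA so that Dependabot moves between immutable refs. The file's header and the `package-ecosystem` line of the first entry are outside this hunk.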
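--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,16 @@
+ # 4.12.0
+
+ * Allow `https://img.youtube.com` as a CSP image source
+ * CSP only allows scripts, styles and fonts from self which reflects GOV.UK production behaviour
+ * Set the default CSP behaviour to be allow communication only to self
+ * Remove webchat scripts from the CSP, these are now handled in [government-frontend](https://github.com/alphagov/government-frontend/pull/2643)
+ * Remove `www.signin.service.gov.uk` from the CSP as it is no-longer used in GOV.UK
+ * Disallow data fonts in the global Content Security policy
+
+ # 4.11.1
+
+ - Remove govuk_i18n plural rules file
+
  # 4.11.0
 
  - Update Plek support to allow version 5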
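--- a/data/README.md
+++ b/data/README.md
@@ -178,4 +178,4 @@ GovukPrometheusExporter.configure
 
  ## License
 
- [MIT License](LICENSE.md)
+ [MIT License](LICENCE)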
@@ -37,6 +37,6 @@ Gem::Specification.new do |spec|
37
37
  spec.add_development_dependency "rake", "~> 13.0"
38
38
  spec.add_development_dependency "rspec", "~> 3.10"
39
39
  spec.add_development_dependency "rspec-its", "~> 1.3"
40
- spec.add_development_dependency "rubocop-govuk", "4.8.0"
40
+ spec.add_development_dependency "rubocop-govuk", "4.9.0"
41
41
  spec.add_development_dependency "webmock"
42
42
  end
@@ -1,12 +1,12 @@
1
1
  module GovukContentSecurityPolicy
2
2
  # Generate a Content Security Policy (CSP) directive.
3
3
  #
4
- # See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for more CSP info.
4
+ # Before making any changes please read our documentation: https://docs.publishing.service.gov.uk/manual/content-security-policy.html
5
5
  #
6
- # The resulting policy should be checked with:
6
+ # If you are making a change here you should consider 2 basic rules of thumb:
7
7
  #
8
- # - https://csp-evaluator.withgoogle.com
9
- # - https://cspvalidator.org
8
+ # 1. Are you creating a XSS risk? Adding unsafe-* declarations, allowing data: URLs or being overly permissive (e.g. https) risks these
9
+ # 2. Is this change needed globally, if it's just one or two apps the change should be applied in them directly.
10
10
 
11
11
  GOVUK_DOMAINS = [
12
12
  "*.publishing.service.gov.uk",
@@ -26,64 +26,56 @@ module GovukContentSecurityPolicy
26
26
 
27
27
  def self.build_policy(policy)
28
28
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
29
- policy.default_src :https, :self, *GOVUK_DOMAINS
29
+ policy.default_src :self
30
30
 
31
31
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
32
32
  policy.img_src :self,
33
- :data, # Base64 encoded images
33
+ # This allows Base64 encoded images, but is a security
34
+ # risk as it can embed third party resources.
35
+ # As of December 2022, we intend to remove this prior
36
+ # to making the CSP live.
37
+ :data,
34
38
  *GOVUK_DOMAINS,
35
39
  *GOOGLE_ANALYTICS_DOMAINS, # Tracking pixels
36
40
  # Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
37
41
  "lux.speedcurve.com",
38
42
  # Some content still links to an old domain we used to use
39
- "assets.digital.cabinet-office.gov.uk"
43
+ "assets.digital.cabinet-office.gov.uk",
44
+ # Allow YouTube thumbnails
45
+ "https://img.youtube.com"
40
46
 
41
47
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
42
48
  policy.script_src :self,
43
- *GOVUK_DOMAINS,
44
49
  *GOOGLE_ANALYTICS_DOMAINS,
45
50
  *GOOGLE_STATIC_DOMAINS,
46
- # Allow JSONP call to Verify to check whether the user is logged in
47
- "www.signin.service.gov.uk",
48
51
  # Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
49
52
  "*.ytimg.com",
50
53
  "www.youtube.com",
51
54
  "www.youtube-nocookie.com",
52
- # Allow JSONP call to Nuance - HMRC web chat provider
53
- "hmrc-uk.digital.nuance.com",
54
- # Allow all inline scripts until we can conclusively
55
- # document all the inline scripts we use,
56
- # and there's a better way to filter out junk reports
55
+ # This allows inline scripts and thus is a XSS risk.
56
+ # As of December 2022, we intend to work towards removing
57
+ # this from apps that don't use jQuery 1.12 (which needs
58
+ # this) once we've set up nonces.
57
59
  :unsafe_inline
58
60
 
59
61
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
60
62
  policy.style_src :self,
61
- *GOVUK_DOMAINS,
62
63
  *GOOGLE_STATIC_DOMAINS,
63
- # We use the `style=""` attribute on some HTML elements
64
+ # This allows style="" attributes and style elements.
65
+ # As of December 2022, we intend to remove this prior
66
+ # to making the CSP live due to the security risks it has.
64
67
  :unsafe_inline
65
68
 
66
69
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
67
- policy.font_src :self,
68
- *GOVUK_DOMAINS,
69
- :data # Used by some legacy fonts
70
+ # Note: we purposely don't include data here because it produces a security risk.
71
+ policy.font_src :self
70
72
 
71
73
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
72
74
  policy.connect_src :self,
73
75
  *GOVUK_DOMAINS,
74
76
  *GOOGLE_ANALYTICS_DOMAINS,
75
77
  # Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
76
- "lux.speedcurve.com",
77
- # Allow connecting to web chat from HMRC contact pages
78
- "www.tax.service.gov.uk",
79
- # Allow JSON call to Nuance - HMRC web chat provider
80
- "hmrc-uk.digital.nuance.com",
81
- # Allow JSON call to klick2contact - HMPO web chat provider
82
- "hmpowebchat.klick2contact.com",
83
- # Allow JSON call to Eckoh - HMPO web chat provider
84
- "omni.eckoh.uk",
85
- # Allow connecting to Verify to check whether the user is logged in
86
- "www.signin.service.gov.uk"
78
+ "lux.speedcurve.com"
87
79
 
88
80
  # Disallow all <object>, <embed>, and <applet> elements
89
81
  #
@@ -99,6 +91,14 @@ module GovukContentSecurityPolicy
99
91
  def self.configure
100
92
  Rails.application.config.content_security_policy_report_only = ENV.include?("GOVUK_CSP_REPORT_ONLY")
101
93
 
102
- Rails.application.config.content_security_policy(&method(:build_policy))
94
+ policy = Rails.application.config.content_security_policy(&method(:build_policy))
95
+
96
+ # # allow apps to customise the CSP by passing a block e.g:
97
+ # GovukContentSecuirtyPolicy.configure do |policy|
98
+ # policy.image_src(*policy.image_src, "https://i.ytimg.com")
99
+ # end
100
+ yield(policy) if block_given?
101
+
102
+ policy
103
103
  end
104
104
  end
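Review bot: The usage example in the comment above `yield(policy) if block_given?` in `configure` will not work as written: the directive setter used in this file is `img_src` (see `policy.img_src :self,` in `build_policy`), not `image_src`, the module name is misspelled `GovukContentSecuirtyPolicy`, and the first line carries a doubled `# #`. The example should name the module as `GovukContentSecurityPolicy`, use a single `#` per line, and read `#   policy.img_src(*policy.img_src, "https://i.ytimg.com")` for the directive line. It is also worth one sentence stating that a directive setter called from the block replaces that directive's sources wholesale, which is why the example splats the existing `img_src` sources back in — presumably this is why the splat is there; worth confirming against ActionDispatch. Separately, with `policy.default_src :self` every directive that `build_policy` does not set explicitly (frame-src, media-src, worker-src and so on) now falls back to self, so whether the YouTube embeds allowed under script-src also need a frame-src entry depends on the rest of `build_policy`, which continues outside the hunk.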
@@ -1,3 +1,3 @@
1
1
  module GovukAppConfig
2
- VERSION = "4.11.0".freeze
2
+ VERSION = "4.12.0".freeze
3
3
  end
@@ -3,7 +3,6 @@ require "govuk_app_config/govuk_statsd"
3
3
  require "govuk_app_config/govuk_error"
4
4
  require "govuk_app_config/govuk_proxy/static_proxy"
5
5
  require "govuk_app_config/govuk_healthcheck"
6
- require "govuk_app_config/govuk_i18n"
7
6
  # This require is deprecated and should be removed on next major version bump
8
7
  # and should be required by applications directly.
9
8
  require "govuk_app_config/govuk_unicorn"
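--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: govuk_app_config
  version: !ruby/object:Gem::Version
- version: 4.11.0
+ version: 4.12.0
  platform: ruby
  authors:
  - GOV.UK Dev
  autorequire:
  bindir: exe
  cert_chain: []
- date: 2022-11-21 00:00:00.000000000 Z
+ date: 2023-01-03 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: logstasher
@@ -252,14 +252,14 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 4.8.0
+ version: 4.9.0
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 4.8.0
+ version: 4.9.0
  - !ruby/object:Gem::Dependency
  name: webmock
  requirement: !ruby/object:Gem::Requirement
@@ -289,7 +289,7 @@ files:
  - ".ruby-version"
  - CHANGELOG.md
  - Gemfile
- - LICENSE.md
+ - LICENCE
  - README.md
  - Rakefile
  - bin/console
@@ -308,7 +308,6 @@ files:
  - lib/govuk_app_config/govuk_healthcheck/rails_cache.rb
  - lib/govuk_app_config/govuk_healthcheck/redis.rb
  - lib/govuk_app_config/govuk_healthcheck/sidekiq_redis.rb
- - lib/govuk_app_config/govuk_i18n.rb
  - lib/govuk_app_config/govuk_logging.rb
  - lib/govuk_app_config/govuk_prometheus_exporter.rb
  - lib/govuk_app_config/govuk_proxy/static_proxy.rb
@@ -337,7 +336,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.3.26
+ rubygems_version: 3.4.2
  signing_key:
  specification_version: 4
  summary: Base configuration for GOV.UK applications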
@@ -1,78 +0,0 @@
1
- module GovukI18n
2
- def self.plurals
3
- {
4
- # Azerbaijani
5
- az: { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
6
- # Welsh
7
- cy: { i18n: { plural: { keys: %i[zero one two few many other],
8
- rule:
9
- lambda do |n|
10
- case n
11
- when 0 then :zero
12
- when 1 then :one
13
- when 2 then :two
14
- when 3 then :few
15
- when 6 then :many
16
- else :other
17
- end
18
- end } } },
19
- # Dari - this isn't an iso code. Probably should be 'prs' as per ISO 639-3.
20
- dr: { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
21
- # Latin America and Caribbean Spanish
22
- "es-419": { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
23
- # Persian
24
- fa: { i18n: { plural: { keys: %i[one other], rule: ->(n) { [0, 1].include?(n) ? :one : :other } } } },
25
- # Scottish Gaelic
26
- gd: { i18n: { plural: { keys: %i[one two few other],
27
- rule:
28
- lambda do |n|
29
- if [1, 11].include?(n)
30
- :one
31
- elsif [2, 12].include?(n)
32
- :two
33
- elsif [3, 4, 5, 6, 7, 8, 9, 10, 13, 14, 15, 16, 17, 18, 19].include?(n)
34
- :few
35
- else
36
- :other
37
- end
38
- end } } },
39
- # Armenian
40
- hy: { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
41
- # Georgian
42
- ka: { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
43
- # Kazakh
44
- kk: { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
45
- # Punjabi Shahmukhi
46
- "pa-pk": { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
47
- # Maltese
48
- mt: { i18n: { plural: { keys: %i[one few many other],
49
- rule:
50
- lambda do |n|
51
- n ||= 0
52
- mod100 = n % 100
53
-
54
- if n == 1
55
- :one
56
- elsif n.zero? || (2..10).to_a.include?(mod100)
57
- :few
58
- elsif (11..19).to_a.include?(mod100)
59
- :many
60
- else
61
- :other
62
- end
63
- end } } },
64
- # Sinhalese
65
- si: { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
66
- # Turkish
67
- tr: { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
68
- # Uzbek
69
- uz: { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
70
- # Chinese
71
- zh: { i18n: { plural: { keys: %i[other], rule: ->(_) { :other } } } },
72
- # Chinese Hong Kong
73
- "zh-hk" => { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
74
- # Chinese Taiwan
75
- "zh-tw" => { i18n: { plural: { keys: %i[one other], rule: ->(n) { n == 1 ? :one : :other } } } },
76
- }
77
- end
78
- end