govuk_app_config 4.11.1 → 4.13.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/ci.yml +1 -1
- data/CHANGELOG.md +13 -0
- data/{LICENSE.md → LICENCE} +0 -0
- data/README.md +1 -1
- data/lib/govuk_app_config/govuk_content_security_policy.rb +32 -32
- data/lib/govuk_app_config/govuk_logging.rb +12 -13
- data/lib/govuk_app_config/version.rb +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 19626391e07dadef9dce3abc326901bd86952b34532628b3ca0690d2cff2c314
|
|
4
|
+
data.tar.gz: 996320aff2dbeb2eae7d4fdd961461e33c39e2688ede77eaf7d5a92e5e6b9f84
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 880a5141ae35cbff8b463c49526fe9b41163fdf2c4a9fec6e1e6717a43f633f602e569449271be1609415b1d4f36b1c51782190ed40ced692ebd6daa722e7f73
|
|
7
|
+
data.tar.gz: 6b5e893f9abc787e20510f0e2a38565224df5902197f90a07cf861ca4fe7cc49ca306ea12e2440d858e888f1121d1c800767e2b774711749a8c7ea29a30955e4
|
data/.github/workflows/ci.yml
CHANGED
|
@@ -30,6 +30,6 @@ jobs:
|
|
|
30
30
|
if: ${{ github.ref == 'refs/heads/main' }}
|
|
31
31
|
permissions:
|
|
32
32
|
contents: write
|
|
33
|
-
uses: alphagov/govuk-infrastructure/.github/workflows/publish-rubygem.
|
|
33
|
+
uses: alphagov/govuk-infrastructure/.github/workflows/publish-rubygem.yml@main
|
|
34
34
|
secrets:
|
|
35
35
|
GEM_HOST_API_KEY: ${{ secrets.ALPHAGOV_RUBYGEMS_API_KEY }}
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,16 @@
|
|
|
1
|
+
# 4.13.0
|
|
2
|
+
|
|
3
|
+
- Flush log writes to stdout immediately so that structured (JSON) logs are not lost on crash or delayed indefinitely.
|
|
4
|
+
|
|
5
|
+
# 4.12.0
|
|
6
|
+
|
|
7
|
+
* Allow `https://img.youtube.com` as a CSP image source
|
|
8
|
+
* CSP only allows scripts, styles and fonts from self which reflects GOV.UK production behaviour
|
|
9
|
+
* Set the default CSP behaviour to be allow communication only to self
|
|
10
|
+
* Remove webchat scripts from the CSP, these are now handled in [government-frontend](https://github.com/alphagov/government-frontend/pull/2643)
|
|
11
|
+
* Remove `www.signin.service.gov.uk` from the CSP as it is no-longer used in GOV.UK
|
|
12
|
+
* Disallow data fonts in the global Content Security policy
|
|
13
|
+
|
|
1
14
|
# 4.11.1
|
|
2
15
|
|
|
3
16
|
- Remove govuk_i18n plural rules file
|
data/{LICENSE.md → LICENCE}
RENAMED
|
File without changes
|
data/README.md
CHANGED
|
@@ -1,12 +1,12 @@
|
|
|
1
1
|
module GovukContentSecurityPolicy
|
|
2
2
|
# Generate a Content Security Policy (CSP) directive.
|
|
3
3
|
#
|
|
4
|
-
#
|
|
4
|
+
# Before making any changes please read our documentation: https://docs.publishing.service.gov.uk/manual/content-security-policy.html
|
|
5
5
|
#
|
|
6
|
-
#
|
|
6
|
+
# If you are making a change here you should consider 2 basic rules of thumb:
|
|
7
7
|
#
|
|
8
|
-
#
|
|
9
|
-
#
|
|
8
|
+
# 1. Are you creating a XSS risk? Adding unsafe-* declarations, allowing data: URLs or being overly permissive (e.g. https) risks these
|
|
9
|
+
# 2. Is this change needed globally, if it's just one or two apps the change should be applied in them directly.
|
|
10
10
|
|
|
11
11
|
GOVUK_DOMAINS = [
|
|
12
12
|
"*.publishing.service.gov.uk",
|
|
@@ -26,64 +26,56 @@ module GovukContentSecurityPolicy
|
|
|
26
26
|
|
|
27
27
|
def self.build_policy(policy)
|
|
28
28
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
|
|
29
|
-
policy.default_src :
|
|
29
|
+
policy.default_src :self
|
|
30
30
|
|
|
31
31
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
|
|
32
32
|
policy.img_src :self,
|
|
33
|
-
|
|
33
|
+
# This allows Base64 encoded images, but is a security
|
|
34
|
+
# risk as it can embed third party resources.
|
|
35
|
+
# As of December 2022, we intend to remove this prior
|
|
36
|
+
# to making the CSP live.
|
|
37
|
+
:data,
|
|
34
38
|
*GOVUK_DOMAINS,
|
|
35
39
|
*GOOGLE_ANALYTICS_DOMAINS, # Tracking pixels
|
|
36
40
|
# Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
|
|
37
41
|
"lux.speedcurve.com",
|
|
38
42
|
# Some content still links to an old domain we used to use
|
|
39
|
-
"assets.digital.cabinet-office.gov.uk"
|
|
43
|
+
"assets.digital.cabinet-office.gov.uk",
|
|
44
|
+
# Allow YouTube thumbnails
|
|
45
|
+
"https://img.youtube.com"
|
|
40
46
|
|
|
41
47
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
|
|
42
48
|
policy.script_src :self,
|
|
43
|
-
*GOVUK_DOMAINS,
|
|
44
49
|
*GOOGLE_ANALYTICS_DOMAINS,
|
|
45
50
|
*GOOGLE_STATIC_DOMAINS,
|
|
46
|
-
# Allow JSONP call to Verify to check whether the user is logged in
|
|
47
|
-
"www.signin.service.gov.uk",
|
|
48
51
|
# Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
|
|
49
52
|
"*.ytimg.com",
|
|
50
53
|
"www.youtube.com",
|
|
51
54
|
"www.youtube-nocookie.com",
|
|
52
|
-
#
|
|
53
|
-
|
|
54
|
-
#
|
|
55
|
-
#
|
|
56
|
-
# and there's a better way to filter out junk reports
|
|
55
|
+
# This allows inline scripts and thus is a XSS risk.
|
|
56
|
+
# As of December 2022, we intend to work towards removing
|
|
57
|
+
# this from apps that don't use jQuery 1.12 (which needs
|
|
58
|
+
# this) once we've set up nonces.
|
|
57
59
|
:unsafe_inline
|
|
58
60
|
|
|
59
61
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
|
|
60
62
|
policy.style_src :self,
|
|
61
|
-
*GOVUK_DOMAINS,
|
|
62
63
|
*GOOGLE_STATIC_DOMAINS,
|
|
63
|
-
#
|
|
64
|
+
# This allows style="" attributes and style elements.
|
|
65
|
+
# As of December 2022, we intend to remove this prior
|
|
66
|
+
# to making the CSP live due to the security risks it has.
|
|
64
67
|
:unsafe_inline
|
|
65
68
|
|
|
66
69
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
:data # Used by some legacy fonts
|
|
70
|
+
# Note: we purposely don't include data here because it produces a security risk.
|
|
71
|
+
policy.font_src :self
|
|
70
72
|
|
|
71
73
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
|
|
72
74
|
policy.connect_src :self,
|
|
73
75
|
*GOVUK_DOMAINS,
|
|
74
76
|
*GOOGLE_ANALYTICS_DOMAINS,
|
|
75
77
|
# Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
|
|
76
|
-
"lux.speedcurve.com"
|
|
77
|
-
# Allow connecting to web chat from HMRC contact pages
|
|
78
|
-
"www.tax.service.gov.uk",
|
|
79
|
-
# Allow JSON call to Nuance - HMRC web chat provider
|
|
80
|
-
"hmrc-uk.digital.nuance.com",
|
|
81
|
-
# Allow JSON call to klick2contact - HMPO web chat provider
|
|
82
|
-
"hmpowebchat.klick2contact.com",
|
|
83
|
-
# Allow JSON call to Eckoh - HMPO web chat provider
|
|
84
|
-
"omni.eckoh.uk",
|
|
85
|
-
# Allow connecting to Verify to check whether the user is logged in
|
|
86
|
-
"www.signin.service.gov.uk"
|
|
78
|
+
"lux.speedcurve.com"
|
|
87
79
|
|
|
88
80
|
# Disallow all <object>, <embed>, and <applet> elements
|
|
89
81
|
#
|
|
@@ -99,6 +91,14 @@ module GovukContentSecurityPolicy
|
|
|
99
91
|
def self.configure
|
|
100
92
|
Rails.application.config.content_security_policy_report_only = ENV.include?("GOVUK_CSP_REPORT_ONLY")
|
|
101
93
|
|
|
102
|
-
Rails.application.config.content_security_policy(&method(:build_policy))
|
|
94
|
+
policy = Rails.application.config.content_security_policy(&method(:build_policy))
|
|
95
|
+
|
|
96
|
+
# # allow apps to customise the CSP by passing a block e.g:
|
|
97
|
+
# GovukContentSecuirtyPolicy.configure do |policy|
|
|
98
|
+
# policy.image_src(*policy.image_src, "https://i.ytimg.com")
|
|
99
|
+
# end
|
|
100
|
+
yield(policy) if block_given?
|
|
101
|
+
|
|
102
|
+
policy
|
|
103
103
|
end
|
|
104
104
|
end
|
|
@@ -12,36 +12,37 @@ module GovukLogging
|
|
|
12
12
|
# `Rails.logger` calls or 'puts' statements. However these are not in a
|
|
13
13
|
# JSON format which causes problems for the log file parsers.
|
|
14
14
|
#
|
|
15
|
-
# To resolve this we
|
|
15
|
+
# To resolve this we redirect stdout to stderr, to cover any Rails
|
|
16
16
|
# writing. This frees up the normal stdout for the logstasher logs.
|
|
17
|
+
#
|
|
18
|
+
# We also disable buffering, so that logs aren't lost on crash or delayed
|
|
19
|
+
# indefinitely while troubleshooting.
|
|
17
20
|
|
|
18
21
|
# rubocop:disable Style/GlobalVars
|
|
19
22
|
$real_stdout = $stdout.clone
|
|
23
|
+
$real_stdout.sync = true
|
|
20
24
|
$stdout.reopen($stderr)
|
|
25
|
+
$stdout.sync = true
|
|
21
26
|
# rubocop:enable Style/GlobalVars
|
|
22
27
|
|
|
23
28
|
# Send Rails' logs to STDERR because they're not JSON formatted.
|
|
24
29
|
Rails.logger = ActiveSupport::TaggedLogging.new(Logger.new($stderr, level: Rails.logger.level))
|
|
25
30
|
|
|
26
|
-
# Custom that will be added to the Rails request logs
|
|
27
31
|
LogStasher.add_custom_fields do |fields|
|
|
28
|
-
# Mirrors Nginx request logging, e.g GET /path/here HTTP/1.1
|
|
32
|
+
# Mirrors Nginx request logging, e.g. GET /path/here HTTP/1.1
|
|
29
33
|
fields[:request] = "#{request.request_method} #{request.fullpath} #{request.headers['SERVER_PROTOCOL']}"
|
|
30
34
|
|
|
31
|
-
# Pass request Id to logging
|
|
32
35
|
fields[:govuk_request_id] = request.headers["GOVUK-Request-Id"]
|
|
33
|
-
|
|
34
36
|
fields[:varnish_id] = request.headers["X-Varnish"]
|
|
35
|
-
|
|
36
37
|
fields[:govuk_app_config] = GovukAppConfig::VERSION
|
|
37
38
|
end
|
|
38
39
|
|
|
39
40
|
Rails.application.config.logstasher.enabled = true
|
|
40
41
|
|
|
41
|
-
# Log controller actions so that we can graph response times
|
|
42
|
+
# Log controller actions so that we can graph response times.
|
|
42
43
|
Rails.application.config.logstasher.controller_enabled = true
|
|
43
44
|
|
|
44
|
-
# The other loggers are not that interesting in production
|
|
45
|
+
# The other loggers are not that interesting in production.
|
|
45
46
|
Rails.application.config.logstasher.mailer_enabled = false
|
|
46
47
|
Rails.application.config.logstasher.record_enabled = false
|
|
47
48
|
Rails.application.config.logstasher.view_enabled = false
|
|
@@ -59,11 +60,9 @@ module GovukLogging
|
|
|
59
60
|
if defined?(GdsApi::Base)
|
|
60
61
|
GdsApi::Base.default_options ||= {}
|
|
61
62
|
|
|
62
|
-
# The
|
|
63
|
-
#
|
|
64
|
-
|
|
65
|
-
GdsApi::Base.default_options[:logger] =
|
|
66
|
-
Rails.application.config.logstasher.logger
|
|
63
|
+
# The gds-api-adapters gem logs JSON to describe the requests it makes and
|
|
64
|
+
# the responses it gets, so direct this to the logstasher logger.
|
|
65
|
+
GdsApi::Base.default_options[:logger] = Rails.application.config.logstasher.logger
|
|
67
66
|
end
|
|
68
67
|
|
|
69
68
|
RailsExt::ActionDispatch.monkey_patch_log_error if RailsExt::ActionDispatch.should_monkey_patch_log_error?
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: govuk_app_config
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.
|
|
4
|
+
version: 4.13.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- GOV.UK Dev
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-01-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: logstasher
|
|
@@ -289,7 +289,7 @@ files:
|
|
|
289
289
|
- ".ruby-version"
|
|
290
290
|
- CHANGELOG.md
|
|
291
291
|
- Gemfile
|
|
292
|
-
-
|
|
292
|
+
- LICENCE
|
|
293
293
|
- README.md
|
|
294
294
|
- Rakefile
|
|
295
295
|
- bin/console
|
|
@@ -336,7 +336,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
336
336
|
- !ruby/object:Gem::Version
|
|
337
337
|
version: '0'
|
|
338
338
|
requirements: []
|
|
339
|
-
rubygems_version: 3.3
|
|
339
|
+
rubygems_version: 3.4.3
|
|
340
340
|
signing_key:
|
|
341
341
|
specification_version: 4
|
|
342
342
|
summary: Base configuration for GOV.UK applications
|