govuk_app_config 4.13.0 → 5.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/ci.yml +1 -1
- data/CHANGELOG.md +56 -50
- data/lib/govuk_app_config/govuk_content_security_policy.rb +30 -14
- data/lib/govuk_app_config/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0bc71cc5bd08fd8564de90311775a22d6c9b6a11bfbda2924c8782be3c265ff9
|
4
|
+
data.tar.gz: 6d28205894b18a2b5ceaaed55967d8a55aaf7ab4e375979b1366cf42fbcd98c7
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 87122fbe05b408cb3578e3b983e99451f5fe0898316f31f8e87107d4a09b50f0205ea803620af3a40dc2a0459015fcb67a898359a66aa998b092a9c2d143b2cd
|
7
|
+
data.tar.gz: b4fe9f24dfe1f98efd3d5988f46f147b48bf869eb3e3901634efc4ceb6089d9735588d92a4574d822c68bfe9e8c219a572d69cab971c688a864b2f4e640d2052
|
data/.github/workflows/ci.yml
CHANGED
data/CHANGELOG.md
CHANGED
@@ -1,6 +1,11 @@
|
|
1
|
+
# 5.0.0
|
2
|
+
|
3
|
+
* Forbid base elements in the Content Security Policy
|
4
|
+
* BREAKING: Content Security Policy forbids unsafe-inline script-src and data: image-src. It provides a nonce generator. Apps that can't support this will need to amend their CSP configuration in an initializer, see [example](https://github.com/alphagov/signon/commit/ddcf31f5c30b8fd334e4aea74986b24bf2b0e9be) in signon. Any apps that still use jQuery 1.x will need unsafe-inline for Firefox compatibility.
|
5
|
+
|
1
6
|
# 4.13.0
|
2
7
|
|
3
|
-
|
8
|
+
* Flush log writes to stdout immediately so that structured (JSON) logs are not lost on crash or delayed indefinitely.
|
4
9
|
|
5
10
|
# 4.12.0
|
6
11
|
|
@@ -13,148 +18,149 @@
|
|
13
18
|
|
14
19
|
# 4.11.1
|
15
20
|
|
16
|
-
|
21
|
+
* Remove govuk_i18n plural rules file
|
17
22
|
|
18
23
|
# 4.11.0
|
19
24
|
|
20
|
-
|
21
|
-
|
25
|
+
* Update Plek support to allow version 5
|
26
|
+
* Add I18n plural rules for Welsh (cy), Maltese (mt) and Chinese (zh) since Rails-I18n has [dropped support](https://github.com/svenfuchs/rails-i18n/pull/1017) for them in 7.0.6 ([#266](https://github.com/alphagov/govuk_app_config/pull/266))
|
22
27
|
|
23
28
|
# 4.10.1
|
24
29
|
|
25
|
-
|
30
|
+
* Fix an object ownership/sharing bug where the Rails log level was erroneously being set to `WARN` when initialising Sentry.
|
26
31
|
|
27
32
|
# 4.10.0
|
28
33
|
|
29
|
-
|
34
|
+
* Reduce log level for the Sentry gem from `INFO` to `WARN` to avoid polluting logs with uninformative messages. This only affects log messages from the Sentry gem itself, which go to `stdout`.
|
30
35
|
|
31
36
|
# 4.9.0
|
32
37
|
|
33
|
-
|
38
|
+
* Add GovukProxy::StaticProxy to forward Static asset requests by setting `GOVUK_PROXY_STATIC_ENABLED=true`.([#261](https://github.com/alphagov/govuk_app_config/pull/261))
|
34
39
|
|
35
40
|
# 4.8.0
|
36
41
|
|
37
|
-
|
42
|
+
* Enables Sentry environment names for EKS versions of integration, staging and production.([#260](https://github.com/alphagov/govuk_app_config/pull/260))
|
38
43
|
|
39
44
|
# 4.7.1
|
40
45
|
|
41
|
-
|
46
|
+
* Fix the ability to open the Rails console (`bundle exec rails c`) when running inside a container ([#257](https://github.com/alphagov/govuk_app_config/pull/257)).
|
42
47
|
|
43
48
|
# 4.7.0
|
44
49
|
|
45
|
-
|
50
|
+
* Adds Prometheus Sidekiq monitoring ([#255](https://github.com/alphagov/govuk_app_config/pull/255))
|
46
51
|
|
47
52
|
# 4.6.3
|
48
53
|
|
49
|
-
|
54
|
+
* Adds `region1.google-analytics.com` to the security policy for GA ([#250](https://github.com/alphagov/govuk_app_config/pull/250))
|
50
55
|
|
51
56
|
# 4.6.2
|
52
57
|
|
53
|
-
|
58
|
+
* Adds a new domain to the security policy for GA ([#248](https://https://github.com/alphagov/govuk_app_config/pull/248))
|
54
59
|
|
55
60
|
# 4.6.1
|
56
61
|
|
57
|
-
|
62
|
+
* Fixes warning message to refer to correct Sidekiq gem dependency name ([#243](https://github.com/alphagov/govuk_app_config/pull/243)).
|
58
63
|
|
59
64
|
# 4.6.0
|
60
65
|
|
61
|
-
|
62
|
-
|
66
|
+
* Add a warning for apps using GovukError with Sidekiq that don't have sentry-sidekiq installed ([#241](https://github.com/alphagov/govuk_app_config/pull/241)).
|
67
|
+
* Add internal Sidekiq exception "Sidekiq::JobRetry::Skip" to excluded exceptions ([#241](https://github.com/alphagov/govuk_app_config/pull/241)).
|
63
68
|
|
64
69
|
# 4.5.0
|
65
70
|
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
71
|
+
* Add lux.speedcurve.com to connect_src for GOV.UK Content Security Policy ([#232](https://github.com/alphagov/govuk_app_config/pull/232))
|
72
|
+
* Fix prometheus_exporter to only be enabled when the GOVUK_PROMETHEUS_EXPORTER env var is set to "true" ([#231](https://github.com/alphagov/govuk_app_config/pull/231)).
|
73
|
+
* Add Prometheus monitoring for EKS section to README.md ([#231](https://github.com/alphagov/govuk_app_config/pull/231)).
|
74
|
+
* Fix govuk_error being incompatible with Ruby >= 3 ([#233](https://github.com/alphagov/govuk_app_config/pull/233))
|
75
|
+
* Require Ruby 2.7 as the minimum supported Ruby version ([#233](https://github.com/alphagov/govuk_app_config/pull/233))
|
76
|
+
* Require Sentry 5 and Unicorn 6 major versions ([#237](https://github.com/alphagov/govuk_app_config/pull/237))
|
77
|
+
* Prevent sentry-rails logger warnings when govuk_error is used with non-Rails apps ([#234](https://github.com/alphagov/govuk_app_config/pull/234))
|
73
78
|
|
74
79
|
# 4.4.3
|
75
80
|
|
76
|
-
|
81
|
+
* Update prometheus exporter server to 0.0.0.0 from localhost ([#227](https://github.com/alphagov/govuk_app_config/pull/227)).
|
77
82
|
|
78
83
|
# 4.4.2
|
79
84
|
|
80
|
-
|
85
|
+
* Update HMPO webchat address in security policy ([#225](https://github.com/alphagov/govuk_app_config/pull/225)).
|
81
86
|
|
82
87
|
# 4.4.1
|
83
88
|
|
84
|
-
|
85
|
-
|
89
|
+
* Fix issue where GovukPrometheusExporter module prevented the gem to load due to missing constant "PrometheusExporter" ([#224](https://github.com/alphagov/govuk_app_config/pull/224)).
|
90
|
+
* Lazy load the prometheus_exporter dependency for only apps that use GovukPrometheusExporter ([#224](https://github.com/alphagov/govuk_app_config/pull/224)).
|
86
91
|
|
87
92
|
# 4.4.0
|
88
93
|
|
89
|
-
|
94
|
+
* Add GovukPrometheusModule, to allow for export of prometheus metrics ([#223](https://github.com/alphagov/govuk_app_config/pull/223)).
|
90
95
|
|
91
96
|
# 4.3.0
|
92
97
|
|
93
|
-
|
98
|
+
* Remove Speedcurve's LUX from the connect-src policy ([#216](https://github.com/alphagov/govuk_app_config/pull/216)).
|
94
99
|
|
95
100
|
# 4.2.0
|
96
101
|
|
97
|
-
|
102
|
+
* Add pluralisation rules for Azerbaijani, Persian, Georgian, and Turkish. ([#219](https://github.com/alphagov/govuk_app_config/pull/219))
|
98
103
|
|
99
104
|
# 4.1.0
|
100
105
|
|
101
|
-
|
106
|
+
* Add Puma to dependencies ([#214](https://github.com/alphagov/govuk_app_config/pull/214)).
|
102
107
|
|
103
108
|
# 4.0.1
|
104
109
|
|
105
|
-
|
110
|
+
* Update Content Security Policy with new klick2contact.com subdomain ([#213](https://github.com/alphagov/govuk_app_config/pull/213)).
|
106
111
|
|
107
112
|
# 4.0.0
|
108
113
|
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
|
114
|
+
* BREAKING: replaces deprecated `sentry-raven` with `sentry-ruby` and `sentry-rails`. Follow the **[migration guide](https://docs.sentry.io/platforms/ruby/migration/)** before upgrading to this version of govuk_app_config to ensure full compatibility with the new gems.
|
115
|
+
* BREAKING: `GovukError.configure` can only be called once, and non-Rails apps will have to manually call `GovukError.configure` in order to initialise Sentry.
|
116
|
+
* BREAKING: apps will no longer increment the `error_reports_failed` statsd if events fail to get sent to Sentry.
|
117
|
+
* BREAKING: the behaviour of `before_send` has changed, and the `should_capture` method is deprecated.
|
118
|
+
* See pre-release notes below for details.
|
119
|
+
* PR: [#212](https://github.com/alphagov/govuk_app_config/pull/212)
|
115
120
|
|
116
121
|
# 4.0.0.pre.4
|
117
122
|
|
118
|
-
|
119
|
-
|
120
|
-
|
123
|
+
* Fix Sentry client initialisation ([#205](https://github.com/alphagov/govuk_app_config/pull/205)).
|
124
|
+
* BREAKING: non-Rails apps will need to manually call `GovukError.configure` in order to initialise Sentry.
|
125
|
+
* BREAKING: `GovukError.configure` can only be called once by the downstream application.
|
121
126
|
|
122
127
|
# 4.0.0.pre.3
|
123
128
|
|
124
|
-
|
129
|
+
* Include [sentry-rails](https://github.com/getsentry/sentry-ruby/tree/master/sentry-rails) by default ([#203](https://github.com/alphagov/govuk_app_config/pull/203)).
|
125
130
|
|
126
131
|
# 4.0.0.pre.2
|
127
132
|
|
128
|
-
|
129
|
-
|
133
|
+
* Fix default Sentry configuration ([#202](https://github.com/alphagov/govuk_app_config/pull/202)).
|
134
|
+
* BREAKING: this means no more `silence_ready` or `transport_failure_callback` options.
|
130
135
|
|
131
136
|
# 4.0.0.pre.1
|
132
137
|
|
133
|
-
|
134
|
-
|
135
|
-
|
138
|
+
* BREAKING: upgrades Sentry gem from `sentry-raven` to `sentry-ruby` ([#199](https://github.com/alphagov/govuk_app_config/pull/199)). There is a **[migration guide](https://docs.sentry.io/platforms/ruby/migration/)** you should follow before upgrading to this version of govuk_app_config.
|
139
|
+
* This release also fixes the `data_sync_excluded_exceptions` behaviour that was broken in v3.1.0 (later fixed in v3.3.0, which was released after 4.0.0.pre.1).
|
140
|
+
* Released as a pre-release to identify and fix any problems before a wider rollout.
|
136
141
|
|
137
142
|
# 3.3.0
|
138
143
|
|
139
|
-
|
144
|
+
* Revert the `should_capture`/`before_send` consolidation introduced in 3.1.0. This fixes the `data_sync_excluded_exceptions` behaviour that has been broken since v3.1.0. ([#211](https://github.com/alphagov/govuk_app_config/pull/211))
|
140
145
|
|
141
146
|
# 3.2.0
|
142
147
|
|
143
|
-
|
148
|
+
* Add Speedcurve's LUX to connect-src policy ([#206](https://github.com/alphagov/govuk_app_config/pull/206))
|
144
149
|
|
145
150
|
# 3.1.1
|
146
151
|
|
147
|
-
|
152
|
+
* Fix the new before_send behaviour & tests, and add documentation ([#197](https://github.com/alphagov/govuk_app_config/pull/197))
|
148
153
|
|
149
154
|
# 3.1.0
|
150
155
|
|
151
|
-
|
156
|
+
* Remove support for `should_capture` callbacks in favour of `before_send` ([#196](https://github.com/alphagov/govuk_app_config/pull/196))
|
152
157
|
|
153
158
|
# 3.0.0
|
154
159
|
|
155
160
|
* BREAKING: Implement RFC 141 - remove unsuitable healthchecks and return a 500 on healthcheck failure ([#193](https://github.com/alphagov/govuk_app_config/pull/193))
|
156
161
|
|
157
162
|
# 2.10.0
|
163
|
+
|
158
164
|
* Allow LUX domain on img-src policy ([#191](https://github.com/alphagov/govuk_app_config/pull/191))
|
159
165
|
|
160
166
|
# 2.9.1
|
@@ -28,13 +28,12 @@ module GovukContentSecurityPolicy
|
|
28
28
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
|
29
29
|
policy.default_src :self
|
30
30
|
|
31
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri
|
32
|
+
policy.base_uri :none
|
33
|
+
|
31
34
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
|
35
|
+
# Note: we purposely don't include `data:` here because it produces a security risk.
|
32
36
|
policy.img_src :self,
|
33
|
-
# This allows Base64 encoded images, but is a security
|
34
|
-
# risk as it can embed third party resources.
|
35
|
-
# As of December 2022, we intend to remove this prior
|
36
|
-
# to making the CSP live.
|
37
|
-
:data,
|
38
37
|
*GOVUK_DOMAINS,
|
39
38
|
*GOOGLE_ANALYTICS_DOMAINS, # Tracking pixels
|
40
39
|
# Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
|
@@ -45,25 +44,28 @@ module GovukContentSecurityPolicy
|
|
45
44
|
"https://img.youtube.com"
|
46
45
|
|
47
46
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
|
47
|
+
# Note: we purposely don't include `data:`, `unsafe-inline` or `unsafe-eval` because
|
48
|
+
# they are security risks, if you need them for a legacy app please only apply them at
|
49
|
+
# an app level.
|
48
50
|
policy.script_src :self,
|
49
51
|
*GOOGLE_ANALYTICS_DOMAINS,
|
50
52
|
*GOOGLE_STATIC_DOMAINS,
|
51
53
|
# Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
|
52
54
|
"*.ytimg.com",
|
53
55
|
"www.youtube.com",
|
54
|
-
"www.youtube-nocookie.com"
|
55
|
-
# This allows inline scripts and thus is a XSS risk.
|
56
|
-
# As of December 2022, we intend to work towards removing
|
57
|
-
# this from apps that don't use jQuery 1.12 (which needs
|
58
|
-
# this) once we've set up nonces.
|
59
|
-
:unsafe_inline
|
56
|
+
"www.youtube-nocookie.com"
|
60
57
|
|
61
58
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
|
59
|
+
# Note: we purposely don't include `data:` or `unsafe-eval` because
|
60
|
+
# they are security risks, if you need them for a legacy app please only apply them at
|
61
|
+
# an app level.
|
62
62
|
policy.style_src :self,
|
63
63
|
*GOOGLE_STATIC_DOMAINS,
|
64
|
-
# This allows style="" attributes and style elements.
|
65
|
-
# As of
|
66
|
-
#
|
64
|
+
# This allows `style=""` attributes and `<style>` elements.
|
65
|
+
# As of January 2023 our intentions to remove this were scuppered
|
66
|
+
# by Govspeak [1] using inline styles on tables. Until that
|
67
|
+
# is resolved we'll keep unsafe_inline
|
68
|
+
# [1]: https://github.com/alphagov/govspeak/blob/5642fcc4231f215d1c58ad7feb30ca42fb8cfb91/lib/govspeak/html_sanitizer.rb#L72-L73
|
67
69
|
:unsafe_inline
|
68
70
|
|
69
71
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
|
@@ -91,6 +93,20 @@ module GovukContentSecurityPolicy
|
|
91
93
|
def self.configure
|
92
94
|
Rails.application.config.content_security_policy_report_only = ENV.include?("GOVUK_CSP_REPORT_ONLY")
|
93
95
|
|
96
|
+
# Sets a nonce per request that can be set on script-src and style-src
|
97
|
+
# directives depending on the value of Rails.application.config.content_security_policy_nonce_directives
|
98
|
+
#
|
99
|
+
# Note: if an application needs to set unsafe-inline they will need to
|
100
|
+
# unset this generator (by setting this config option to nil in their application)
|
101
|
+
Rails.application.config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }
|
102
|
+
|
103
|
+
# This only applies the nonce generator to the script-src directive. We need this to
|
104
|
+
# use unsafe-inline for style-src as a nonce will override it.
|
105
|
+
#
|
106
|
+
# When we want to apply it to style-src we can remove this line as the Rails default
|
107
|
+
# is for both script-src and style-src
|
108
|
+
Rails.application.config.content_security_policy_nonce_directives = %w[script-src]
|
109
|
+
|
94
110
|
policy = Rails.application.config.content_security_policy(&method(:build_policy))
|
95
111
|
|
96
112
|
# # allow apps to customise the CSP by passing a block e.g:
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: govuk_app_config
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 5.0.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- GOV.UK Dev
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-01-
|
11
|
+
date: 2023-01-26 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: logstasher
|
@@ -336,7 +336,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
336
336
|
- !ruby/object:Gem::Version
|
337
337
|
version: '0'
|
338
338
|
requirements: []
|
339
|
-
rubygems_version: 3.4.
|
339
|
+
rubygems_version: 3.4.5
|
340
340
|
signing_key:
|
341
341
|
specification_version: 4
|
342
342
|
summary: Base configuration for GOV.UK applications
|