RubyGems - govuk_app_config - Versions diffs - 9.3.0 → 9.4.0 - Mend

govuk_app_config 9.3.0 → 9.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +5 -0
data/lib/govuk_app_config/govuk_content_security_policy.rb +5 -0
data/lib/govuk_app_config/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 91aa874fe05081ba23cdf6d37cb9046b357fe1d20d79ec3c336877a3e75e2edc
-  data.tar.gz: eff73c0ebf947cd2adb0c8bd37599c5bae85497db9c3942621b2178465c586de
+  metadata.gz: 273b6b6ef65edc0acb8786a4e5352dfbd0c06d54ed7df78b71352f513b74ba22
+  data.tar.gz: a929e8ecabac4aada60d6c31337d1f36b7ce077a259fa596124f44cfc7c8ab0c
 SHA512:
-  metadata.gz: fcf73e2e1bcf53b466918e89fd23b2083e02dc7d9e8dd4333021db40f46a3d9774d52079c443d204bc00b0d09547e5be83c0f824611f532fc90a786f07cfe8f4
-  data.tar.gz: b0ffcd15e23557623c9749eb925ec52ffa867558769da1cb13cd9d52e275e1201576c5c1d040ce9d90b80af5a7848452bd43ffe8d59d328bfdbed4029781f4b4
+  metadata.gz: 86bf49ce98b88af4c0781a94797eeb55cd4007830004fa6ed90c65dd19e4b0b409897b53f10b0293f2e5120ea3241517e3c08548527d34daab165e8f838b0e06
+  data.tar.gz: fa89fb00c3e24406151b4e5cdce2f54596ecf56846192b1dfc378f3237a00beffb129805d205a0d001e6ce2205ae4d404b468b6fd240a3011e0a41aa8ad3e06f

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,8 @@
+# 9.4.0
+* Disallow any domain from embeding a page to prevent clickjacking ([#322](https://github.com/alphagov/govuk_app_config/pull/322))
+* Fix GovukContentSecurityPolicy test ([#324](https://github.com/alphagov/govuk_app_config/pull/324))
 # 9.3.0
 * Get prometheus labels from controller, not params ([#320](https://github.com/alphagov/govuk_app_config/pull/320))

data/lib/govuk_app_config/govuk_content_security_policy.rb CHANGED Viewed

@@ -80,6 +80,11 @@ module GovukContentSecurityPolicy
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
     policy.frame_src :self, *GOVUK_DOMAINS, "www.youtube.com", "www.youtube-nocookie.com" # Allow youtube embeds
+    # Disallow any domain from embeding a page using <frame>, <iframe>, <object>, or <embed> to prevent clickjacking
+    #
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+    policy.frame_ancestors :none
     policy.report_uri ENV["GOVUK_CSP_REPORT_URI"] if ENV.include?("GOVUK_CSP_REPORT_URI")
   end

data/lib/govuk_app_config/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module GovukAppConfig
-  VERSION = "9.3.0".freeze
+  VERSION = "9.4.0".freeze
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: govuk_app_config
 version: !ruby/object:Gem::Version
-  version: 9.3.0
+  version: 9.4.0
 platform: ruby
 authors:
 - GOV.UK Dev
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-10-03 00:00:00.000000000 Z
+date: 2023-10-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logstasher