govuk_app_config 9.3.0 → 9.4.0

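--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 91aa874fe05081ba23cdf6d37cb9046b357fe1d20d79ec3c336877a3e75e2edc
- data.tar.gz: eff73c0ebf947cd2adb0c8bd37599c5bae85497db9c3942621b2178465c586de
+ metadata.gz: 273b6b6ef65edc0acb8786a4e5352dfbd0c06d54ed7df78b71352f513b74ba22
+ data.tar.gz: a929e8ecabac4aada60d6c31337d1f36b7ce077a259fa596124f44cfc7c8ab0c
  SHA512:
- metadata.gz: fcf73e2e1bcf53b466918e89fd23b2083e02dc7d9e8dd4333021db40f46a3d9774d52079c443d204bc00b0d09547e5be83c0f824611f532fc90a786f07cfe8f4
- data.tar.gz: b0ffcd15e23557623c9749eb925ec52ffa867558769da1cb13cd9d52e275e1201576c5c1d040ce9d90b80af5a7848452bd43ffe8d59d328bfdbed4029781f4b4
+ metadata.gz: 86bf49ce98b88af4c0781a94797eeb55cd4007830004fa6ed90c65dd19e4b0b409897b53f10b0293f2e5120ea3241517e3c08548527d34daab165e8f838b0e06
+ data.tar.gz: fa89fb00c3e24406151b4e5cdce2f54596ecf56846192b1dfc378f3237a00beffb129805d205a0d001e6ce2205ae4d404b468b6fd240a3011e0a41aa8ad3e06f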
data/CHANGELOG.md CHANGED
@@ -1,3 +1,8 @@
1
+ # 9.4.0
2
+
3
+ * Disallow any domain from embeding a page to prevent clickjacking ([#322](https://github.com/alphagov/govuk_app_config/pull/322))
4
+ * Fix GovukContentSecurityPolicy test ([#324](https://github.com/alphagov/govuk_app_config/pull/324))
5
+
1
6
  # 9.3.0
2
7
 
3
8
  * Get prometheus labels from controller, not params ([#320](https://github.com/alphagov/govuk_app_config/pull/320))
@@ -80,6 +80,11 @@ module GovukContentSecurityPolicy
80
80
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
81
81
  policy.frame_src :self, *GOVUK_DOMAINS, "www.youtube.com", "www.youtube-nocookie.com" # Allow youtube embeds
82
82
 
83
+ # Disallow any domain from embeding a page using <frame>, <iframe>, <object>, or <embed> to prevent clickjacking
84
+ #
85
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
86
+ policy.frame_ancestors :none
87
+
83
88
  policy.report_uri ENV["GOVUK_CSP_REPORT_URI"] if ENV.include?("GOVUK_CSP_REPORT_URI")
84
89
  end
85
90
 
@@ -1,3 +1,3 @@
1
1
  module GovukAppConfig
2
- VERSION = "9.3.0".freeze
2
+ VERSION = "9.4.0".freeze
3
3
  end
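Review bot: In the `GovukContentSecurityPolicy` hunk (`@@ -80,6 +80,11 @@`), the comment above `policy.frame_ancestors :none` says "any domain", but `'none'` also blocks framing by the page's own origin, which is stricter than an `X-Frame-Options: SAMEORIGIN` setting. I would make that explicit, e.g. `# Disallow all framing of a page, including by its own origin, to prevent clickjacking`, so that an app which frames its own pages knows it must override this directive. The directive only blocks framing when the policy is delivered as an enforcing `Content-Security-Policy` header; in report-only mode it only generates reports. The hunk does not show which mode consuming apps use, so it is worth confirming that `X-Frame-Options` stays in place as the enforced fallback. The enclosing policy block starts outside the hunk, so any earlier directives were not reviewed.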
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: govuk_app_config
3
3
  version: !ruby/object:Gem::Version
4
- version: 9.3.0
4
+ version: 9.4.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - GOV.UK Dev
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2023-10-03 00:00:00.000000000 Z
11
+ date: 2023-10-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: logstasher