govuk_app_config 9.3.0 → 9.5.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -0
- data/lib/govuk_app_config/govuk_content_security_policy.rb +5 -0
- data/lib/govuk_app_config/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 255469d22c10d2e07cb30e465f87a899e119d3fa2b5722aff557071b6e26107f
|
|
4
|
+
data.tar.gz: 3cfe8d112cc6b7f12071858a7d22f71a6dc212b9016eb970bc6568cff5ec8869
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: fb1c55f3648e0bc20fa2117acbeb7bfef81230b23e4524b0cc040ac83394fd2bb70ae6c998a919e7349388ce7f8a4e622a3ff0de3703b369875ad1f555a6cf41
|
|
7
|
+
data.tar.gz: 8db44e6eae7f7c1bfb1a34f3fdbb2a49fe46b183bfc379d4158b78b33f8a9ecca40e37d06f991c9af9cbb8a49335f651b16d7488acc31d90fdff60693a1777a2
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,12 @@
|
|
|
1
|
+
# 9.5.0
|
|
2
|
+
|
|
3
|
+
* Allow gov.uk domains to embed pages in the global Content Security Policy ([#325](https://github.com/alphagov/govuk_app_config/pull/325))
|
|
4
|
+
|
|
5
|
+
# 9.4.0
|
|
6
|
+
|
|
7
|
+
* Disallow any domain from embeding a page to prevent clickjacking ([#322](https://github.com/alphagov/govuk_app_config/pull/322))
|
|
8
|
+
* Fix GovukContentSecurityPolicy test ([#324](https://github.com/alphagov/govuk_app_config/pull/324))
|
|
9
|
+
|
|
1
10
|
# 9.3.0
|
|
2
11
|
|
|
3
12
|
* Get prometheus labels from controller, not params ([#320](https://github.com/alphagov/govuk_app_config/pull/320))
|
|
@@ -80,6 +80,11 @@ module GovukContentSecurityPolicy
|
|
|
80
80
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
|
|
81
81
|
policy.frame_src :self, *GOVUK_DOMAINS, "www.youtube.com", "www.youtube-nocookie.com" # Allow youtube embeds
|
|
82
82
|
|
|
83
|
+
# Disallow non-gov.uk domains from embeding a page using <frame>, <iframe>, <object>, or <embed> to prevent clickjacking
|
|
84
|
+
#
|
|
85
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
|
|
86
|
+
policy.frame_ancestors :self, *GOVUK_DOMAINS
|
|
87
|
+
|
|
83
88
|
policy.report_uri ENV["GOVUK_CSP_REPORT_URI"] if ENV.include?("GOVUK_CSP_REPORT_URI")
|
|
84
89
|
end
|
|
85
90
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: govuk_app_config
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 9.
|
|
4
|
+
version: 9.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- GOV.UK Dev
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-10-
|
|
11
|
+
date: 2023-10-09 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: logstasher
|