govuk_app_config 9.3.0 → 9.5.0

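--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 91aa874fe05081ba23cdf6d37cb9046b357fe1d20d79ec3c336877a3e75e2edc
- data.tar.gz: eff73c0ebf947cd2adb0c8bd37599c5bae85497db9c3942621b2178465c586de
+ metadata.gz: 255469d22c10d2e07cb30e465f87a899e119d3fa2b5722aff557071b6e26107f
+ data.tar.gz: 3cfe8d112cc6b7f12071858a7d22f71a6dc212b9016eb970bc6568cff5ec8869
  SHA512:
- metadata.gz: fcf73e2e1bcf53b466918e89fd23b2083e02dc7d9e8dd4333021db40f46a3d9774d52079c443d204bc00b0d09547e5be83c0f824611f532fc90a786f07cfe8f4
- data.tar.gz: b0ffcd15e23557623c9749eb925ec52ffa867558769da1cb13cd9d52e275e1201576c5c1d040ce9d90b80af5a7848452bd43ffe8d59d328bfdbed4029781f4b4
+ metadata.gz: fb1c55f3648e0bc20fa2117acbeb7bfef81230b23e4524b0cc040ac83394fd2bb70ae6c998a919e7349388ce7f8a4e622a3ff0de3703b369875ad1f555a6cf41
+ data.tar.gz: 8db44e6eae7f7c1bfb1a34f3fdbb2a49fe46b183bfc379d4158b78b33f8a9ecca40e37d06f991c9af9cbb8a49335f651b16d7488acc31d90fdff60693a1777a2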
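--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,12 @@
+ # 9.5.0
+
+ * Allow gov.uk domains to embed pages in the global Content Security Policy ([#325](https://github.com/alphagov/govuk_app_config/pull/325))
+
+ # 9.4.0
+
+ * Disallow any domain from embeding a page to prevent clickjacking ([#322](https://github.com/alphagov/govuk_app_config/pull/322))
+ * Fix GovukContentSecurityPolicy test ([#324](https://github.com/alphagov/govuk_app_config/pull/324))
+
  # 9.3.0
 
  * Get prometheus labels from controller, not params ([#320](https://github.com/alphagov/govuk_app_config/pull/320))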
@@ -80,6 +80,11 @@ module GovukContentSecurityPolicy
80
80
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
81
81
  policy.frame_src :self, *GOVUK_DOMAINS, "www.youtube.com", "www.youtube-nocookie.com" # Allow youtube embeds
82
82
 
83
+ # Disallow non-gov.uk domains from embeding a page using <frame>, <iframe>, <object>, or <embed> to prevent clickjacking
84
+ #
85
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
86
+ policy.frame_ancestors :self, *GOVUK_DOMAINS
87
+
83
88
  policy.report_uri ENV["GOVUK_CSP_REPORT_URI"] if ENV.include?("GOVUK_CSP_REPORT_URI")
84
89
  end
85
90
 
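Review bot: The added `policy.frame_ancestors :self, *GOVUK_DOMAINS` reuses the list that `frame_src` splats two lines above, so the origins trusted to frame every app using this gem are whatever that constant holds, and its definition is outside this hunk. If it contains wildcard hosts, any subdomain under them may embed these pages, so one taken-over or script-injectable subdomain would be enough to bypass the clickjacking protection. It is worth confirming the list and, if it is broad, passing a narrower dedicated constant here. The comment above the directive should also state the limits of the control, for example `# frame-ancestors has no default-src fallback and is not enforced when the policy is sent as Content-Security-Policy-Report-Only`. The enclosing method starts before the hunk, so whether a report-only mode exists here is not visible.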
@@ -1,3 +1,3 @@
1
1
  module GovukAppConfig
2
- VERSION = "9.3.0".freeze
2
+ VERSION = "9.5.0".freeze
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: govuk_app_config
3
3
  version: !ruby/object:Gem::Version
4
- version: 9.3.0
4
+ version: 9.5.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - GOV.UK Dev
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2023-10-03 00:00:00.000000000 Z
11
+ date: 2023-10-09 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: logstasher