govuk_app_config 9.4.0 → 9.5.0

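--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 273b6b6ef65edc0acb8786a4e5352dfbd0c06d54ed7df78b71352f513b74ba22
- data.tar.gz: a929e8ecabac4aada60d6c31337d1f36b7ce077a259fa596124f44cfc7c8ab0c
+ metadata.gz: 255469d22c10d2e07cb30e465f87a899e119d3fa2b5722aff557071b6e26107f
+ data.tar.gz: 3cfe8d112cc6b7f12071858a7d22f71a6dc212b9016eb970bc6568cff5ec8869
  SHA512:
- metadata.gz: 86bf49ce98b88af4c0781a94797eeb55cd4007830004fa6ed90c65dd19e4b0b409897b53f10b0293f2e5120ea3241517e3c08548527d34daab165e8f838b0e06
- data.tar.gz: fa89fb00c3e24406151b4e5cdce2f54596ecf56846192b1dfc378f3237a00beffb129805d205a0d001e6ce2205ae4d404b468b6fd240a3011e0a41aa8ad3e06f
+ metadata.gz: fb1c55f3648e0bc20fa2117acbeb7bfef81230b23e4524b0cc040ac83394fd2bb70ae6c998a919e7349388ce7f8a4e622a3ff0de3703b369875ad1f555a6cf41
+ data.tar.gz: 8db44e6eae7f7c1bfb1a34f3fdbb2a49fe46b183bfc379d4158b78b33f8a9ecca40e37d06f991c9af9cbb8a49335f651b16d7488acc31d90fdff60693a1777a2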
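--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+ # 9.5.0
+
+ * Allow gov.uk domains to embed pages in the global Content Security Policy ([#325](https://github.com/alphagov/govuk_app_config/pull/325))
+
  # 9.4.0
 
  * Disallow any domain from embeding a page to prevent clickjacking ([#322](https://github.com/alphagov/govuk_app_config/pull/322))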
@@ -80,10 +80,10 @@ module GovukContentSecurityPolicy
80
80
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
81
81
  policy.frame_src :self, *GOVUK_DOMAINS, "www.youtube.com", "www.youtube-nocookie.com" # Allow youtube embeds
82
82
 
83
- # Disallow any domain from embeding a page using <frame>, <iframe>, <object>, or <embed> to prevent clickjacking
83
+ # Disallow non-gov.uk domains from embeding a page using <frame>, <iframe>, <object>, or <embed> to prevent clickjacking
84
84
  #
85
85
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
86
- policy.frame_ancestors :none
86
+ policy.frame_ancestors :self, *GOVUK_DOMAINS
87
87
 
88
88
  policy.report_uri ENV["GOVUK_CSP_REPORT_URI"] if ENV.include?("GOVUK_CSP_REPORT_URI")
89
89
  end
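Review bot: `policy.frame_ancestors :self, *GOVUK_DOMAINS` makes the clickjacking boundary as wide as whatever `GOVUK_DOMAINS` matches, and that constant is defined outside this hunk and is reused from the `frame_src` line just above, so it was presumably not chosen with framing in mind. If it contains wildcard host patterns, every host under them, including any that serves third-party or user-supplied content, would be allowed to frame every application that inherits this global policy. I would give framing its own narrower allow-list, e.g. `policy.frame_ancestors :self, *GOVUK_FRAME_ANCESTORS` (constant name constructed for illustration). At minimum, extend the comment to `# Only origins matched by GOVUK_DOMAINS may frame pages; apps with sensitive state-changing pages should override this with :none`. The enclosing block begins outside the hunk, so how this policy is delivered and whether apps can override it is not visible here.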
@@ -1,3 +1,3 @@
1
1
  module GovukAppConfig
2
- VERSION = "9.4.0".freeze
2
+ VERSION = "9.5.0".freeze
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: govuk_app_config
3
3
  version: !ruby/object:Gem::Version
4
- version: 9.4.0
4
+ version: 9.5.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - GOV.UK Dev
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2023-10-05 00:00:00.000000000 Z
11
+ date: 2023-10-09 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: logstasher