govuk_app_config 9.4.0 → 9.6.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -0
- data/govuk_app_config.gemspec +1 -1
- data/lib/govuk_app_config/govuk_content_security_policy.rb +4 -3
- data/lib/govuk_app_config/version.rb +1 -1
- metadata +5 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: c15ac7d4a7297bc830a60b2877bc36d0e1b046fe2a498a0006b29b58ce9a0fec
|
4
|
+
data.tar.gz: 323f249a17a7806f176e88d060e7c99ac0eb54f0244815534056e2820e70f9e0
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 8d514827abb88965374c9213b700ba05f9fdb3f65098f403d4e583581da768ebb6aa512b8b38adeae4818e839186443a011dfc3dd9ee7e1fc101363cd2721f3d
|
7
|
+
data.tar.gz: 319470197ea8a8ead9e29ba6e01b347215c62d472be68d94eaf58223a0e4b350a1046cee03c2aafef5d8e3828a34e802400eb60ea2322c93e6c5da277230d856
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,11 @@
|
|
1
|
+
# 9.6.0
|
2
|
+
|
3
|
+
* Allow YouTube thumbnails from https://i.ytimg.com in the global Content Security Policy ([#328](https://github.com/alphagov/govuk_app_config/pull/328))
|
4
|
+
|
5
|
+
# 9.5.0
|
6
|
+
|
7
|
+
* Allow gov.uk domains to embed pages in the global Content Security Policy ([#325](https://github.com/alphagov/govuk_app_config/pull/325))
|
8
|
+
|
1
9
|
# 9.4.0
|
2
10
|
|
3
11
|
* Disallow any domain from embeding a page to prevent clickjacking ([#322](https://github.com/alphagov/govuk_app_config/pull/322))
|
data/govuk_app_config.gemspec
CHANGED
@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
|
|
22
22
|
|
23
23
|
spec.add_dependency "logstasher", "~> 2.1"
|
24
24
|
spec.add_dependency "opentelemetry-exporter-otlp", ">= 0.25", "< 0.27"
|
25
|
-
spec.add_dependency "opentelemetry-instrumentation-all", ">= 0.39.1", "< 0.
|
25
|
+
spec.add_dependency "opentelemetry-instrumentation-all", ">= 0.39.1", "< 0.52.0"
|
26
26
|
spec.add_dependency "opentelemetry-sdk", "~> 1.2"
|
27
27
|
spec.add_dependency "plek", ">= 4", "< 6"
|
28
28
|
spec.add_dependency "prometheus_exporter", "~> 2.0"
|
@@ -41,7 +41,8 @@ module GovukContentSecurityPolicy
|
|
41
41
|
# Some content still links to an old domain we used to use
|
42
42
|
"assets.digital.cabinet-office.gov.uk",
|
43
43
|
# Allow YouTube thumbnails
|
44
|
-
"https://img.youtube.com"
|
44
|
+
"https://img.youtube.com",
|
45
|
+
"https://i.ytimg.com"
|
45
46
|
|
46
47
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
|
47
48
|
# Note: we purposely don't include `data:`, `unsafe-inline` or `unsafe-eval` because
|
@@ -80,10 +81,10 @@ module GovukContentSecurityPolicy
|
|
80
81
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
|
81
82
|
policy.frame_src :self, *GOVUK_DOMAINS, "www.youtube.com", "www.youtube-nocookie.com" # Allow youtube embeds
|
82
83
|
|
83
|
-
# Disallow
|
84
|
+
# Disallow non-gov.uk domains from embeding a page using <frame>, <iframe>, <object>, or <embed> to prevent clickjacking
|
84
85
|
#
|
85
86
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
|
86
|
-
policy.frame_ancestors :
|
87
|
+
policy.frame_ancestors :self, *GOVUK_DOMAINS
|
87
88
|
|
88
89
|
policy.report_uri ENV["GOVUK_CSP_REPORT_URI"] if ENV.include?("GOVUK_CSP_REPORT_URI")
|
89
90
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: govuk_app_config
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 9.
|
4
|
+
version: 9.6.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- GOV.UK Dev
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-
|
11
|
+
date: 2023-11-17 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: logstasher
|
@@ -53,7 +53,7 @@ dependencies:
|
|
53
53
|
version: 0.39.1
|
54
54
|
- - "<"
|
55
55
|
- !ruby/object:Gem::Version
|
56
|
-
version: 0.
|
56
|
+
version: 0.52.0
|
57
57
|
type: :runtime
|
58
58
|
prerelease: false
|
59
59
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -63,7 +63,7 @@ dependencies:
|
|
63
63
|
version: 0.39.1
|
64
64
|
- - "<"
|
65
65
|
- !ruby/object:Gem::Version
|
66
|
-
version: 0.
|
66
|
+
version: 0.52.0
|
67
67
|
- !ruby/object:Gem::Dependency
|
68
68
|
name: opentelemetry-sdk
|
69
69
|
requirement: !ruby/object:Gem::Requirement
|
@@ -375,7 +375,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
375
375
|
- !ruby/object:Gem::Version
|
376
376
|
version: '0'
|
377
377
|
requirements: []
|
378
|
-
rubygems_version: 3.4.
|
378
|
+
rubygems_version: 3.4.22
|
379
379
|
signing_key:
|
380
380
|
specification_version: 4
|
381
381
|
summary: Base configuration for GOV.UK applications
|