govuk_app_config 1.13.1 → 1.14.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +14 -0
- data/lib/govuk_app_config.rb +1 -0
- data/lib/govuk_app_config/govuk_content_security_policy.rb +138 -0
- data/lib/govuk_app_config/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a128bd40ec0db6c4e7b792fc2c24cbdc31c1aff62a5be05a04d279da4ebf502b
|
|
4
|
+
data.tar.gz: 890eebef66ab4e625f7a8c34fe3dfeed9b39a3d1f83ec48d3ca71a7f1f286c0b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f03074bb2adf21510b86ec9786bdd205f65cd2bbc4d8e1fe94f01f5f2c33d9b3c060ce612b919ceccdf607b58f1118db6cb3da0395a438cba30ec3a38978fc42
|
|
7
|
+
data.tar.gz: cdec791c828fb80e08bba9bac8118a324b6b3e472613b46aa30f4bc921c3ec982da559d6d089258cdfe1506925ff3987ed55818bcf4f781d037587b5a80b2c2f
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
|
@@ -6,6 +6,7 @@ Adds the basics of a GOV.UK application:
|
|
|
6
6
|
- Error reporting with Sentry
|
|
7
7
|
- Statsd client for reporting stats
|
|
8
8
|
- Rails logging
|
|
9
|
+
- Content Security Policy generation for frontend apps
|
|
9
10
|
|
|
10
11
|
## Installation
|
|
11
12
|
|
|
@@ -115,6 +116,19 @@ check docs](docs/healthchecks.md) for more information on how to use it.
|
|
|
115
116
|
In Rails applications, the application will be configured to send JSON-formatted
|
|
116
117
|
logs to `STDOUT` and unstructed logs to `STDERR`.
|
|
117
118
|
|
|
119
|
+
## Content Security Policy generation
|
|
120
|
+
|
|
121
|
+
For frontend apps, configuration can be added to generate and serve a
|
|
122
|
+
content security policy header. The policy is report only when the Rails
|
|
123
|
+
environment is set to "production", and enforced otherwise.
|
|
124
|
+
|
|
125
|
+
To enable this feature, create a file at `config/initializers/csp.rb` in the
|
|
126
|
+
app with the following content:
|
|
127
|
+
|
|
128
|
+
```ruby
|
|
129
|
+
GovukContentSecurityPolicy.configure
|
|
130
|
+
```
|
|
131
|
+
|
|
118
132
|
## License
|
|
119
133
|
|
|
120
134
|
[MIT License](LICENSE.md)
|
data/lib/govuk_app_config.rb
CHANGED
|
@@ -0,0 +1,138 @@
|
|
|
1
|
+
module GovukContentSecurityPolicy
|
|
2
|
+
# Generate a Content Security Policy (CSP) directive.
|
|
3
|
+
#
|
|
4
|
+
#
|
|
5
|
+
# Extracted in a separate module to allow comments.
|
|
6
|
+
#
|
|
7
|
+
# See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for more CSP info.
|
|
8
|
+
#
|
|
9
|
+
# The resulting policy should be checked with:
|
|
10
|
+
#
|
|
11
|
+
# - https://csp-evaluator.withgoogle.com
|
|
12
|
+
# - https://cspvalidator.org
|
|
13
|
+
|
|
14
|
+
GOVUK_DOMAINS = "'self' *.publishing.service.gov.uk localhost".freeze
|
|
15
|
+
|
|
16
|
+
GOOGLE_ANALYTICS_DOMAINS = "www.google-analytics.com ssl.google-analytics.com".freeze
|
|
17
|
+
|
|
18
|
+
def self.build
|
|
19
|
+
policies = []
|
|
20
|
+
|
|
21
|
+
# By default, only allow HTTPS connections, and allow loading things from
|
|
22
|
+
# the publishing domain
|
|
23
|
+
#
|
|
24
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
|
|
25
|
+
policies << [
|
|
26
|
+
"default-src https",
|
|
27
|
+
GOVUK_DOMAINS
|
|
28
|
+
]
|
|
29
|
+
|
|
30
|
+
# Allow images from the current domain, Google Analytics (the tracking pixel),
|
|
31
|
+
# and publishing domains.
|
|
32
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
|
|
33
|
+
policies << [
|
|
34
|
+
"img-src",
|
|
35
|
+
|
|
36
|
+
# Allow `data:` images for Base64-encoded images in CSS like:
|
|
37
|
+
#
|
|
38
|
+
# https://github.com/alphagov/service-manual-frontend/blob/1db99ed48de0dfc794b9686a98e6c62f8435ae80/app/assets/stylesheets/modules/_search.scss#L106
|
|
39
|
+
"data:",
|
|
40
|
+
|
|
41
|
+
GOVUK_DOMAINS,
|
|
42
|
+
GOOGLE_ANALYTICS_DOMAINS,
|
|
43
|
+
|
|
44
|
+
# Some content still links to an old domain we used to use
|
|
45
|
+
"assets.digital.cabinet-office.gov.uk",
|
|
46
|
+
]
|
|
47
|
+
|
|
48
|
+
# script-src determines the scripts that the browser can load
|
|
49
|
+
#
|
|
50
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
|
|
51
|
+
policies << [
|
|
52
|
+
# Allow scripts from publishing domains
|
|
53
|
+
"script-src",
|
|
54
|
+
GOVUK_DOMAINS,
|
|
55
|
+
GOOGLE_ANALYTICS_DOMAINS,
|
|
56
|
+
|
|
57
|
+
# Allow JSONP call to Verify to check whether the user is logged in
|
|
58
|
+
# https://www.staging.publishing.service.gov.uk/log-in-file-self-assessment-tax-return/sign-in/prove-identity
|
|
59
|
+
# https://github.com/alphagov/government-frontend/blob/71aca4df9b74366618a5a93acdb5cd2715f94f49/app/assets/javascripts/modules/track-radio-group.js
|
|
60
|
+
"www.signin.service.gov.uk",
|
|
61
|
+
|
|
62
|
+
# Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
|
|
63
|
+
"*.ytimg.com",
|
|
64
|
+
"www.youtube.com",
|
|
65
|
+
|
|
66
|
+
# Allow all inline scripts until we can conclusively document all the inline scripts we use,
|
|
67
|
+
# and there's a better way to filter out junk reports
|
|
68
|
+
"'unsafe-inline'"
|
|
69
|
+
]
|
|
70
|
+
|
|
71
|
+
# Allow styles from own domain and publishing domains.
|
|
72
|
+
#
|
|
73
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
|
|
74
|
+
policies << [
|
|
75
|
+
"style-src",
|
|
76
|
+
GOVUK_DOMAINS,
|
|
77
|
+
|
|
78
|
+
# Also allow "unsafe-inline" styles, because we use the `style=""` attribute on some HTML elements
|
|
79
|
+
"'unsafe-inline'"
|
|
80
|
+
]
|
|
81
|
+
|
|
82
|
+
# Allow fonts to be loaded from data-uri's (this is the old way of doing things)
|
|
83
|
+
# or from the publishing asset domains.
|
|
84
|
+
#
|
|
85
|
+
# https://www.staging.publishing.service.gov.uk/apply-for-a-licence/test-licence/westminster/apply-1
|
|
86
|
+
#
|
|
87
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
|
|
88
|
+
policies << [
|
|
89
|
+
"font-src data:",
|
|
90
|
+
GOVUK_DOMAINS
|
|
91
|
+
]
|
|
92
|
+
|
|
93
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
|
|
94
|
+
policies << [
|
|
95
|
+
# Scripts can only load data using Ajax from Google Analytics and the publishing domains
|
|
96
|
+
"connect-src",
|
|
97
|
+
GOVUK_DOMAINS,
|
|
98
|
+
GOOGLE_ANALYTICS_DOMAINS,
|
|
99
|
+
|
|
100
|
+
# Allow connecting to web chat from HMRC contact pages like
|
|
101
|
+
# https://www.staging.publishing.service.gov.uk/government/organisations/hm-revenue-customs/contact/child-benefit
|
|
102
|
+
"www.tax.service.gov.uk",
|
|
103
|
+
|
|
104
|
+
# Allow connecting to Verify to check whether the user is logged in
|
|
105
|
+
# https://github.com/alphagov/government-frontend/blob/71aca4df9b74366618a5a93acdb5cd2715f94f49/app/assets/javascripts/modules/track-radio-group.js
|
|
106
|
+
# https://www.staging.publishing.service.gov.uk/log-in-file-self-assessment-tax-return/sign-in/prove-identity
|
|
107
|
+
"www.signin.service.gov.uk",
|
|
108
|
+
]
|
|
109
|
+
|
|
110
|
+
# Disallow all <object>, <embed>, and <applet> elements
|
|
111
|
+
#
|
|
112
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
|
|
113
|
+
policies << [
|
|
114
|
+
"object-src 'none'"
|
|
115
|
+
]
|
|
116
|
+
|
|
117
|
+
policies << [
|
|
118
|
+
"frame-src",
|
|
119
|
+
|
|
120
|
+
# Allow YouTube embeds
|
|
121
|
+
"www.youtube.com",
|
|
122
|
+
]
|
|
123
|
+
|
|
124
|
+
policies.map { |str| str.join(" ") }.join("; ") + ";"
|
|
125
|
+
end
|
|
126
|
+
|
|
127
|
+
def self.configure
|
|
128
|
+
# In test and development, use CSP for real to find issues. In production we only
|
|
129
|
+
# report violations to Sentry (https://sentry.io/govuk/govuk-frontend-csp) via an
|
|
130
|
+
# AWS Lambda function that filters out junk reports.
|
|
131
|
+
if Rails.env.production?
|
|
132
|
+
reporting = "report-uri https://jhpno0hk6b.execute-api.eu-west-2.amazonaws.com/production"
|
|
133
|
+
Rails.application.config.action_dispatch.default_headers['Content-Security-Policy-Report-Only'] = GovukContentSecurityPolicy.build + " " + reporting
|
|
134
|
+
else
|
|
135
|
+
Rails.application.config.action_dispatch.default_headers['Content-Security-Policy'] = GovukContentSecurityPolicy.build
|
|
136
|
+
end
|
|
137
|
+
end
|
|
138
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: govuk_app_config
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.14.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- GOV.UK Dev
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-04-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-xray-sdk
|
|
@@ -200,6 +200,7 @@ files:
|
|
|
200
200
|
- govuk_app_config.gemspec
|
|
201
201
|
- lib/govuk_app_config.rb
|
|
202
202
|
- lib/govuk_app_config/configure.rb
|
|
203
|
+
- lib/govuk_app_config/govuk_content_security_policy.rb
|
|
203
204
|
- lib/govuk_app_config/govuk_error.rb
|
|
204
205
|
- lib/govuk_app_config/govuk_healthcheck.rb
|
|
205
206
|
- lib/govuk_app_config/govuk_healthcheck/active_record.rb
|