govuk_app_config 1.13.1 → 1.14.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +14 -0
- data/lib/govuk_app_config.rb +1 -0
- data/lib/govuk_app_config/govuk_content_security_policy.rb +138 -0
- data/lib/govuk_app_config/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a128bd40ec0db6c4e7b792fc2c24cbdc31c1aff62a5be05a04d279da4ebf502b
|
|
4
|
+
data.tar.gz: 890eebef66ab4e625f7a8c34fe3dfeed9b39a3d1f83ec48d3ca71a7f1f286c0b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f03074bb2adf21510b86ec9786bdd205f65cd2bbc4d8e1fe94f01f5f2c33d9b3c060ce612b919ceccdf607b58f1118db6cb3da0395a438cba30ec3a38978fc42
|
|
7
|
+
data.tar.gz: cdec791c828fb80e08bba9bac8118a324b6b3e472613b46aa30f4bc921c3ec982da559d6d089258cdfe1506925ff3987ed55818bcf4f781d037587b5a80b2c2f
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
|
@@ -6,6 +6,7 @@ Adds the basics of a GOV.UK application:
|
|
|
6
6
|
- Error reporting with Sentry
|
|
7
7
|
- Statsd client for reporting stats
|
|
8
8
|
- Rails logging
|
|
9
|
+
- Content Security Policy generation for frontend apps
|
|
9
10
|
|
|
10
11
|
## Installation
|
|
11
12
|
|
|
@@ -115,6 +116,19 @@ check docs](docs/healthchecks.md) for more information on how to use it.
|
|
|
115
116
|
In Rails applications, the application will be configured to send JSON-formatted
|
|
116
117
|
logs to `STDOUT` and unstructed logs to `STDERR`.
|
|
117
118
|
|
|
119
|
+
## Content Security Policy generation
|
|
120
|
+
|
|
121
|
+
For frontend apps, configuration can be added to generate and serve a
|
|
122
|
+
content security policy header. The policy is report only when the Rails
|
|
123
|
+
environment is set to "production", and enforced otherwise.
|
|
124
|
+
|
|
125
|
+
To enable this feature, create a file at `config/initializers/csp.rb` in the
|
|
126
|
+
app with the following content:
|
|
127
|
+
|
|
128
|
+
```ruby
|
|
129
|
+
GovukContentSecurityPolicy.configure
|
|
130
|
+
```
|
|
131
|
+
|
|
118
132
|
## License
|
|
119
133
|
|
|
120
134
|
[MIT License](LICENSE.md)
|
data/lib/govuk_app_config.rb
CHANGED
|
@@ -0,0 +1,138 @@
|
|
|
1
|
+
module GovukContentSecurityPolicy
|
|
2
|
+
# Generate a Content Security Policy (CSP) directive.
|
|
3
|
+
#
|
|
4
|
+
#
|
|
5
|
+
# Extracted in a separate module to allow comments.
|
|
6
|
+
#
|
|
7
|
+
# See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for more CSP info.
|
|
8
|
+
#
|
|
9
|
+
# The resulting policy should be checked with:
|
|
10
|
+
#
|
|
11
|
+
# - https://csp-evaluator.withgoogle.com
|
|
12
|
+
# - https://cspvalidator.org
|
|
13
|
+
|
|
14
|
+
GOVUK_DOMAINS = "'self' *.publishing.service.gov.uk localhost".freeze
|
|
15
|
+
|
|
16
|
+
GOOGLE_ANALYTICS_DOMAINS = "www.google-analytics.com ssl.google-analytics.com".freeze
|
|
17
|
+
|
|
18
|
+
def self.build
|
|
19
|
+
policies = []
|
|
20
|
+
|
|
21
|
+
# By default, only allow HTTPS connections, and allow loading things from
|
|
22
|
+
# the publishing domain
|
|
23
|
+
#
|
|
24
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
|
|
25
|
+
policies << [
|
|
26
|
+
"default-src https",
|
|
27
|
+
GOVUK_DOMAINS
|
|
28
|
+
]
|
|
29
|
+
|
|
30
|
+
# Allow images from the current domain, Google Analytics (the tracking pixel),
|
|
31
|
+
# and publishing domains.
|
|
32
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
|
|
33
|
+
policies << [
|
|
34
|
+
"img-src",
|
|
35
|
+
|
|
36
|
+
# Allow `data:` images for Base64-encoded images in CSS like:
|
|
37
|
+
#
|
|
38
|
+
# https://github.com/alphagov/service-manual-frontend/blob/1db99ed48de0dfc794b9686a98e6c62f8435ae80/app/assets/stylesheets/modules/_search.scss#L106
|
|
39
|
+
"data:",
|
|
40
|
+
|
|
41
|
+
GOVUK_DOMAINS,
|
|
42
|
+
GOOGLE_ANALYTICS_DOMAINS,
|
|
43
|
+
|
|
44
|
+
# Some content still links to an old domain we used to use
|
|
45
|
+
"assets.digital.cabinet-office.gov.uk",
|
|
46
|
+
]
|
|
47
|
+
|
|
48
|
+
# script-src determines the scripts that the browser can load
|
|
49
|
+
#
|
|
50
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
|
|
51
|
+
policies << [
|
|
52
|
+
# Allow scripts from publishing domains
|
|
53
|
+
"script-src",
|
|
54
|
+
GOVUK_DOMAINS,
|
|
55
|
+
GOOGLE_ANALYTICS_DOMAINS,
|
|
56
|
+
|
|
57
|
+
# Allow JSONP call to Verify to check whether the user is logged in
|
|
58
|
+
# https://www.staging.publishing.service.gov.uk/log-in-file-self-assessment-tax-return/sign-in/prove-identity
|
|
59
|
+
# https://github.com/alphagov/government-frontend/blob/71aca4df9b74366618a5a93acdb5cd2715f94f49/app/assets/javascripts/modules/track-radio-group.js
|
|
60
|
+
"www.signin.service.gov.uk",
|
|
61
|
+
|
|
62
|
+
# Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
|
|
63
|
+
"*.ytimg.com",
|
|
64
|
+
"www.youtube.com",
|
|
65
|
+
|
|
66
|
+
# Allow all inline scripts until we can conclusively document all the inline scripts we use,
|
|
67
|
+
# and there's a better way to filter out junk reports
|
|
68
|
+
"'unsafe-inline'"
|
|
69
|
+
]
|
|
70
|
+
|
|
71
|
+
# Allow styles from own domain and publishing domains.
|
|
72
|
+
#
|
|
73
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
|
|
74
|
+
policies << [
|
|
75
|
+
"style-src",
|
|
76
|
+
GOVUK_DOMAINS,
|
|
77
|
+
|
|
78
|
+
# Also allow "unsafe-inline" styles, because we use the `style=""` attribute on some HTML elements
|
|
79
|
+
"'unsafe-inline'"
|
|
80
|
+
]
|
|
81
|
+
|
|
82
|
+
# Allow fonts to be loaded from data-uri's (this is the old way of doing things)
|
|
83
|
+
# or from the publishing asset domains.
|
|
84
|
+
#
|
|
85
|
+
# https://www.staging.publishing.service.gov.uk/apply-for-a-licence/test-licence/westminster/apply-1
|
|
86
|
+
#
|
|
87
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
|
|
88
|
+
policies << [
|
|
89
|
+
"font-src data:",
|
|
90
|
+
GOVUK_DOMAINS
|
|
91
|
+
]
|
|
92
|
+
|
|
93
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
|
|
94
|
+
policies << [
|
|
95
|
+
# Scripts can only load data using Ajax from Google Analytics and the publishing domains
|
|
96
|
+
"connect-src",
|
|
97
|
+
GOVUK_DOMAINS,
|
|
98
|
+
GOOGLE_ANALYTICS_DOMAINS,
|
|
99
|
+
|
|
100
|
+
# Allow connecting to web chat from HMRC contact pages like
|
|
101
|
+
# https://www.staging.publishing.service.gov.uk/government/organisations/hm-revenue-customs/contact/child-benefit
|
|
102
|
+
"www.tax.service.gov.uk",
|
|
103
|
+
|
|
104
|
+
# Allow connecting to Verify to check whether the user is logged in
|
|
105
|
+
# https://github.com/alphagov/government-frontend/blob/71aca4df9b74366618a5a93acdb5cd2715f94f49/app/assets/javascripts/modules/track-radio-group.js
|
|
106
|
+
# https://www.staging.publishing.service.gov.uk/log-in-file-self-assessment-tax-return/sign-in/prove-identity
|
|
107
|
+
"www.signin.service.gov.uk",
|
|
108
|
+
]
|
|
109
|
+
|
|
110
|
+
# Disallow all <object>, <embed>, and <applet> elements
|
|
111
|
+
#
|
|
112
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
|
|
113
|
+
policies << [
|
|
114
|
+
"object-src 'none'"
|
|
115
|
+
]
|
|
116
|
+
|
|
117
|
+
policies << [
|
|
118
|
+
"frame-src",
|
|
119
|
+
|
|
120
|
+
# Allow YouTube embeds
|
|
121
|
+
"www.youtube.com",
|
|
122
|
+
]
|
|
123
|
+
|
|
124
|
+
policies.map { |str| str.join(" ") }.join("; ") + ";"
|
|
125
|
+
end
|
|
126
|
+
|
|
127
|
+
def self.configure
|
|
128
|
+
# In test and development, use CSP for real to find issues. In production we only
|
|
129
|
+
# report violations to Sentry (https://sentry.io/govuk/govuk-frontend-csp) via an
|
|
130
|
+
# AWS Lambda function that filters out junk reports.
|
|
131
|
+
if Rails.env.production?
|
|
132
|
+
reporting = "report-uri https://jhpno0hk6b.execute-api.eu-west-2.amazonaws.com/production"
|
|
133
|
+
Rails.application.config.action_dispatch.default_headers['Content-Security-Policy-Report-Only'] = GovukContentSecurityPolicy.build + " " + reporting
|
|
134
|
+
else
|
|
135
|
+
Rails.application.config.action_dispatch.default_headers['Content-Security-Policy'] = GovukContentSecurityPolicy.build
|
|
136
|
+
end
|
|
137
|
+
end
|
|
138
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: govuk_app_config
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.14.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- GOV.UK Dev
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-04-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-xray-sdk
|
|
@@ -200,6 +200,7 @@ files:
|
|
|
200
200
|
- govuk_app_config.gemspec
|
|
201
201
|
- lib/govuk_app_config.rb
|
|
202
202
|
- lib/govuk_app_config/configure.rb
|
|
203
|
+
- lib/govuk_app_config/govuk_content_security_policy.rb
|
|
203
204
|
- lib/govuk_app_config/govuk_error.rb
|
|
204
205
|
- lib/govuk_app_config/govuk_healthcheck.rb
|
|
205
206
|
- lib/govuk_app_config/govuk_healthcheck/active_record.rb
|