RubyGems - govuk_app_config - Versions diffs - 1.17.0 → 1.18.1 - Mend

govuk_app_config 1.17.0 → 1.18.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +9 -0
data/govuk_app_config.gemspec +1 -0
data/lib/govuk_app_config.rb +5 -2
data/lib/govuk_app_config/govuk_content_security_policy.rb +46 -105
data/lib/govuk_app_config/version.rb +1 -1
metadata +16 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fe5e846bb45a6b28512d6dc2dd01794106ebe653d739855b564491290b8a6e31
-  data.tar.gz: '05335490c4278b67b1ab0404712b91cd9fc4be44f08887cad5453313e0cfb502'
+  metadata.gz: a50c0d77a0aae41136b1099a036a761c3e1a965ecb0184879f8f722d40786108
+  data.tar.gz: 87d38200558b9f2b945910ee6447cb150d53e83ad06005e0fa5c439ef70eb79d
 SHA512:
-  metadata.gz: aba550d1c915e3f2ede8424ac30f1c5ea35de88c4c68a744075a6cc19c65ffdda3ffdd7ae7bcebc178f9fb5bedba291ec4d585f09a0cff764baf2efe0587bf52
-  data.tar.gz: 54cbb007d3e933986a5d0af504d0c57042267d22375e7784c043a3022b10a7935bb7b550be181ded92a0769680861344077656bef6886857aa50e13293341fa6
+  metadata.gz: af87829f8bf53a26b7df8b612e3a113c5d14ac0b3f09609bb62751c8376b20c81b37958702f43a9829d5c20ccaaf784c2b0e09ad9a5da034e323e2db228af7b2
+  data.tar.gz: 7786abef8b8319af18b79779e98f721c3526947d804534ef6f78c4b47b14e380997052de3f3fa10e8d4d4f661855fce1fa466894b7d8eab447ea54d12f75ad82

data/CHANGELOG.md CHANGED

@@ -1,3 +1,12 @@
+# 1.18.1
+* Fix incorrect report_uri= method usage in content security policy
+# 1.18.0
+* Use Rails DSL to configure content security policy, allowing apps to modify
+  the policy and use nonce features.
 # 1.17.0
 * Tweak our CSP to work with 'dev.gov.uk'

data/govuk_app_config.gemspec CHANGED

@@ -28,6 +28,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "unicorn", "~> 5.4.0"
   spec.add_development_dependency "bundler", "~> 1.15"
+  spec.add_development_dependency "rails", "~> 5"
   spec.add_development_dependency "rake", "~> 10.0"
   spec.add_development_dependency "rspec", "~> 3.6.0"
   spec.add_development_dependency "rspec-its", "~> 1.2.0"

data/lib/govuk_app_config.rb CHANGED

@@ -1,5 +1,4 @@
 require "govuk_app_config/version"
-require "govuk_app_config/govuk_content_security_policy"
 require "govuk_app_config/govuk_statsd"
 require "govuk_app_config/govuk_error"
 require "govuk_app_config/govuk_logging"
@@ -9,4 +8,8 @@ require "govuk_app_config/govuk_healthcheck"
 require "govuk_app_config/govuk_unicorn"
 require "govuk_app_config/govuk_xray"
 require "govuk_app_config/configure"
-require "govuk_app_config/railtie" if defined?(Rails)
+if defined?(Rails)
+  require "govuk_app_config/railtie"
+  require "govuk_app_config/govuk_content_security_policy"
+end

data/lib/govuk_app_config/govuk_content_security_policy.rb CHANGED

@@ -1,9 +1,6 @@
 module GovukContentSecurityPolicy
   # Generate a Content Security Policy (CSP) directive.
   #
-  #
-  # Extracted in a separate module to allow comments.
-  #
   # See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for more CSP info.
   #
   # The resulting policy should be checked with:
@@ -12,131 +9,75 @@ module GovukContentSecurityPolicy
   # - https://cspvalidator.org
   GOVUK_DOMAINS = [
-    "'self'",
     '*.publishing.service.gov.uk',
     "*.#{ENV['GOVUK_APP_DOMAIN_EXTERNAL'] || ENV['GOVUK_APP_DOMAIN'] || 'dev.gov.uk'}"
-  ].uniq.join(" ").freeze
-  GOOGLE_ANALYTICS_DOMAINS = "www.google-analytics.com ssl.google-analytics.com stats.g.doubleclick.net".freeze
+  ].uniq.freeze
-  def self.build
-    policies = []
+  GOOGLE_ANALYTICS_DOMAINS = %w(www.google-analytics.com
+                                ssl.google-analytics.com
+                                stats.g.doubleclick.net).freeze
-    # By default, only allow HTTPS connections, and allow loading things from
-    # the publishing domain
-    #
+  def self.build_policy(policy)
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
-    policies << [
-      "default-src https",
-      GOVUK_DOMAINS
-    ]
+    policy.default_src :https, :self, *GOVUK_DOMAINS
-    # Allow images from the current domain, Google Analytics (the tracking pixel),
-    # and publishing domains.
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
-    policies << [
-      "img-src",
-      # Allow `data:` images for Base64-encoded images in CSS like:
-      #
-      # https://github.com/alphagov/service-manual-frontend/blob/1db99ed48de0dfc794b9686a98e6c62f8435ae80/app/assets/stylesheets/modules/_search.scss#L106
-      "data:",
-      GOVUK_DOMAINS,
-      GOOGLE_ANALYTICS_DOMAINS,
+    policy.img_src :self,
+                   :data, # Base64 encoded images
+                   *GOVUK_DOMAINS,
+                   *GOOGLE_ANALYTICS_DOMAINS, # Tracking pixels
+                   # Some content still links to an old domain we used to use
+                   "assets.digital.cabinet-office.gov.uk"
-      # Some content still links to an old domain we used to use
-      "assets.digital.cabinet-office.gov.uk",
-    ]
-    # script-src determines the scripts that the browser can load
-    #
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
-    policies << [
-      # Allow scripts from publishing domains
-      "script-src",
-      GOVUK_DOMAINS,
-      GOOGLE_ANALYTICS_DOMAINS,
-      # Allow JSONP call to Verify to check whether the user is logged in
-      # https://www.staging.publishing.service.gov.uk/log-in-file-self-assessment-tax-return/sign-in/prove-identity
-      # https://github.com/alphagov/government-frontend/blob/71aca4df9b74366618a5a93acdb5cd2715f94f49/app/assets/javascripts/modules/track-radio-group.js
-      "www.signin.service.gov.uk",
-      # Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
-      "*.ytimg.com",
-      "www.youtube.com",
-      # Allow all inline scripts until we can conclusively document all the inline scripts we use,
-      # and there's a better way to filter out junk reports
-      "'unsafe-inline'"
-    ]
+    policy.script_src :self,
+                      *GOVUK_DOMAINS,
+                      *GOOGLE_ANALYTICS_DOMAINS,
+                      # Allow JSONP call to Verify to check whether the user is logged in
+                      "www.signin.service.gov.uk",
+                      # Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
+                      "*.ytimg.com",
+                      "www.youtube.com",
+                      # Allow all inline scripts until we can conclusively
+                      # document all the inline scripts we use,
+                      # and there's a better way to filter out junk reports
+                      :unsafe_inline
-    # Allow styles from own domain and publishing domains.
-    #
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
-    policies << [
-      "style-src",
-      GOVUK_DOMAINS,
-      # Also allow "unsafe-inline" styles, because we use the `style=""` attribute on some HTML elements
-      "'unsafe-inline'"
-    ]
+    policy.style_src :self,
+                     *GOVUK_DOMAINS,
+                     # We use the `style=""` attribute on some HTML elements
+                     :unsafe_inline
-    # Allow fonts to be loaded from data-uri's (this is the old way of doing things)
-    # or from the publishing asset domains.
-    #
-    # https://www.staging.publishing.service.gov.uk/apply-for-a-licence/test-licence/westminster/apply-1
-    #
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
-    policies << [
-      "font-src data:",
-      GOVUK_DOMAINS
-    ]
+    policy.font_src :self,
+                    *GOVUK_DOMAINS,
+                    :data # Used by some legacy fonts
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
-    policies << [
-      # Scripts can only load data using Ajax from Google Analytics and the publishing domains
-      "connect-src",
-      GOVUK_DOMAINS,
-      GOOGLE_ANALYTICS_DOMAINS,
-      # Allow connecting to web chat from HMRC contact pages like
-      # https://www.staging.publishing.service.gov.uk/government/organisations/hm-revenue-customs/contact/child-benefit
-      "www.tax.service.gov.uk",
-      # Allow connecting to Verify to check whether the user is logged in
-      # https://github.com/alphagov/government-frontend/blob/71aca4df9b74366618a5a93acdb5cd2715f94f49/app/assets/javascripts/modules/track-radio-group.js
-      # https://www.staging.publishing.service.gov.uk/log-in-file-self-assessment-tax-return/sign-in/prove-identity
-      "www.signin.service.gov.uk",
-    ]
+    policy.connect_src :self,
+                       *GOVUK_DOMAINS,
+                       *GOOGLE_ANALYTICS_DOMAINS,
+                       # Allow connecting to web chat from HMRC contact pages
+                       "www.tax.service.gov.uk",
+                       # Allow connecting to Verify to check whether the user is logged in
+                       "www.signin.service.gov.uk"
     # Disallow all <object>, <embed>, and <applet> elements
     #
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
-    policies << [
-      "object-src 'none'"
-    ]
-    policies << [
-      "frame-src",
+    policy.object_src :none
-      # Allow YouTube embeds
-      "www.youtube.com",
-    ]
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
+    policy.frame_src :self, *GOVUK_DOMAINS, "www.youtube.com" # Allow youtube embeds
-    policies.map { |str| str.join(" ") }.join("; ") + ";"
+    # AWS Lambda function that filters out junk reports.
+    policy.report_uri "https://jhpno0hk6b.execute-api.eu-west-2.amazonaws.com/production" if Rails.env.production?
   end
   def self.configure
-    # In test and development, use CSP for real to find issues. In production we only
-    # report violations to Sentry (https://sentry.io/govuk/govuk-frontend-csp) via an
-    # AWS Lambda function that filters out junk reports.
-    if Rails.env.production?
-      reporting = "report-uri https://jhpno0hk6b.execute-api.eu-west-2.amazonaws.com/production"
-      Rails.application.config.action_dispatch.default_headers['Content-Security-Policy-Report-Only'] = self.build + " " + reporting
-    else
-      Rails.application.config.action_dispatch.default_headers['Content-Security-Policy'] = self.build
-    end
+    Rails.application.config.content_security_policy_report_only = true if Rails.env.production?
+    Rails.application.config.content_security_policy(&method(:build_policy))
   end
 end

data/lib/govuk_app_config/version.rb CHANGED

@@ -1,3 +1,3 @@
 module GovukAppConfig
-  VERSION = "1.17.0"
+  VERSION = "1.18.1"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: govuk_app_config
 version: !ruby/object:Gem::Version
-  version: 1.17.0
+  version: 1.18.1
 platform: ruby
 authors:
 - GOV.UK Dev
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-05-29 00:00:00.000000000 Z
+date: 2019-06-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-xray-sdk
@@ -94,6 +94,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.15'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement