RubyGems - govuk_app_config - Versions diffs - 1.17.0 → 1.18.1 - Mend

govuk_app_config 1.17.0 → 1.18.1

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +9 -0
data/govuk_app_config.gemspec +1 -0
data/lib/govuk_app_config.rb +5 -2
data/lib/govuk_app_config/govuk_content_security_policy.rb +46 -105
data/lib/govuk_app_config/version.rb +1 -1
metadata +16 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fe5e846bb45a6b28512d6dc2dd01794106ebe653d739855b564491290b8a6e31
-  data.tar.gz: '05335490c4278b67b1ab0404712b91cd9fc4be44f08887cad5453313e0cfb502'
+  metadata.gz: a50c0d77a0aae41136b1099a036a761c3e1a965ecb0184879f8f722d40786108
+  data.tar.gz: 87d38200558b9f2b945910ee6447cb150d53e83ad06005e0fa5c439ef70eb79d
 SHA512:
-  metadata.gz: aba550d1c915e3f2ede8424ac30f1c5ea35de88c4c68a744075a6cc19c65ffdda3ffdd7ae7bcebc178f9fb5bedba291ec4d585f09a0cff764baf2efe0587bf52
-  data.tar.gz: 54cbb007d3e933986a5d0af504d0c57042267d22375e7784c043a3022b10a7935bb7b550be181ded92a0769680861344077656bef6886857aa50e13293341fa6
+  metadata.gz: af87829f8bf53a26b7df8b612e3a113c5d14ac0b3f09609bb62751c8376b20c81b37958702f43a9829d5c20ccaaf784c2b0e09ad9a5da034e323e2db228af7b2
+  data.tar.gz: 7786abef8b8319af18b79779e98f721c3526947d804534ef6f78c4b47b14e380997052de3f3fa10e8d4d4f661855fce1fa466894b7d8eab447ea54d12f75ad82

data/CHANGELOG.md CHANGED

@@ -1,3 +1,12 @@
+# 1.18.1
+* Fix incorrect report_uri= method usage in content security policy
+# 1.18.0
+* Use Rails DSL to configure content security policy, allowing apps to modify
+  the policy and use nonce features.
 # 1.17.0
 * Tweak our CSP to work with 'dev.gov.uk'

data/govuk_app_config.gemspec CHANGED

@@ -28,6 +28,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "unicorn", "~> 5.4.0"
   spec.add_development_dependency "bundler", "~> 1.15"
+  spec.add_development_dependency "rails", "~> 5"
   spec.add_development_dependency "rake", "~> 10.0"
   spec.add_development_dependency "rspec", "~> 3.6.0"
   spec.add_development_dependency "rspec-its", "~> 1.2.0"

data/lib/govuk_app_config.rb CHANGED

@@ -1,5 +1,4 @@
 require "govuk_app_config/version"
-require "govuk_app_config/govuk_content_security_policy"
 require "govuk_app_config/govuk_statsd"
 require "govuk_app_config/govuk_error"
 require "govuk_app_config/govuk_logging"
@@ -9,4 +8,8 @@ require "govuk_app_config/govuk_healthcheck"
 require "govuk_app_config/govuk_unicorn"
 require "govuk_app_config/govuk_xray"
 require "govuk_app_config/configure"
-require "govuk_app_config/railtie" if defined?(Rails)
+if defined?(Rails)
+  require "govuk_app_config/railtie"
+  require "govuk_app_config/govuk_content_security_policy"
+end

data/lib/govuk_app_config/govuk_content_security_policy.rb CHANGED

@@ -1,9 +1,6 @@
 module GovukContentSecurityPolicy
   # Generate a Content Security Policy (CSP) directive.
   #
-  #
-  # Extracted in a separate module to allow comments.
-  #
   # See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for more CSP info.
   #
   # The resulting policy should be checked with:
@@ -12,131 +9,75 @@ module GovukContentSecurityPolicy
   # - https://cspvalidator.org
   GOVUK_DOMAINS = [
-    "'self'",
     '*.publishing.service.gov.uk',
     "*.#{ENV['GOVUK_APP_DOMAIN_EXTERNAL'] || ENV['GOVUK_APP_DOMAIN'] || 'dev.gov.uk'}"
-  ].uniq.join(" ").freeze
-  GOOGLE_ANALYTICS_DOMAINS = "www.google-analytics.com ssl.google-analytics.com stats.g.doubleclick.net".freeze
+  ].uniq.freeze
-  def self.build
-    policies = []
+  GOOGLE_ANALYTICS_DOMAINS = %w(www.google-analytics.com
+                                ssl.google-analytics.com
+                                stats.g.doubleclick.net).freeze
-    # By default, only allow HTTPS connections, and allow loading things from
-    # the publishing domain
-    #
+  def self.build_policy(policy)
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
-    policies << [
-      "default-src https",
-      GOVUK_DOMAINS
-    ]
+    policy.default_src :https, :self, *GOVUK_DOMAINS
-    # Allow images from the current domain, Google Analytics (the tracking pixel),
-    # and publishing domains.
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
-    policies << [
-      "img-src",
-      # Allow `data:` images for Base64-encoded images in CSS like:
-      #
-      # https://github.com/alphagov/service-manual-frontend/blob/1db99ed48de0dfc794b9686a98e6c62f8435ae80/app/assets/stylesheets/modules/_search.scss#L106
-      "data:",
-      GOVUK_DOMAINS,
-      GOOGLE_ANALYTICS_DOMAINS,
+    policy.img_src :self,
+                   :data, # Base64 encoded images
+                   *GOVUK_DOMAINS,
+                   *GOOGLE_ANALYTICS_DOMAINS, # Tracking pixels
+                   # Some content still links to an old domain we used to use
+                   "assets.digital.cabinet-office.gov.uk"
-      # Some content still links to an old domain we used to use
-      "assets.digital.cabinet-office.gov.uk",
-    ]
-    # script-src determines the scripts that the browser can load
-    #
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
-    policies << [
-      # Allow scripts from publishing domains
-      "script-src",
-      GOVUK_DOMAINS,
-      GOOGLE_ANALYTICS_DOMAINS,
-      # Allow JSONP call to Verify to check whether the user is logged in
-      # https://www.staging.publishing.service.gov.uk/log-in-file-self-assessment-tax-return/sign-in/prove-identity
-      # https://github.com/alphagov/government-frontend/blob/71aca4df9b74366618a5a93acdb5cd2715f94f49/app/assets/javascripts/modules/track-radio-group.js
-      "www.signin.service.gov.uk",
-      # Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
-      "*.ytimg.com",
-      "www.youtube.com",
-      # Allow all inline scripts until we can conclusively document all the inline scripts we use,
-      # and there's a better way to filter out junk reports
-      "'unsafe-inline'"
-    ]
+    policy.script_src :self,
+                      *GOVUK_DOMAINS,
+                      *GOOGLE_ANALYTICS_DOMAINS,
+                      # Allow JSONP call to Verify to check whether the user is logged in
+                      "www.signin.service.gov.uk",
+                      # Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
+                      "*.ytimg.com",
+                      "www.youtube.com",
+                      # Allow all inline scripts until we can conclusively
+                      # document all the inline scripts we use,
+                      # and there's a better way to filter out junk reports
+                      :unsafe_inline
-    # Allow styles from own domain and publishing domains.
-    #
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
-    policies << [
-      "style-src",
-      GOVUK_DOMAINS,
-      # Also allow "unsafe-inline" styles, because we use the `style=""` attribute on some HTML elements
-      "'unsafe-inline'"
-    ]
+    policy.style_src :self,
+                     *GOVUK_DOMAINS,
+                     # We use the `style=""` attribute on some HTML elements
+                     :unsafe_inline
-    # Allow fonts to be loaded from data-uri's (this is the old way of doing things)
-    # or from the publishing asset domains.
-    #
-    # https://www.staging.publishing.service.gov.uk/apply-for-a-licence/test-licence/westminster/apply-1
-    #
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
-    policies << [
-      "font-src data:",
-      GOVUK_DOMAINS
-    ]
+    policy.font_src :self,
+                    *GOVUK_DOMAINS,
+                    :data # Used by some legacy fonts
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
-    policies << [
-      # Scripts can only load data using Ajax from Google Analytics and the publishing domains
-      "connect-src",
-      GOVUK_DOMAINS,
-      GOOGLE_ANALYTICS_DOMAINS,
-      # Allow connecting to web chat from HMRC contact pages like
-      # https://www.staging.publishing.service.gov.uk/government/organisations/hm-revenue-customs/contact/child-benefit
-      "www.tax.service.gov.uk",
-      # Allow connecting to Verify to check whether the user is logged in
-      # https://github.com/alphagov/government-frontend/blob/71aca4df9b74366618a5a93acdb5cd2715f94f49/app/assets/javascripts/modules/track-radio-group.js
-      # https://www.staging.publishing.service.gov.uk/log-in-file-self-assessment-tax-return/sign-in/prove-identity
-      "www.signin.service.gov.uk",
-    ]
+    policy.connect_src :self,
+                       *GOVUK_DOMAINS,
+                       *GOOGLE_ANALYTICS_DOMAINS,
+                       # Allow connecting to web chat from HMRC contact pages
+                       "www.tax.service.gov.uk",
+                       # Allow connecting to Verify to check whether the user is logged in
+                       "www.signin.service.gov.uk"
     # Disallow all <object>, <embed>, and <applet> elements
     #
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
-    policies << [
-      "object-src 'none'"
-    ]
-    policies << [
-      "frame-src",
+    policy.object_src :none
-      # Allow YouTube embeds
-      "www.youtube.com",
-    ]
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
+    policy.frame_src :self, *GOVUK_DOMAINS, "www.youtube.com" # Allow youtube embeds
-    policies.map { |str| str.join(" ") }.join("; ") + ";"
+    # AWS Lambda function that filters out junk reports.
+    policy.report_uri "https://jhpno0hk6b.execute-api.eu-west-2.amazonaws.com/production" if Rails.env.production?
   end
   def self.configure
-    # In test and development, use CSP for real to find issues. In production we only
-    # report violations to Sentry (https://sentry.io/govuk/govuk-frontend-csp) via an
-    # AWS Lambda function that filters out junk reports.
-    if Rails.env.production?
-      reporting = "report-uri https://jhpno0hk6b.execute-api.eu-west-2.amazonaws.com/production"
-      Rails.application.config.action_dispatch.default_headers['Content-Security-Policy-Report-Only'] = self.build + " " + reporting
-    else
-      Rails.application.config.action_dispatch.default_headers['Content-Security-Policy'] = self.build
-    end
+    Rails.application.config.content_security_policy_report_only = true if Rails.env.production?
+    Rails.application.config.content_security_policy(&method(:build_policy))
   end
 end

data/lib/govuk_app_config/version.rb CHANGED

@@ -1,3 +1,3 @@
 module GovukAppConfig
-  VERSION = "1.17.0"
+  VERSION = "1.18.1"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: govuk_app_config
 version: !ruby/object:Gem::Version
-  version: 1.17.0
+  version: 1.18.1
 platform: ruby
 authors:
 - GOV.UK Dev
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-05-29 00:00:00.000000000 Z
+date: 2019-06-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-xray-sdk
@@ -94,6 +94,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.15'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement