RubyGems - govuk_app_config - Versions diffs - 4.11.1 → 4.12.0 - Mend

govuk_app_config 4.11.1 → 4.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +9 -0
data/{LICENSE.md → LICENCE} +0 -0
data/README.md +1 -1
data/lib/govuk_app_config/govuk_content_security_policy.rb +32 -32
data/lib/govuk_app_config/version.rb +1 -1
metadata +4 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3860b6855cbcf400a78ac81032a4db049ee483a6c60614eab68e19f9340331e2
-  data.tar.gz: 8151cbc7c4be367f57c8dbaafdc5755beb09e410f474d8a9830f1f3fc3e89382
+  metadata.gz: 7906015f743285fadae37a3b4c0754fcb3ef5d6c6d59ff5b8f67d0f0b43ce970
+  data.tar.gz: da302c7be0424e4b4b476669468e8cbb1b6a3f5b38a017ddac4999ec14e0b622
 SHA512:
-  metadata.gz: c2af9398cbf1d148e39f4d48b315bb7c10443f05737713c50f933ad4e3c3f69e4e45c5d19f79cfeb1a55f102e2477702cd77edd04a7d3ba654053d8b0caf7149
-  data.tar.gz: 553747a1e310ab22a5ccf2cc8da122dafc8fd46402262edefdf2bd2e897f510fdc976198f505f57b8657c256621d40b3d49931ec0f0822abc877eda94fcda41a
+  metadata.gz: fac4b8128b250e74a9e71f165e6ca5eb431bd3f364a2efea18ceb696ce55d9e772fe73a04020811d6cbdd68341bd711fe07bc99e3f37d4ad371ea57b5446360d
+  data.tar.gz: adef9932375e8c63f002a99ef759e1a301fdfbd1f4ad21a7b089fcda8b33acf83dcb4b6c658e5ccf9872171fac6cf58c2e0a0bbfd2a31dd2fbf7323669ea746b

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,12 @@
+# 4.12.0
+* Allow `https://img.youtube.com` as a CSP image source
+* CSP only allows scripts, styles and fonts from self which reflects GOV.UK production behaviour
+* Set the default CSP behaviour to be allow communication only to self
+* Remove webchat scripts from the CSP, these are now handled in [government-frontend](https://github.com/alphagov/government-frontend/pull/2643)
+* Remove `www.signin.service.gov.uk` from the CSP as it is no-longer used in GOV.UK
+* Disallow data fonts in the global Content Security policy
 # 4.11.1
 - Remove govuk_i18n plural rules file

data/{LICENSE.md → LICENCE} RENAMED Viewed

File without changes

data/README.md CHANGED Viewed

@@ -178,4 +178,4 @@ GovukPrometheusExporter.configure
 ## License
-[MIT License](LICENSE.md)
+[MIT License](LICENCE)

data/lib/govuk_app_config/govuk_content_security_policy.rb CHANGED Viewed

@@ -1,12 +1,12 @@
 module GovukContentSecurityPolicy
   # Generate a Content Security Policy (CSP) directive.
   #
-  # See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for more CSP info.
+  # Before making any changes please read our documentation: https://docs.publishing.service.gov.uk/manual/content-security-policy.html
   #
-  # The resulting policy should be checked with:
+  # If you are making a change here you should consider 2 basic rules of thumb:
   #
-  # - https://csp-evaluator.withgoogle.com
-  # - https://cspvalidator.org
+  # 1. Are you creating a XSS risk? Adding unsafe-* declarations, allowing data: URLs or being overly permissive (e.g. https) risks these
+  # 2. Is this change needed globally, if it's just one or two apps the change should be applied in them directly.
   GOVUK_DOMAINS = [
     "*.publishing.service.gov.uk",
@@ -26,64 +26,56 @@ module GovukContentSecurityPolicy
   def self.build_policy(policy)
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
-    policy.default_src :https, :self, *GOVUK_DOMAINS
+    policy.default_src :self
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
     policy.img_src :self,
-                   :data, # Base64 encoded images
+                   # This allows Base64 encoded images, but is a security
+                   # risk as it can embed third party resources.
+                   # As of December 2022, we intend to remove this prior
+                   # to making the CSP live.
+                   :data,
                    *GOVUK_DOMAINS,
                    *GOOGLE_ANALYTICS_DOMAINS, # Tracking pixels
                    # Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
                    "lux.speedcurve.com",
                    # Some content still links to an old domain we used to use
-                   "assets.digital.cabinet-office.gov.uk"
+                   "assets.digital.cabinet-office.gov.uk",
+                   # Allow YouTube thumbnails
+                   "https://img.youtube.com"
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
     policy.script_src :self,
-                      *GOVUK_DOMAINS,
                       *GOOGLE_ANALYTICS_DOMAINS,
                       *GOOGLE_STATIC_DOMAINS,
-                      # Allow JSONP call to Verify to check whether the user is logged in
-                      "www.signin.service.gov.uk",
                       # Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
                       "*.ytimg.com",
                       "www.youtube.com",
                       "www.youtube-nocookie.com",
-                      # Allow JSONP call to Nuance - HMRC web chat provider
-                      "hmrc-uk.digital.nuance.com",
-                      # Allow all inline scripts until we can conclusively
-                      # document all the inline scripts we use,
-                      # and there's a better way to filter out junk reports
+                      # This allows inline scripts and thus is a XSS risk.
+                      # As of December 2022, we intend to work towards removing
+                      # this from apps that don't use jQuery 1.12 (which needs
+                      # this) once we've set up nonces.
                       :unsafe_inline
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
     policy.style_src :self,
-                     *GOVUK_DOMAINS,
                      *GOOGLE_STATIC_DOMAINS,
-                     # We use the `style=""` attribute on some HTML elements
+                     # This allows style="" attributes and style elements.
+                     # As of December 2022, we intend to remove this prior
+                     # to making the CSP live due to the security risks it has.
                      :unsafe_inline
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
-    policy.font_src :self,
-                    *GOVUK_DOMAINS,
-                    :data # Used by some legacy fonts
+    # Note: we purposely don't include data here because it produces a security risk.
+    policy.font_src :self
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
     policy.connect_src :self,
                        *GOVUK_DOMAINS,
                        *GOOGLE_ANALYTICS_DOMAINS,
                        # Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
-                       "lux.speedcurve.com",
-                       # Allow connecting to web chat from HMRC contact pages
-                       "www.tax.service.gov.uk",
-                       # Allow JSON call to Nuance - HMRC web chat provider
-                       "hmrc-uk.digital.nuance.com",
-                       # Allow JSON call to klick2contact - HMPO web chat provider
-                       "hmpowebchat.klick2contact.com",
-                       # Allow JSON call to Eckoh - HMPO web chat provider
-                       "omni.eckoh.uk",
-                       # Allow connecting to Verify to check whether the user is logged in
-                       "www.signin.service.gov.uk"
+                       "lux.speedcurve.com"
     # Disallow all <object>, <embed>, and <applet> elements
     #
@@ -99,6 +91,14 @@ module GovukContentSecurityPolicy
   def self.configure
     Rails.application.config.content_security_policy_report_only = ENV.include?("GOVUK_CSP_REPORT_ONLY")
-    Rails.application.config.content_security_policy(&method(:build_policy))
+    policy = Rails.application.config.content_security_policy(&method(:build_policy))
+    # # allow apps to customise the CSP by passing a block e.g:
+    # GovukContentSecuirtyPolicy.configure do |policy|
+    #   policy.image_src(*policy.image_src, "https://i.ytimg.com")
+    # end
+    yield(policy) if block_given?
+    policy
   end
 end

data/lib/govuk_app_config/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module GovukAppConfig
-  VERSION = "4.11.1".freeze
+  VERSION = "4.12.0".freeze
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: govuk_app_config
 version: !ruby/object:Gem::Version
-  version: 4.11.1
+  version: 4.12.0
 platform: ruby
 authors:
 - GOV.UK Dev
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-12-12 00:00:00.000000000 Z
+date: 2023-01-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logstasher
@@ -289,7 +289,7 @@ files:
 - ".ruby-version"
 - CHANGELOG.md
 - Gemfile
-- LICENSE.md
+- LICENCE
 - README.md
 - Rakefile
 - bin/console
@@ -336,7 +336,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.26
+rubygems_version: 3.4.2
 signing_key:
 specification_version: 4
 summary: Base configuration for GOV.UK applications