RubyGems - govuk_app_config - Versions diffs - 4.11.1 → 4.12.0 - Mend

govuk_app_config 4.11.1 → 4.12.0

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +9 -0
data/{LICENSE.md → LICENCE} +0 -0
data/README.md +1 -1
data/lib/govuk_app_config/govuk_content_security_policy.rb +32 -32
data/lib/govuk_app_config/version.rb +1 -1
metadata +4 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3860b6855cbcf400a78ac81032a4db049ee483a6c60614eab68e19f9340331e2
-  data.tar.gz: 8151cbc7c4be367f57c8dbaafdc5755beb09e410f474d8a9830f1f3fc3e89382
+  metadata.gz: 7906015f743285fadae37a3b4c0754fcb3ef5d6c6d59ff5b8f67d0f0b43ce970
+  data.tar.gz: da302c7be0424e4b4b476669468e8cbb1b6a3f5b38a017ddac4999ec14e0b622
 SHA512:
-  metadata.gz: c2af9398cbf1d148e39f4d48b315bb7c10443f05737713c50f933ad4e3c3f69e4e45c5d19f79cfeb1a55f102e2477702cd77edd04a7d3ba654053d8b0caf7149
-  data.tar.gz: 553747a1e310ab22a5ccf2cc8da122dafc8fd46402262edefdf2bd2e897f510fdc976198f505f57b8657c256621d40b3d49931ec0f0822abc877eda94fcda41a
+  metadata.gz: fac4b8128b250e74a9e71f165e6ca5eb431bd3f364a2efea18ceb696ce55d9e772fe73a04020811d6cbdd68341bd711fe07bc99e3f37d4ad371ea57b5446360d
+  data.tar.gz: adef9932375e8c63f002a99ef759e1a301fdfbd1f4ad21a7b089fcda8b33acf83dcb4b6c658e5ccf9872171fac6cf58c2e0a0bbfd2a31dd2fbf7323669ea746b

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,12 @@
+# 4.12.0
+* Allow `https://img.youtube.com` as a CSP image source
+* CSP only allows scripts, styles and fonts from self which reflects GOV.UK production behaviour
+* Set the default CSP behaviour to be allow communication only to self
+* Remove webchat scripts from the CSP, these are now handled in [government-frontend](https://github.com/alphagov/government-frontend/pull/2643)
+* Remove `www.signin.service.gov.uk` from the CSP as it is no-longer used in GOV.UK
+* Disallow data fonts in the global Content Security policy
 # 4.11.1
 - Remove govuk_i18n plural rules file

data/{LICENSE.md → LICENCE} RENAMED Viewed

File without changes

data/README.md CHANGED Viewed

@@ -178,4 +178,4 @@ GovukPrometheusExporter.configure
 ## License
-[MIT License](LICENSE.md)
+[MIT License](LICENCE)

data/lib/govuk_app_config/govuk_content_security_policy.rb CHANGED Viewed

@@ -1,12 +1,12 @@
 module GovukContentSecurityPolicy
   # Generate a Content Security Policy (CSP) directive.
   #
-  # See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for more CSP info.
+  # Before making any changes please read our documentation: https://docs.publishing.service.gov.uk/manual/content-security-policy.html
   #
-  # The resulting policy should be checked with:
+  # If you are making a change here you should consider 2 basic rules of thumb:
   #
-  # - https://csp-evaluator.withgoogle.com
-  # - https://cspvalidator.org
+  # 1. Are you creating a XSS risk? Adding unsafe-* declarations, allowing data: URLs or being overly permissive (e.g. https) risks these
+  # 2. Is this change needed globally, if it's just one or two apps the change should be applied in them directly.
   GOVUK_DOMAINS = [
     "*.publishing.service.gov.uk",
@@ -26,64 +26,56 @@ module GovukContentSecurityPolicy
   def self.build_policy(policy)
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
-    policy.default_src :https, :self, *GOVUK_DOMAINS
+    policy.default_src :self
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
     policy.img_src :self,
-                   :data, # Base64 encoded images
+                   # This allows Base64 encoded images, but is a security
+                   # risk as it can embed third party resources.
+                   # As of December 2022, we intend to remove this prior
+                   # to making the CSP live.
+                   :data,
                    *GOVUK_DOMAINS,
                    *GOOGLE_ANALYTICS_DOMAINS, # Tracking pixels
                    # Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
                    "lux.speedcurve.com",
                    # Some content still links to an old domain we used to use
-                   "assets.digital.cabinet-office.gov.uk"
+                   "assets.digital.cabinet-office.gov.uk",
+                   # Allow YouTube thumbnails
+                   "https://img.youtube.com"
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
     policy.script_src :self,
-                      *GOVUK_DOMAINS,
                       *GOOGLE_ANALYTICS_DOMAINS,
                       *GOOGLE_STATIC_DOMAINS,
-                      # Allow JSONP call to Verify to check whether the user is logged in
-                      "www.signin.service.gov.uk",
                       # Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
                       "*.ytimg.com",
                       "www.youtube.com",
                       "www.youtube-nocookie.com",
-                      # Allow JSONP call to Nuance - HMRC web chat provider
-                      "hmrc-uk.digital.nuance.com",
-                      # Allow all inline scripts until we can conclusively
-                      # document all the inline scripts we use,
-                      # and there's a better way to filter out junk reports
+                      # This allows inline scripts and thus is a XSS risk.
+                      # As of December 2022, we intend to work towards removing
+                      # this from apps that don't use jQuery 1.12 (which needs
+                      # this) once we've set up nonces.
                       :unsafe_inline
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
     policy.style_src :self,
-                     *GOVUK_DOMAINS,
                      *GOOGLE_STATIC_DOMAINS,
-                     # We use the `style=""` attribute on some HTML elements
+                     # This allows style="" attributes and style elements.
+                     # As of December 2022, we intend to remove this prior
+                     # to making the CSP live due to the security risks it has.
                      :unsafe_inline
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
-    policy.font_src :self,
-                    *GOVUK_DOMAINS,
-                    :data # Used by some legacy fonts
+    # Note: we purposely don't include data here because it produces a security risk.
+    policy.font_src :self
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
     policy.connect_src :self,
                        *GOVUK_DOMAINS,
                        *GOOGLE_ANALYTICS_DOMAINS,
                        # Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
-                       "lux.speedcurve.com",
-                       # Allow connecting to web chat from HMRC contact pages
-                       "www.tax.service.gov.uk",
-                       # Allow JSON call to Nuance - HMRC web chat provider
-                       "hmrc-uk.digital.nuance.com",
-                       # Allow JSON call to klick2contact - HMPO web chat provider
-                       "hmpowebchat.klick2contact.com",
-                       # Allow JSON call to Eckoh - HMPO web chat provider
-                       "omni.eckoh.uk",
-                       # Allow connecting to Verify to check whether the user is logged in
-                       "www.signin.service.gov.uk"
+                       "lux.speedcurve.com"
     # Disallow all <object>, <embed>, and <applet> elements
     #
@@ -99,6 +91,14 @@ module GovukContentSecurityPolicy
   def self.configure
     Rails.application.config.content_security_policy_report_only = ENV.include?("GOVUK_CSP_REPORT_ONLY")
-    Rails.application.config.content_security_policy(&method(:build_policy))
+    policy = Rails.application.config.content_security_policy(&method(:build_policy))
+    # # allow apps to customise the CSP by passing a block e.g:
+    # GovukContentSecuirtyPolicy.configure do |policy|
+    #   policy.image_src(*policy.image_src, "https://i.ytimg.com")
+    # end
+    yield(policy) if block_given?
+    policy
   end
 end

data/lib/govuk_app_config/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module GovukAppConfig
-  VERSION = "4.11.1".freeze
+  VERSION = "4.12.0".freeze
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: govuk_app_config
 version: !ruby/object:Gem::Version
-  version: 4.11.1
+  version: 4.12.0
 platform: ruby
 authors:
 - GOV.UK Dev
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-12-12 00:00:00.000000000 Z
+date: 2023-01-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logstasher
@@ -289,7 +289,7 @@ files:
 - ".ruby-version"
 - CHANGELOG.md
 - Gemfile
-- LICENSE.md
+- LICENCE
 - README.md
 - Rakefile
 - bin/console
@@ -336,7 +336,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.26
+rubygems_version: 3.4.2
 signing_key:
 specification_version: 4
 summary: Base configuration for GOV.UK applications