govuk_app_config 4.11.1 → 4.12.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -0
- data/{LICENSE.md → LICENCE} +0 -0
- data/README.md +1 -1
- data/lib/govuk_app_config/govuk_content_security_policy.rb +32 -32
- data/lib/govuk_app_config/version.rb +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 7906015f743285fadae37a3b4c0754fcb3ef5d6c6d59ff5b8f67d0f0b43ce970
|
4
|
+
data.tar.gz: da302c7be0424e4b4b476669468e8cbb1b6a3f5b38a017ddac4999ec14e0b622
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: fac4b8128b250e74a9e71f165e6ca5eb431bd3f364a2efea18ceb696ce55d9e772fe73a04020811d6cbdd68341bd711fe07bc99e3f37d4ad371ea57b5446360d
|
7
|
+
data.tar.gz: adef9932375e8c63f002a99ef759e1a301fdfbd1f4ad21a7b089fcda8b33acf83dcb4b6c658e5ccf9872171fac6cf58c2e0a0bbfd2a31dd2fbf7323669ea746b
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,12 @@
|
|
1
|
+
# 4.12.0
|
2
|
+
|
3
|
+
* Allow `https://img.youtube.com` as a CSP image source
|
4
|
+
* CSP only allows scripts, styles and fonts from self which reflects GOV.UK production behaviour
|
5
|
+
* Set the default CSP behaviour to be allow communication only to self
|
6
|
+
* Remove webchat scripts from the CSP, these are now handled in [government-frontend](https://github.com/alphagov/government-frontend/pull/2643)
|
7
|
+
* Remove `www.signin.service.gov.uk` from the CSP as it is no-longer used in GOV.UK
|
8
|
+
* Disallow data fonts in the global Content Security policy
|
9
|
+
|
1
10
|
# 4.11.1
|
2
11
|
|
3
12
|
- Remove govuk_i18n plural rules file
|
data/{LICENSE.md → LICENCE}
RENAMED
File without changes
|
data/README.md
CHANGED
@@ -1,12 +1,12 @@
|
|
1
1
|
module GovukContentSecurityPolicy
|
2
2
|
# Generate a Content Security Policy (CSP) directive.
|
3
3
|
#
|
4
|
-
#
|
4
|
+
# Before making any changes please read our documentation: https://docs.publishing.service.gov.uk/manual/content-security-policy.html
|
5
5
|
#
|
6
|
-
#
|
6
|
+
# If you are making a change here you should consider 2 basic rules of thumb:
|
7
7
|
#
|
8
|
-
#
|
9
|
-
#
|
8
|
+
# 1. Are you creating a XSS risk? Adding unsafe-* declarations, allowing data: URLs or being overly permissive (e.g. https) risks these
|
9
|
+
# 2. Is this change needed globally, if it's just one or two apps the change should be applied in them directly.
|
10
10
|
|
11
11
|
GOVUK_DOMAINS = [
|
12
12
|
"*.publishing.service.gov.uk",
|
@@ -26,64 +26,56 @@ module GovukContentSecurityPolicy
|
|
26
26
|
|
27
27
|
def self.build_policy(policy)
|
28
28
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
|
29
|
-
policy.default_src :
|
29
|
+
policy.default_src :self
|
30
30
|
|
31
31
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
|
32
32
|
policy.img_src :self,
|
33
|
-
|
33
|
+
# This allows Base64 encoded images, but is a security
|
34
|
+
# risk as it can embed third party resources.
|
35
|
+
# As of December 2022, we intend to remove this prior
|
36
|
+
# to making the CSP live.
|
37
|
+
:data,
|
34
38
|
*GOVUK_DOMAINS,
|
35
39
|
*GOOGLE_ANALYTICS_DOMAINS, # Tracking pixels
|
36
40
|
# Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
|
37
41
|
"lux.speedcurve.com",
|
38
42
|
# Some content still links to an old domain we used to use
|
39
|
-
"assets.digital.cabinet-office.gov.uk"
|
43
|
+
"assets.digital.cabinet-office.gov.uk",
|
44
|
+
# Allow YouTube thumbnails
|
45
|
+
"https://img.youtube.com"
|
40
46
|
|
41
47
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
|
42
48
|
policy.script_src :self,
|
43
|
-
*GOVUK_DOMAINS,
|
44
49
|
*GOOGLE_ANALYTICS_DOMAINS,
|
45
50
|
*GOOGLE_STATIC_DOMAINS,
|
46
|
-
# Allow JSONP call to Verify to check whether the user is logged in
|
47
|
-
"www.signin.service.gov.uk",
|
48
51
|
# Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
|
49
52
|
"*.ytimg.com",
|
50
53
|
"www.youtube.com",
|
51
54
|
"www.youtube-nocookie.com",
|
52
|
-
#
|
53
|
-
|
54
|
-
#
|
55
|
-
#
|
56
|
-
# and there's a better way to filter out junk reports
|
55
|
+
# This allows inline scripts and thus is a XSS risk.
|
56
|
+
# As of December 2022, we intend to work towards removing
|
57
|
+
# this from apps that don't use jQuery 1.12 (which needs
|
58
|
+
# this) once we've set up nonces.
|
57
59
|
:unsafe_inline
|
58
60
|
|
59
61
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
|
60
62
|
policy.style_src :self,
|
61
|
-
*GOVUK_DOMAINS,
|
62
63
|
*GOOGLE_STATIC_DOMAINS,
|
63
|
-
#
|
64
|
+
# This allows style="" attributes and style elements.
|
65
|
+
# As of December 2022, we intend to remove this prior
|
66
|
+
# to making the CSP live due to the security risks it has.
|
64
67
|
:unsafe_inline
|
65
68
|
|
66
69
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
|
67
|
-
|
68
|
-
|
69
|
-
:data # Used by some legacy fonts
|
70
|
+
# Note: we purposely don't include data here because it produces a security risk.
|
71
|
+
policy.font_src :self
|
70
72
|
|
71
73
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
|
72
74
|
policy.connect_src :self,
|
73
75
|
*GOVUK_DOMAINS,
|
74
76
|
*GOOGLE_ANALYTICS_DOMAINS,
|
75
77
|
# Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
|
76
|
-
"lux.speedcurve.com"
|
77
|
-
# Allow connecting to web chat from HMRC contact pages
|
78
|
-
"www.tax.service.gov.uk",
|
79
|
-
# Allow JSON call to Nuance - HMRC web chat provider
|
80
|
-
"hmrc-uk.digital.nuance.com",
|
81
|
-
# Allow JSON call to klick2contact - HMPO web chat provider
|
82
|
-
"hmpowebchat.klick2contact.com",
|
83
|
-
# Allow JSON call to Eckoh - HMPO web chat provider
|
84
|
-
"omni.eckoh.uk",
|
85
|
-
# Allow connecting to Verify to check whether the user is logged in
|
86
|
-
"www.signin.service.gov.uk"
|
78
|
+
"lux.speedcurve.com"
|
87
79
|
|
88
80
|
# Disallow all <object>, <embed>, and <applet> elements
|
89
81
|
#
|
@@ -99,6 +91,14 @@ module GovukContentSecurityPolicy
|
|
99
91
|
def self.configure
|
100
92
|
Rails.application.config.content_security_policy_report_only = ENV.include?("GOVUK_CSP_REPORT_ONLY")
|
101
93
|
|
102
|
-
Rails.application.config.content_security_policy(&method(:build_policy))
|
94
|
+
policy = Rails.application.config.content_security_policy(&method(:build_policy))
|
95
|
+
|
96
|
+
# # allow apps to customise the CSP by passing a block e.g:
|
97
|
+
# GovukContentSecuirtyPolicy.configure do |policy|
|
98
|
+
# policy.image_src(*policy.image_src, "https://i.ytimg.com")
|
99
|
+
# end
|
100
|
+
yield(policy) if block_given?
|
101
|
+
|
102
|
+
policy
|
103
103
|
end
|
104
104
|
end
|
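Review bot: The usage example added to `configure` (`# policy.image_src(*policy.image_src, "https://i.ytimg.com")`) calls a directive method that this file never uses — the directive set in build_policy is `policy.img_src` — and the module in the preceding comment line is spelled `GovukContentSecuirtyPolicy`, so an app that copies the snippet verbatim will hit a NameError or NoMethodError rather than a widened policy. Suggest `# GovukContentSecurityPolicy.configure do |policy|` and `#   policy.img_src(*policy.img_src, "https://i.ytimg.com")`, and dropping the doubled `# #` on the first line of the comment block. Whether a no-argument `policy.img_src` call returns the current source list (as the example relies on) rather than only clearing the directive depends on Rails' ContentSecurityPolicy implementation, which is not visible here, so the pattern is worth confirming before it is documented as the supported customisation hook.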
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: govuk_app_config
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.
|
4
|
+
version: 4.12.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- GOV.UK Dev
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2023-01-03 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: logstasher
|
@@ -289,7 +289,7 @@ files:
|
|
289
289
|
- ".ruby-version"
|
290
290
|
- CHANGELOG.md
|
291
291
|
- Gemfile
|
292
|
-
-
|
292
|
+
- LICENCE
|
293
293
|
- README.md
|
294
294
|
- Rakefile
|
295
295
|
- bin/console
|
@@ -336,7 +336,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
336
336
|
- !ruby/object:Gem::Version
|
337
337
|
version: '0'
|
338
338
|
requirements: []
|
339
|
-
rubygems_version: 3.
|
339
|
+
rubygems_version: 3.4.2
|
340
340
|
signing_key:
|
341
341
|
specification_version: 4
|
342
342
|
summary: Base configuration for GOV.UK applications
|