govuk_app_config 7.2.1 → 8.0.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f921d89549f7203b1e80f23a4e7b4c7c20634120eac39d551a05ba41fc986625
4
- data.tar.gz: 7af7692a9eec9676df25822f2988d00fe73a863cfabf2e4294c51747f1bff743
3
+ metadata.gz: c1dd070d1b3a41bd0eb7345fa619c18b3c611d279e6688c8e3565c3dbdc92a2e
4
+ data.tar.gz: 14e16cb4227f681a38e36abceb7e693d0fec5db388d5d87ec195942be0e325d9
5
5
  SHA512:
6
- metadata.gz: f0e6360036a9b2c80c96899d00129a0e270fbb15b7d070d67fa54abe45c2c02f38ed3ed95c4aa0c055b4934217030f504c049b9ac09c7a0d0c3a2dfd0c3b00ee
7
- data.tar.gz: f5c29754f917bb57d50dfe8658d5d1c0c91fcfaded23ca2563595e59a40f46f59f52efb440d8599a7118b4182a2fce41c9286fa207fc13aff71b6d652ef3efc2
6
+ metadata.gz: 0c16cc5b73d5ffb2d1c5ec1ed0b6479f32a781b9747864454799f08302a719840bdc816317a78c76c9cbeeb8eec90c79958c3fbd9fac7a008bab828fe4a9a852
7
+ data.tar.gz: 11b23903b16b594015f04d00f6bfff838ce7e89d1dd25bcc15cea50f65cc2c36dbe910acf1cc0c3cc31786f2059d5560f968a1804546082c6f4c88aba1dca213
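--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 8.0.0
+
+* BREAKING: Content Security Policy forbids the use of inline style attributes.
+
 # 7.2.1
 
 * Allow prometheus binding to fail with a warning rather than a crash ([#294](https://github.com/alphagov/govuk_app_config/pull/294))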
@@ -56,17 +56,10 @@ module GovukContentSecurityPolicy
56
56
  "www.youtube-nocookie.com"
57
57
 
58
58
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
59
- # Note: we purposely don't include `data:` or `unsafe-eval` because
59
+ # Note: we purposely don't include `data:`, `unsafe-inline` or `unsafe-eval` because
60
60
  # they are security risks, if you need them for a legacy app please only apply them at
61
61
  # an app level.
62
- policy.style_src :self,
63
- *GOOGLE_STATIC_DOMAINS,
64
- # This allows `style=""` attributes and `<style>` elements.
65
- # As of January 2023 our intentions to remove this were scuppered
66
- # by Govspeak [1] using inline styles on tables. Until that
67
- # is resolved we'll keep unsafe_inline
68
- # [1]: https://github.com/alphagov/govspeak/blob/5642fcc4231f215d1c58ad7feb30ca42fb8cfb91/lib/govspeak/html_sanitizer.rb#L72-L73
69
- :unsafe_inline
62
+ policy.style_src :self, *GOOGLE_STATIC_DOMAINS
70
63
 
71
64
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
72
65
  # Note: we purposely don't include data here because it produces a security risk.
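Review bot: The new comment above `policy.style_src :self, *GOOGLE_STATIC_DOMAINS` tells legacy apps to re-add `unsafe-inline` themselves but offers no safer route, and once `:unsafe_inline` is gone every remaining `style=""` attribute and `<style>` element is blocked by the browser at runtime rather than caught at build time. The removed comment records that Govspeak's inline table styles were the blocker as of January 2023; nothing in the hunk shows that this was resolved, so the note should say so (or link the fix) before apps take the major bump. I would extend the comment with `# Apps that still emit inline styles should prefer a per-request nonce for <style> elements, or 'unsafe-hashes' plus the hashes of the specific style="" attributes, over re-adding unsafe-inline, and roll the change out under a report-only policy first so violations are visible.` The method that builds the policy starts and ends outside this hunk.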
@@ -1,3 +1,3 @@
1
1
  module GovukAppConfig
2
- VERSION = "7.2.1".freeze
2
+ VERSION = "8.0.0".freeze
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: govuk_app_config
3
3
  version: !ruby/object:Gem::Version
4
- version: 7.2.1
4
+ version: 8.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - GOV.UK Dev
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2023-05-11 00:00:00.000000000 Z
11
+ date: 2023-06-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: logstasher