RubyGems - govuk_app_config - Versions diffs - 7.2.1 → 8.0.0 - Mend

govuk_app_config 7.2.1 → 8.0.0

Files changed (5) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f921d89549f7203b1e80f23a4e7b4c7c20634120eac39d551a05ba41fc986625
-  data.tar.gz: 7af7692a9eec9676df25822f2988d00fe73a863cfabf2e4294c51747f1bff743
+  metadata.gz: c1dd070d1b3a41bd0eb7345fa619c18b3c611d279e6688c8e3565c3dbdc92a2e
+  data.tar.gz: 14e16cb4227f681a38e36abceb7e693d0fec5db388d5d87ec195942be0e325d9
 SHA512:
-  metadata.gz: f0e6360036a9b2c80c96899d00129a0e270fbb15b7d070d67fa54abe45c2c02f38ed3ed95c4aa0c055b4934217030f504c049b9ac09c7a0d0c3a2dfd0c3b00ee
-  data.tar.gz: f5c29754f917bb57d50dfe8658d5d1c0c91fcfaded23ca2563595e59a40f46f59f52efb440d8599a7118b4182a2fce41c9286fa207fc13aff71b6d652ef3efc2
+  metadata.gz: 0c16cc5b73d5ffb2d1c5ec1ed0b6479f32a781b9747864454799f08302a719840bdc816317a78c76c9cbeeb8eec90c79958c3fbd9fac7a008bab828fe4a9a852
+  data.tar.gz: 11b23903b16b594015f04d00f6bfff838ce7e89d1dd25bcc15cea50f65cc2c36dbe910acf1cc0c3cc31786f2059d5560f968a1804546082c6f4c88aba1dca213

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,7 @@
+# 8.0.0
+* BREAKING: Content Security Policy forbids the use of inline style attributes.
 # 7.2.1
 * Allow prometheus binding to fail with a warning rather than a crash ([#294](https://github.com/alphagov/govuk_app_config/pull/294))

@@ -56,17 +56,10 @@ module GovukContentSecurityPolicy
                       "www.youtube-nocookie.com"
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
-    # Note: we purposely don't include `data:` or `unsafe-eval` because
+    # Note: we purposely don't include `data:`, `unsafe-inline` or `unsafe-eval` because
     # they are security risks, if you need them for a legacy app please only apply them at
     # an app level.
-    policy.style_src :self,
-                     *GOOGLE_STATIC_DOMAINS,
-                     # This allows `style=""` attributes and `<style>` elements.
-                     # As of January 2023 our intentions to remove this were scuppered
-                     # by Govspeak [1] using inline styles on tables. Until that
-                     # is resolved we'll keep unsafe_inline
-                     # [1]: https://github.com/alphagov/govspeak/blob/5642fcc4231f215d1c58ad7feb30ca42fb8cfb91/lib/govspeak/html_sanitizer.rb#L72-L73
-                     :unsafe_inline
+    policy.style_src :self, *GOOGLE_STATIC_DOMAINS
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
     # Note: we purposely don't include data here because it produces a security risk.

data/lib/govuk_app_config/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module GovukAppConfig
-  VERSION = "7.2.1".freeze
+  VERSION = "8.0.0".freeze
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: govuk_app_config
 version: !ruby/object:Gem::Version
-  version: 7.2.1
+  version: 8.0.0
 platform: ruby
 authors:
 - GOV.UK Dev
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-05-11 00:00:00.000000000 Z
+date: 2023-06-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logstasher