publishing_platform_app_config 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 11e94f7bba1b501b8bff7c62ad70627dfa8b963ddba0a57ce9c308713556c065
-  data.tar.gz: 0f4081a9a9aafdf33f303bc6b514805aaaf113b1717769d100437f6ba3d220fc
+  metadata.gz: ea7eb6a338b040aba9272faf3130d42aed758692158ef9a010bf038e5b887ef4
+  data.tar.gz: 599d4301e0865e826df615ec3f715a326f95bd1bfc5588f6fe2d33cd363b606b
 SHA512:
-  metadata.gz: a87d39eeceeb4cc6dc18553d09d602d7e53665ceb5bdbc91c2ec25682316f174635a195e986ff92f4ea5d60d4aebadb665a4b9f747ec85e2e0fcc62fd2d355d1
-  data.tar.gz: 41a93c4372595ec6a7d6404dc2cd0503567a1ba592024c78e7ce4baef0a0af72ae8f747184aa9f00ea1f3f585ab4a171185f4c3004a02e3d4fc7d3f2b65c8c43
+  metadata.gz: db2c14514990234c81df6dd6728d3281402401125c51f2328218b98cb50c06c049dac67a968f25f6f0ee52cebae21d2158d7f9d26fb99d3da6a0452077d422e7
+  data.tar.gz: d1fe89fb6a497fff2a5abdb181edb40633dc1467c11e85a610e3a4957b311281118068f948fb17355a1c8a3ee891c15e4ad3a45729302dae810ac01b63f90bcd

data/lib/publishing_platform_app_config/publishing_platform_content_security_policy.rb

@@ -0,0 +1,109 @@
+module PublishingPlatformContentSecurityPolicy
+  # Generate a Content Security Policy (CSP) directive.
+  #
+  # If you are making a change here you should consider 2 basic rules of thumb:
+  #
+  # 1. Are you creating a XSS risk? Adding unsafe-* declarations, allowing data: URLs or being overly permissive (e.g. https) risks these
+  # 2. Is this change needed globally, if it's just one or two apps the change should be applied in them directly.
+
+  PUBLISHING_PLATFORM_DOMAINS = [
+    "*.publishing-platform.co.uk",
+    "*.dev.publishing-platform.co.uk",
+  ].uniq.freeze
+
+  GOOGLE_ANALYTICS_DOMAINS = %w[www.google-analytics.com
+                                ssl.google-analytics.com
+                                stats.g.doubleclick.net
+                                www.googletagmanager.com
+                                www.region1.google-analytics.com
+                                region1.google-analytics.com].freeze
+
+  GOOGLE_STATIC_DOMAINS = %w[www.gstatic.com].freeze
+
+  def self.build_policy(policy)
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
+    policy.default_src :self
+
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri
+    policy.base_uri :none
+
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
+    # Note: we purposely don't include `data:` here because it produces a security risk.
+    policy.img_src :self,
+                   *PUBLISHING_PLATFORM_DOMAINS,
+                   *GOOGLE_ANALYTICS_DOMAINS, # Tracking pixels
+                   # Allow YouTube thumbnails
+                   "https://img.youtube.com",
+                   "https://i.ytimg.com"
+
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
+    # Note: we purposely don't include `data:`, `unsafe-inline` or `unsafe-eval` because
+    # they are security risks, if you need them for a legacy app please only apply them at
+    # an app level.
+    policy.script_src :self,
+                      *GOOGLE_ANALYTICS_DOMAINS,
+                      *GOOGLE_STATIC_DOMAINS,
+                      # Allow YouTube Embeds
+                      "*.ytimg.com",
+                      "www.youtube.com",
+                      "www.youtube-nocookie.com"
+
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
+    # Note: we purposely don't include `data:`, `unsafe-inline` or `unsafe-eval` because
+    # they are security risks, if you need them for a legacy app please only apply them at
+    # an app level.
+    policy.style_src :self, *GOOGLE_STATIC_DOMAINS
+
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
+    # Note: we purposely don't include data here because it produces a security risk.
+    policy.font_src :self
+
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
+    policy.connect_src :self,
+                       *PUBLISHING_PLATFORM_DOMAINS,
+                       *GOOGLE_ANALYTICS_DOMAINS
+
+    # Disallow all <object>, <embed>, and <applet> elements
+    #
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
+    policy.object_src :none
+
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
+    policy.frame_src :self, *PUBLISHING_PLATFORM_DOMAINS, "www.youtube.com", "www.youtube-nocookie.com" # Allow youtube embeds
+
+    # Disallow non-publishing-platform.co.uk domains from embeding a page using <frame>, <iframe>, <object>, or <embed> to prevent clickjacking
+    #
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+    policy.frame_ancestors :self, *PUBLISHING_PLATFORM_DOMAINS
+
+    policy.report_uri ENV["PUBLISHING_PLATFORM_CSP_REPORT_URI"] if ENV.include?("PUBLISHING_PLATFORM_CSP_REPORT_URI")
+  end
+
+  def self.configure
+    Rails.application.config.content_security_policy_report_only = ENV.include?("PUBLISHING_PLATFORM_CSP_REPORT_ONLY")
+
+    # Sets a nonce per request that can be set on script-src and style-src
+    # directives depending on the value of Rails.application.config.content_security_policy_nonce_directives
+    #
+    # Note: if an application needs to set unsafe-inline they will need to
+    # unset this generator (by setting this config option to nil in their application)
+    Rails.application.config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }
+
+    # This only applies the nonce generator to the script-src directive. We need this to
+    # use unsafe-inline for style-src as a nonce will override it.
+    #
+    # When we want to apply it to style-src we can remove this line as the Rails default
+    # is for both script-src and style-src
+    Rails.application.config.content_security_policy_nonce_directives = %w[script-src]
+
+    policy = Rails.application.config.content_security_policy(&method(:build_policy))
+
+    # # allow apps to customise the CSP by passing a block e.g:
+    # PublishingPlatformContentSecurityPolicy.configure do |policy|
+    #   policy.image_src(*policy.image_src, "https://i.ytimg.com")
+    # end
+    yield(policy) if block_given?
+
+    policy
+  end
+end

data/lib/publishing_platform_app_config/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PublishingPlatformAppConfig
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/lib/publishing_platform_app_config.rb

@@ -2,5 +2,6 @@ require "publishing_platform_app_config/version"
 require "publishing_platform_app_config/publishing_platform_error"
 
 if defined?(Rails)
+  require "publishing_platform_app_config/publishing_platform_content_security_policy"
   require "publishing_platform_app_config/railtie"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: publishing_platform_app_config
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Publishing Platform
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2024-07-11 00:00:00.000000000 Z
+date: 2024-08-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sentry-rails
@@ -69,6 +69,7 @@ files:
 - bin/console
 - bin/setup
 - lib/publishing_platform_app_config.rb
+- lib/publishing_platform_app_config/publishing_platform_content_security_policy.rb
 - lib/publishing_platform_app_config/publishing_platform_error.rb
 - lib/publishing_platform_app_config/publishing_platform_error/configuration.rb
 - lib/publishing_platform_app_config/railtie.rb