Skip to content

Commit

Permalink
Merge pull request #1300 from alphagov/use-csp-from-govuk-app-config
Browse files Browse the repository at this point in the history
Use CSP generator from govuk_app_config
  • Loading branch information
rubenarakelyan authored Apr 5, 2019
2 parents 687cdfe + f1fc52e commit ee653cb
Show file tree
Hide file tree
Showing 3 changed files with 4 additions and 141 deletions.
2 changes: 1 addition & 1 deletion Gemfile
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ gem 'uglifier', '>= 1.3.0'

gem 'gds-api-adapters', '~> 59.0'
gem 'govuk_ab_testing', '~> 2.4'
gem 'govuk_app_config', '~> 1.13'
gem 'govuk_app_config', '~> 1.14'
gem 'govuk_frontend_toolkit', '~> 8.1.0'
gem 'govuk_publishing_components', '~> 16.9.2'
gem 'plek', '~> 2.1'
Expand Down
4 changes: 2 additions & 2 deletions Gemfile.lock
Original file line number Diff line number Diff line change
Expand Up @@ -118,7 +118,7 @@ GEM
rubocop-rspec (~> 1.28)
scss_lint
govuk_ab_testing (2.4.1)
govuk_app_config (1.13.1)
govuk_app_config (1.14.0)
aws-xray-sdk (~> 0.10.0)
logstasher (~> 1.2.2)
sentry-raven (~> 2.7.1)
Expand Down Expand Up @@ -370,7 +370,7 @@ DEPENDENCIES
gds-api-adapters (~> 59.0)
govuk-lint
govuk_ab_testing (~> 2.4)
govuk_app_config (~> 1.13)
govuk_app_config (~> 1.14)
govuk_frontend_toolkit (~> 8.1.0)
govuk_publishing_components (~> 16.9.2)
govuk_schemas (~> 3.2)
Expand Down
139 changes: 1 addition & 138 deletions config/initializers/csp.rb
Original file line number Diff line number Diff line change
@@ -1,138 +1 @@
module CSP
# Generate a Content Security Policy (CSP) directive.
#
# This code should eventually be moved to https://github.com/alphagov/govuk_app_config
#
#
# Extracted in a separate module to allow comments.
#
# See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for more CSP info.
#
# The resulting policy should be checked with:
#
# - https://csp-evaluator.withgoogle.com
# - https://cspvalidator.org

GOVUK_DOMAINS = "'self' *.publishing.service.gov.uk localhost".freeze

GOOGLE_ANALYTICS_DOMAINS = "www.google-analytics.com ssl.google-analytics.com".freeze

def self.build
policies = []

# By default, only allow HTTPS connections, and allow loading things from
# the publishing domain
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
policies << [
"default-src https",
GOVUK_DOMAINS
]

# Allow images from the current domain, Google Analytics (the tracking pixel),
# and publishing domains.
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
policies << [
"img-src",

# Allow `data:` images for Base64-encoded images in CSS like:
#
# https://github.com/alphagov/service-manual-frontend/blob/1db99ed48de0dfc794b9686a98e6c62f8435ae80/app/assets/stylesheets/modules/_search.scss#L106
"data:",

GOVUK_DOMAINS,
GOOGLE_ANALYTICS_DOMAINS,

# Some content still links to an old domain we used to use
"assets.digital.cabinet-office.gov.uk",
]

# script-src determines the scripts that the browser can load
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
policies << [
# Allow scripts from publishing domains
"script-src",
GOVUK_DOMAINS,
GOOGLE_ANALYTICS_DOMAINS,

# Allow JSONP call to Verify to check whether the user is logged in
# https://www.staging.publishing.service.gov.uk/log-in-file-self-assessment-tax-return/sign-in/prove-identity
# https://github.com/alphagov/government-frontend/blob/71aca4df9b74366618a5a93acdb5cd2715f94f49/app/assets/javascripts/modules/track-radio-group.js
"www.signin.service.gov.uk",

# Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
"*.ytimg.com",
"www.youtube.com",

# Allow all inline scripts until we can conclusively document all the inline scripts we use,
# and there's a better way to filter out junk reports
"'unsafe-inline'"
]

# Allow styles from own domain and publishing domains.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
policies << [
"style-src",
GOVUK_DOMAINS,

# Also allow "unsafe-inline" styles, because we use the `style=""` attribute on some HTML elements
"'unsafe-inline'"
]

# Allow fonts to be loaded from data-uri's (this is the old way of doing things)
# or from the publishing asset domains.
#
# https://www.staging.publishing.service.gov.uk/apply-for-a-licence/test-licence/westminster/apply-1
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
policies << [
"font-src data:",
GOVUK_DOMAINS
]

# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
policies << [
# Scripts can only load data using Ajax from Google Analytics and the publishing domains
"connect-src",
GOVUK_DOMAINS,
GOOGLE_ANALYTICS_DOMAINS,

# Allow connecting to web chat from HMRC contact pages like
# https://www.staging.publishing.service.gov.uk/government/organisations/hm-revenue-customs/contact/child-benefit
"www.tax.service.gov.uk",

# Allow connecting to Verify to check whether the user is logged in
# https://github.com/alphagov/government-frontend/blob/71aca4df9b74366618a5a93acdb5cd2715f94f49/app/assets/javascripts/modules/track-radio-group.js
# https://www.staging.publishing.service.gov.uk/log-in-file-self-assessment-tax-return/sign-in/prove-identity
"www.signin.service.gov.uk",
]

# Disallow all <object>, <embed>, and <applet> elements
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
policies << [
"object-src 'none'"
]

policies << [
"frame-src",

# Allow YouTube embeds
"www.youtube.com",
]

policies.map { |str| str.join(" ") }.join("; ") + ";"
end
end

# In test and development, use CSP for real to find issues. In production we only
# report violations to Sentry (https://sentry.io/govuk/govuk-frontend-csp) via an
# AWS Lambda function that filters out junk reports.
if Rails.env.production?
reporting = "report-uri https://jhpno0hk6b.execute-api.eu-west-2.amazonaws.com/production"
Rails.application.config.action_dispatch.default_headers['Content-Security-Policy-Report-Only'] = CSP.build + " " + reporting
else
Rails.application.config.action_dispatch.default_headers['Content-Security-Policy'] = CSP.build
end
GovukContentSecurityPolicy.configure

0 comments on commit ee653cb

Please sign in to comment.