Skip to content

Commit

Permalink
Merge pull request #279 from alphagov/aspirational-csp
Browse files Browse the repository at this point in the history
Configure Content Security Policy to remove risky allowed properties
  • Loading branch information
kevindew authored Jan 26, 2023
2 parents 13083f8 + 414e539 commit 5478c06
Show file tree
Hide file tree
Showing 3 changed files with 36 additions and 15 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,8 @@
# 5.0.0

* Forbid base elements in the Content Security Policy
* BREAKING: Content Security Policy forbids unsafe-inline script-src and data: image-src. It provides a nonce generator. Apps that can't support this will need to amend their CSP configuration in an initializer, see [example](https://github.com/alphagov/signon/commit/ddcf31f5c30b8fd334e4aea74986b24bf2b0e9be) in signon. Any apps that still use jQuery 1.x will need unsafe-inline for Firefox compatibility.

# 4.13.0

* Flush log writes to stdout immediately so that structured (JSON) logs are not lost on crash or delayed indefinitely.
Expand Down
44 changes: 30 additions & 14 deletions lib/govuk_app_config/govuk_content_security_policy.rb
Original file line number Diff line number Diff line change
Expand Up @@ -28,13 +28,12 @@ def self.build_policy(policy)
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
policy.default_src :self

# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri
policy.base_uri :none

# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
# Note: we purposely don't include `data:` here because it produces a security risk.
policy.img_src :self,
# This allows Base64 encoded images, but is a security
# risk as it can embed third party resources.
# As of December 2022, we intend to remove this prior
# to making the CSP live.
:data,
*GOVUK_DOMAINS,
*GOOGLE_ANALYTICS_DOMAINS, # Tracking pixels
# Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
Expand All @@ -45,25 +44,28 @@ def self.build_policy(policy)
"https://img.youtube.com"

# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
# Note: we purposely don't include `data:`, `unsafe-inline` or `unsafe-eval` because
# they are security risks, if you need them for a legacy app please only apply them at
# an app level.
policy.script_src :self,
*GOOGLE_ANALYTICS_DOMAINS,
*GOOGLE_STATIC_DOMAINS,
# Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
"*.ytimg.com",
"www.youtube.com",
"www.youtube-nocookie.com",
# This allows inline scripts and thus is a XSS risk.
# As of December 2022, we intend to work towards removing
# this from apps that don't use jQuery 1.12 (which needs
# this) once we've set up nonces.
:unsafe_inline
"www.youtube-nocookie.com"

# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
# Note: we purposely don't include `data:` or `unsafe-eval` because
# they are security risks, if you need them for a legacy app please only apply them at
# an app level.
policy.style_src :self,
*GOOGLE_STATIC_DOMAINS,
# This allows style="" attributes and style elements.
# As of December 2022, we intend to remove this prior
# to making the CSP live due to the security risks it has.
# This allows `style=""` attributes and `<style>` elements.
# As of January 2023 our intentions to remove this were scuppered
# by Govspeak [1] using inline styles on tables. Until that
# is resolved we'll keep unsafe_inline
# [1]: https://github.com/alphagov/govspeak/blob/5642fcc4231f215d1c58ad7feb30ca42fb8cfb91/lib/govspeak/html_sanitizer.rb#L72-L73
:unsafe_inline

# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
Expand Down Expand Up @@ -91,6 +93,20 @@ def self.build_policy(policy)
def self.configure
Rails.application.config.content_security_policy_report_only = ENV.include?("GOVUK_CSP_REPORT_ONLY")

# Sets a nonce per request that can be set on script-src and style-src
# directives depending on the value of Rails.application.config.content_security_policy_nonce_directives
#
# Note: if an application needs to set unsafe-inline they will need to
# unset this generator (by setting this config option to nil in their application)
Rails.application.config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }

# This only applies the nonce generator to the script-src directive. We need this to
# use unsafe-inline for style-src as a nonce will override it.
#
# When we want to apply it to style-src we can remove this line as the Rails default
# is for both script-src and style-src
Rails.application.config.content_security_policy_nonce_directives = %w[script-src]

policy = Rails.application.config.content_security_policy(&method(:build_policy))

# # allow apps to customise the CSP by passing a block e.g:
Expand Down
2 changes: 1 addition & 1 deletion lib/govuk_app_config/version.rb
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
module GovukAppConfig
VERSION = "4.13.0".freeze
VERSION = "5.0.0".freeze
end

0 comments on commit 5478c06

Please sign in to comment.