Forbid unsafe-inline for style attributes in CSP

This continues the work from #279 to remove risky properties from our Content Security Policy (CSP) by removing unsafe-inline from style properties. We have been to resolve the need for this property by updating Govspeak [1] [1]: alphagov/govspeak#268
alphagov · Apr 27, 2023 · 8e81376 · 8e81376
1 parent c2daa9b
commit 8e81376
Showing 1 changed file with 2 additions and 9 deletions.
diff --git a/lib/govuk_app_config/govuk_content_security_policy.rb b/lib/govuk_app_config/govuk_content_security_policy.rb
@@ -56,17 +56,10 @@ def self.build_policy(policy)
                       "www.youtube-nocookie.com"
 
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
-    # Note: we purposely don't include `data:` or `unsafe-eval` because
+    # Note: we purposely don't include `data:`, `unsafe-inline` or `unsafe-eval` because
     # they are security risks, if you need them for a legacy app please only apply them at
     # an app level.
-    policy.style_src :self,
-                     *GOOGLE_STATIC_DOMAINS,
-                     # This allows `style=""` attributes and `<style>` elements.
-                     # As of January 2023 our intentions to remove this were scuppered
-                     # by Govspeak [1] using inline styles on tables. Until that
-                     # is resolved we'll keep unsafe_inline
-                     # [1]: https://github.com/alphagov/govspeak/blob/5642fcc4231f215d1c58ad7feb30ca42fb8cfb91/lib/govspeak/html_sanitizer.rb#L72-L73
-                     :unsafe_inline
+    policy.style_src :self, *GOOGLE_STATIC_DOMAINS
 
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
     # Note: we purposely don't include data here because it produces a security risk.