From 8e8137622ee2d86dd0468420e84949a30a78a6ae Mon Sep 17 00:00:00 2001
From: Kevin Dew
Date: Thu, 27 Apr 2023 13:33:08 +0100
Subject: [PATCH] Forbid unsafe-inline for style attributes in CSP
This continues the work from https://github.com/alphagov/govuk_app_config/pull/279 to remove risky properties from our Content Security Policy (CSP) by removing unsafe-inline from style properties. We have been to resolve the need for this property by updating Govspeak [1]
[1]: https://github.com/alphagov/govspeak/pull/268
---
 lib/govuk_app_config/govuk_content_security_policy.rb | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/lib/govuk_app_config/govuk_content_security_policy.rb b/lib/govuk_app_config/govuk_content_security_policy.rb
index 55a407a4..20646e98 100644
--- a/lib/govuk_app_config/govuk_content_security_policy.rb
+++ b/lib/govuk_app_config/govuk_content_security_policy.rb
@@ -56,17 +56,10 @@ def self.build_policy(policy)
 "www.youtube-nocookie.com"
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
- # Note: we purposely don't include `data:` or `unsafe-eval` because
+ # Note: we purposely don't include `data:`, `unsafe-inline` or `unsafe-eval` because
 # they are security risks, if you need them for a legacy app please only apply them at
 # an app level.
- policy.style_src :self,
- *GOOGLE_STATIC_DOMAINS,
- # This allows `style=""` attributes and `