From 9aec88f9e5f86a4351fecd53a59aa80bc54d977e Mon Sep 17 00:00:00 2001
From: Kevin Dew
Date: Tue, 24 Jan 2023 22:43:13 +0000
Subject: [PATCH 1/2] Move Content Security Policy config to conventional file

This resolves this app having both a csp and content_security_policy.rb file. We choose the latter one as it is a Rails default that will get automatically added on Rails upgrades.
---
 .../initializers/content_security_policy.rb | 26 +------------------
 config/initializers/csp.rb | 1 -
 2 files changed, 1 insertion(+), 26 deletions(-)
 delete mode 100644 config/initializers/csp.rb

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 54f47cf15..aa49407c8 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -1,25 +1 @@
-# Be sure to restart your server when you modify this file.
-
-# Define an application-wide content security policy.
-# See the Securing Rails Applications Guide for more information:
-# https://guides.rubyonrails.org/security.html#content-security-policy-header
-
-# Rails.application.configure do
-# config.content_security_policy do |policy|
-# policy.default_src :self, :https
-# policy.font_src :self, :https, :data
-# policy.img_src :self, :https, :data
-# policy.object_src :none
-# policy.script_src :self, :https
-# policy.style_src :self, :https
-# # Specify URI for violation reports
-# # policy.report_uri "/csp-violation-report-endpoint"
-# end
-#
-# # Generate session nonces for permitted importmap and inline scripts
-# config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-# config.content_security_policy_nonce_directives = %w(script-src)
-#
-# # Report violations without enforcing the policy.
-# # config.content_security_policy_report_only = true
-# end
+GovukContentSecurityPolicy.configure
diff --git a/config/initializers/csp.rb b/config/initializers/csp.rb
deleted file mode 100644
index aa49407c8..000000000
--- a/config/initializers/csp.rb
+++ /dev/null
@@ -1 +0,0 @@
-GovukContentSecurityPolicy.configure

From 3a2a4717fd258e13516cd1692560583746c1cba8 Mon Sep 17 00:00:00 2001
From: Kevin Dew
Date: Tue, 24 Jan 2023 22:47:22 +0000
Subject: [PATCH 2/2] Comment out GovukContentSecurityPolicy

GOV.UK hadn't intended for this app to have the GOV.UK Content Security Policy yet, with us first planning to roll out this to frontend app. It looks like this was added as part of an outsourced Rails update [1], where the dev couldn't have known about our nuanced context. As this is an app that doesn't receive a lot of developer attention I'm disabling this as I don't want breaking changes to the CSP [2] to end up in this app.

[1]: https://github.com/alphagov/support/pull/815
[2]: https://github.com/alphagov/govuk_app_config/pull/279
---
 config/initializers/content_security_policy.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index aa49407c8..3b0f0c9d0 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -1 +1,6 @@
-GovukContentSecurityPolicy.configure
+# Eventually we'll want to use the GOV.UK Content Security Policy in this app,
+# however as of January 2023 we're scoping it to only frontend apps
+#
+# For more info on the GOV.UK CSP see: https://docs.publishing.service.gov.uk/manual/content-security-policy.html
+#
+# GovukContentSecurityPolicy.configure
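Review bot: With `GovukContentSecurityPolicy.configure` commented out here, and the Rails template having been removed in the first patch of this series, this initializer now configures nothing, so unless something else sets `config.content_security_policy` the app will serve no Content-Security-Policy header at all. If the worry is breaking changes in the upstream policy rather than the policy itself, a smaller step would be to keep the call and add `Rails.application.config.content_security_policy_report_only = true`, which keeps violations visible without letting the policy block anything; I can't confirm from this diff whether the gem's configure block is compatible with that setting, and report-only is only useful if a report endpoint is configured. At minimum the comment block should carry a marker a later maintainer can search for, e.g. `# TODO: re-enable GovukContentSecurityPolicy.configure once the GOV.UK CSP rollout reaches this app`, so the disabled header does not silently become permanent.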