From 2248637ed1c1c8ea43bc81e1014a8213f0a54696 Mon Sep 17 00:00:00 2001
From: Kevin Dew
Date: Tue, 24 Jan 2023 22:57:35 +0000
Subject: [PATCH 1/2] Move Content Security Policy config to conventional file

This resolves this app having both a csp and content_security_policy.rb file. We choose the latter one as it is a Rails default that will get automatically added on Rails upgrades.

---
 .../initializers/content_security_policy.rb | 26 +------------------
 config/initializers/csp.rb | 1 -
 2 files changed, 1 insertion(+), 26 deletions(-)
 delete mode 100644 config/initializers/csp.rb

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 54f47cf1..aa49407c 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -1,25 +1 @@
-# Be sure to restart your server when you modify this file.
-
-# Define an application-wide content security policy.
-# See the Securing Rails Applications Guide for more information:
-# https://guides.rubyonrails.org/security.html#content-security-policy-header
-
-# Rails.application.configure do
-# config.content_security_policy do |policy|
-# policy.default_src :self, :https
-# policy.font_src :self, :https, :data
-# policy.img_src :self, :https, :data
-# policy.object_src :none
-# policy.script_src :self, :https
-# policy.style_src :self, :https
-# # Specify URI for violation reports
-# # policy.report_uri "/csp-violation-report-endpoint"
-# end
-#
-# # Generate session nonces for permitted importmap and inline scripts
-# config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-# config.content_security_policy_nonce_directives = %w(script-src)
-#
-# # Report violations without enforcing the policy.
-# # config.content_security_policy_report_only = true
-# end
+GovukContentSecurityPolicy.configure
diff --git a/config/initializers/csp.rb b/config/initializers/csp.rb
deleted file mode 100644
index aa49407c..00000000
--- a/config/initializers/csp.rb
+++ /dev/null
@@ -1 +0,0 @@
-GovukContentSecurityPolicy.configure

From 376792658126c2c8f7a0cb785e9fdd2b17024008 Mon Sep 17 00:00:00 2001
From: Kevin Dew
Date: Tue, 24 Jan 2023 22:58:37 +0000
Subject: [PATCH 2/2] Comment out GovukContentSecurityPolicy

GOV.UK hadn't intended for this app to have the GOV.UK Content Security Policy yet, with us first planning to roll out this to frontend app. It looks like this was added as part of an outsourced Rails update [1], where the dev couldn't have known about our nuanced context. As this is an app that doesn't receive a lot of developer attention I'm disabling this as I don't want breaking changes to the CSP [2] to end up in this app.

[1]: https://github.com/alphagov/content-data-admin/pull/812
[2]: https://github.com/alphagov/govuk_app_config/pull/279

---
 config/initializers/content_security_policy.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index aa49407c..3b0f0c9d 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -1 +1,6 @@
-GovukContentSecurityPolicy.configure
+# Eventually we'll want to use the GOV.UK Content Security Policy in this app,
+# however as of January 2023 we're scoping it to only frontend apps
+#
+# For more info on the GOV.UK CSP see: https://docs.publishing.service.gov.uk/manual/content-security-policy.html
+#
+# GovukContentSecurityPolicy.configure
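Review bot: Once `GovukContentSecurityPolicy.configure` is commented out this initializer sets no policy at all, and because the preceding patch removed the Rails template from the same file, the app will send no Content-Security-Policy header unless another initializer or middleware sets one. The new comment block should state that consequence so a later reader does not assume a fallback policy is in place, e.g. `# NOTE: while this is commented out the app sends no Content-Security-Policy header at all.` If the concern is only breaking changes arriving via govuk_app_config, a report-only policy keeps violation visibility without enforcement: keep the `configure` call and follow it with `Rails.application.config.content_security_policy_report_only = true`, which is the Rails option the old template in this file listed; whether the gem's `configure` resets that flag is not visible here and would need checking before relying on it.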