Disallow a base element via the content-security-policy
A base element can be used to change the destination of relative paths;
this can be used as part of XSS to include a script file on a host an
attacker controls.

To prevent this we disable all uses of the base element as it is not
used on all GOV.UK views, bar one exception.

The exception is for CSV previews which are rendered by Whitehall [1] on
a different hostname (assets). As this is only for one app the
convention would be to modify the CSP in app. It is also unclear at this
point in time when or whether we will enable the CSP on Whitehall
frontend.

[1]: alphagov/whitehall#5764
kevindew committed Jan 12, 2023
1 parent 5b9c7e3 commit 32d86ae
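To make the mechanism in the commit message concrete, here is an added illustration in plain Ruby (not govuk_app_config code, and not the Rails `policy.base_uri` DSL the diff uses): the first helper shows how a `<base href>` changes where a relative script path resolves, and the second evaluates a serialized CSP header against a proposed base URL. It models only the cases relevant here: no `base-uri` directive (unrestricted, because `base-uri` has no `default-src` fallback), `'none'`, `'self'`, and literal host sources; it assumes absolute base hrefs and the hostnames are constructed for the example.

```ruby
require "uri"

# Added example, not govuk_app_config code. Hostnames below are constructed.

# Resolve a script path the way a browser does once a <base href> is in effect.
# A page on app.example whose markup says <script src="assets/app.js"> ends up
# loading from whatever host the base element points at.
def resolve_script(base_href, script_src)
  URI.join(base_href, script_src).to_s
end

# Parse a serialized CSP header into { "directive" => [source, ...] }.
def parse_csp(header)
  header.split(";").each_with_object({}) do |part, acc|
    tokens = part.strip.split(/\s+/)
    next if tokens.empty?
    acc[tokens.first.downcase] = tokens.drop(1)
  end
end

# Origin of an absolute URL, omitting the port when it is the scheme default.
def origin_of(url)
  u = URI(url)
  port = u.port && u.port != u.default_port ? ":#{u.port}" : ""
  "#{u.scheme}://#{u.host}#{port}"
end

# Decide whether <base href="base_href"> on a page served from page_origin is
# permitted by the CSP header. Assumes base_href is absolute.
def base_allowed?(header, page_origin, base_href)
  sources = parse_csp(header)["base-uri"]
  # No base-uri directive: the browser applies no restriction at all, even
  # when default-src is set, because base-uri does not inherit from it.
  return true if sources.nil?
  return false if sources.include?("'none'")

  base_origin = origin_of(base_href)
  return true if sources.include?("'self'") && base_origin == page_origin
  sources.any? { |s| s == base_origin || s == URI(base_href).host }
end

if $PROGRAM_NAME == __FILE__
  puts resolve_script("https://untrusted.example/", "assets/app.js")
  puts base_allowed?("default-src 'self'", "https://app.example", "https://untrusted.example/")
  puts base_allowed?("default-src 'self'; base-uri 'none'", "https://app.example", "https://app.example/")
end
```

The second call is the point of the commit: `default-src 'self'` alone leaves the base element unrestricted, so the policy has to name `base-uri` explicitly, and `'none'` then rejects even a same-origin base.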
Showing 2 changed files with 4 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -1,5 +1,6 @@
# Unreleased

* Forbid base elements in the Content Security Policy
* BREAKING: Content Security Policy forbids unsafe-inline (script and style) and data: images. It provides a nonce generator. Apps that can't support this will need to amend their CSP configuration in an initializer.

# 4.13.0
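Review bot: the new Unreleased entry "Forbid base elements in the Content Security Policy" reads as a routine addition, but a `base-uri 'none'` directive is a behaviour change for any consuming app that renders a `<base>` element (the commit message names Whitehall's CSV previews as one). Consider marking it BREAKING like the entry below it, or appending how to opt out, e.g. "Apps that need a base element must override base_uri in their CSP initializer."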
3 changes: 3 additions & 0 deletions lib/govuk_app_config/govuk_content_security_policy.rb
@@ -28,6 +28,9 @@ def self.build_policy(policy)
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
policy.default_src :self

# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri
policy.base_uri :none

# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
# Note: we purposely don't include data here because it produces a security risk.
policy.img_src :self,
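Review bot: `policy.base_uri :none` needs to be explicit, and it is, because `base-uri` is one of the directives that does not fall back to `default-src`, so `policy.default_src :self` above on its own leaves `<base>` unrestricted. The comment beside it only links the MDN page; consider a one-line note explaining the reason (a base element redirects relative script paths, as the commit message says) and that Whitehall's CSV previews are the known consumer that must override this in their own initializer, matching the style of the img-src note below it.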
