From 32d86aebce4d1f5300a3fd0fa9bc62f1a8e014b8 Mon Sep 17 00:00:00 2001 From: Kevin Dew Date: Thu, 12 Jan 2023 20:44:13 +0000 Subject: [PATCH] Disallow a base element via the content-security-policy A base element can be used to change the destination of relative paths, this can be used as part of XSS to include a script file on a host an attacker controls. To prevent this we disable all uses of the base element as it is not used on all GOV.UK views, bar one exception. The exception is for CSV previews which are rendered by Whitehall [1] on a different hostname (assets). As this is only for one app the convention would be to modify the CSP in app. It is also unclear at this point in time when or whether we will enable the CSP on Whitehall frontend. [1]: https://github.com/alphagov/whitehall/pull/5764 --- CHANGELOG.md | 1 + lib/govuk_app_config/govuk_content_security_policy.rb | 3 +++ 2 files changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c8ca7796..8d5f8293 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ # Unreleased +* Forbid base elements in the Content Security Policy * BREAKING: Content Security Policy forbids unsafe-inline (script and style) and data: images. It provides a nonce generator. Apps that can't support this will need to amend their CSP configuration in an initializer. # 4.13.0 diff --git a/lib/govuk_app_config/govuk_content_security_policy.rb b/lib/govuk_app_config/govuk_content_security_policy.rb index e8d46b35..11808151 100644 --- a/lib/govuk_app_config/govuk_content_security_policy.rb +++ b/lib/govuk_app_config/govuk_content_security_policy.rb 
@@ -28,6 +28,9 @@ def self.build_policy(policy) # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src policy.default_src :self + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri + policy.base_uri :none + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src # Note: we purposely don't include data here because it produces a security risk. policy.img_src :self,
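Review bot: the new CHANGELOG line "Forbid base elements in the Content Security Policy" does not tell an app owner what to do if their views rely on a base element, whereas the adjacent BREAKING entry for unsafe-inline does ("Apps that can't support this will need to amend their CSP configuration in an initializer"). The commit message already names one such app (Whitehall's CSV preview); add the same opt-out guidance to this entry, for example "Apps that need a base element must override `base_uri` in their CSP initializer", and consider prefixing it with BREAKING for the same reason the unsafe-inline entry carries that tag.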
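Review bot: `policy.base_uri :none` is added without an inline rationale, while the neighbouring `img_src` directive carries a "Note:" explaining why data: is excluded. Add a one-line comment under the MDN link saying why `base-uri` must be set explicitly (it is one of the directives that does not fall back to `default_src`, so omitting it leaves base elements unrestricted) and that the one known legitimate user, Whitehall's CSV preview on the assets hostname, is expected to override it in-app; otherwise the next reader may drop the directive as redundant with `default_src :self`.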
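The commit message describes the attack this directive closes: an injected `<base href>` changes where every relative URL on the page resolves, so a legitimate `<script src="/assets/app.js">` is fetched from a host the attacker controls. The following Ruby is an added example, not code from govuk_app_config or from this patch. It models the browser's URL resolution with the standard library's `URI.join`, and then checks a CSP header string for whether it would permit a given base element. The page URL, the attacker host and the CSP strings are constructed for illustration; the CSP matcher is deliberately simplified (no wildcards, scheme-sources or path matching) and only handles `'none'`, `'self'` and full host-sources.

```ruby
require "uri"

# Resolve a script src the way a browser would: relative URLs resolve against
# the document's base URL, which is the page URL unless a <base href> is present.
# Example inputs below are constructed, not taken from any GOV.UK app.
def resolve_script_src(page_url, base_href, script_src)
  effective_base = base_href ? URI.join(page_url, base_href) : URI(page_url)
  URI.join(effective_base.to_s, script_src).to_s
end

# Parse "directive source source; directive source" into { "directive" => [sources] }.
def parse_csp(header)
  header.split(";").map(&:strip).reject(&:empty?).each_with_object({}) do |directive, acc|
    name, *sources = directive.split(/\s+/)
    acc[name.downcase] = sources
  end
end

# Would this CSP allow a <base href="base_href"> on page_url?
# base-uri has no default-src fallback: a policy that omits it applies no
# restriction at all, which is why the patch sets it explicitly.
# Simplified matcher: supports 'none', 'self' and full origin host-sources only.
def base_uri_allowed?(csp_header, page_url, base_href)
  sources = parse_csp(csp_header)["base-uri"]
  return true if sources.nil?          # no directive: browser applies no restriction
  return false if sources == ["'none'"]

  origin = URI(page_url)
  target = URI.join(page_url, base_href)
  sources.any? do |src|
    if src == "'self'"
      target.scheme == origin.scheme && target.host == origin.host && target.port == origin.port
    else
      allowed = (URI(src) rescue nil)
      allowed && allowed.scheme == target.scheme && allowed.host == target.host
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  page = "https://www.gov.uk/some-page"   # constructed
  evil = "https://attacker.example/"      # constructed
  puts resolve_script_src(page, nil, "/assets/app.js")
  puts resolve_script_src(page, evil, "/assets/app.js")
  puts base_uri_allowed?("default-src 'self'", page, evil)
  puts base_uri_allowed?("default-src 'self'; base-uri 'none'", page, evil)
end
```

The second `puts` shows the script being pulled from the attacker's host even though the markup only names a same-origin path, and the third shows that `default-src 'self'` alone does nothing to stop it; only the explicit `base-uri` directive does.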