Add YouTube image host to image_src policy
This is to support the upcoming YouTube card component [1] that makes
use of YouTube thumbnails.

Unlike most of the host directives in this file this one specifies the
scheme to be https. My understanding is that it was an earlier mistake
of ours not to specify schemes, since we expect any of these resources
to be https. At a later point we can migrate the others.

[1]: alphagov/govuk_publishing_components#3156
kevindew committed Dec 30, 2022
1 parent 8d670d2 commit bdd2d09
Showing 2 changed files with 4 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -1,5 +1,6 @@
# Unreleased

* Allow `https://img.youtube.com` as a CSP image source
* CSP only allows scripts, styles and fonts from self which reflects GOV.UK production behaviour
* Set the default CSP behaviour to be allow communication only to self
* Remove webchat scripts from the CSP, these are now handled in [government-frontend](https://github.com/alphagov/government-frontend/pull/2643)
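Review bot: the new CHANGELOG entry says "CSP image source" but does not name the directive or flag that this is the first scheme-qualified host in the policy, so consumers reading only the changelog will not know why one entry looks different from the rest. Suggest `* Allow \`https://img.youtube.com\` as a CSP \`img-src\` source (scheme-qualified; other hosts to follow)`.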
4 changes: 3 additions & 1 deletion lib/govuk_app_config/govuk_content_security_policy.rb
@@ -40,7 +40,9 @@ def self.build_policy(policy)
# Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
"lux.speedcurve.com",
# Some content still links to an old domain we used to use
"assets.digital.cabinet-office.gov.uk"
"assets.digital.cabinet-office.gov.uk",
# Allow YouTube thumbnails
"https://img.youtube.com"

# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
policy.script_src :self,
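Review bot: `"https://img.youtube.com"` is now the only scheme-qualified source in this list while `"lux.speedcurve.com"` and `"assets.digital.cabinet-office.gov.uk"` remain bare hosts, and the `# Allow YouTube thumbnails` comment does not explain the inconsistency; someone reading the policy file will not see the commit message. Suggest extending the comment, e.g. `# Allow YouTube thumbnails (scheme is intentional; remaining hosts to be migrated to https)`. For the record, a bare host-source in CSP matches the scheme of the protected document (and under CSP3 an `http:` expression also matches `https:`), so on an HTTPS page the existing bare hosts are already effectively HTTPS-only; the explicit scheme still removes ambiguity and tightens behaviour for any page served over plain HTTP, so the change is sound. The comma moved onto `"assets.digital.cabinet-office.gov.uk",` is correct and the new final element correctly has none.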

0 comments on commit bdd2d09
