Disallow a base element via the content-security-policy
A base element can be used to change the destination of relative paths;
this can be used as part of XSS to include a script file on a host an
attacker controls.

To prevent this we disable all uses of the base element as it is not
used on all GOV.UK views, bar one exception.

The exception is for CSV previews which are rendered by Whitehall [1] on
a different hostname (assets). As this is only for one app the
convention would be to modify the CSP in app. It is also unclear at this
point in time when or whether we will enable the CSP on Whitehall
frontend.

[1]: alphagov/whitehall#5764
kevindew committed Jan 26, 2023
1 parent 7596544 commit c138810
Showing 2 changed files with 4 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -1,5 +1,6 @@
# Unreleased

* Forbid base elements in the Content Security Policy
* BREAKING: Content Security Policy forbids unsafe-inline script-src and data: image-src. It provides a nonce generator. Apps that can't support this will need to amend their CSP configuration in an initializer, see [example](https://github.com/alphagov/signon/commit/ddcf31f5c30b8fd334e4aea74986b24bf2b0e9be) in signon. Any apps that still use jQuery 1.x will need unsafe-inline for Firefox compatibility.

# 4.13.0
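Review bot: the new changelog line "Forbid base elements in the Content Security Policy" does not tell consumers what to do if their app does rely on a base element, whereas the commit message explains that the Whitehall CSV preview is exactly such a case and that the convention is to amend the CSP in the app's initializer. The neighbouring BREAKING entry already models this ("Apps that can't support this will need to amend their CSP configuration in an initializer"); suggest extending the new line the same way, naming the `base-uri` directive so readers can find the setting they need to override.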
3 changes: 3 additions & 0 deletions lib/govuk_app_config/govuk_content_security_policy.rb
Expand Up @@ -28,6 +28,9 @@ def self.build_policy(policy)
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
policy.default_src :self

# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri
policy.base_uri :none

# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
# Note: we purposely don't include `data:` here because it produces a security risk.
policy.img_src :self,
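Review bot: `policy.base_uri :none` is the correct directive for the stated goal, but the comment above it only links to MDN and does not say why the line is needed when `default_src :self` is already set. `base-uri` is one of the directives that does not fall back to `default-src`, so without this explicit line a base element pointing at any origin is still allowed; a one-line comment stating that would stop a future reader from "tidying" it away as redundant. Suggest something like `# base-uri does not inherit from default-src, so it must be set explicitly` alongside the existing link.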
