From c13881026488f52edef18f19df8ba42c7bd18c3c Mon Sep 17 00:00:00 2001 From: Kevin Dew Date: Thu, 12 Jan 2023 20:44:13 +0000 Subject: [PATCH] Disallow a base element via the content-security-policy A base element can be used to change the destination of relative paths, this can be used as part of XSS to include a script file on a host an attacker controls. To prevent this we disable all uses of the base element as it is not used on all GOV.UK views, bar one exception. The exception is for CSV previews which are rendered by Whitehall [1] on a different hostname (assets). As this is only for one app the convention would be to modify the CSP in app. It is also unclear at this point in time when or whether we will enable the CSP on Whitehall frontend. [1]: https://github.com/alphagov/whitehall/pull/5764 --- CHANGELOG.md | 1 + lib/govuk_app_config/govuk_content_security_policy.rb | 3 +++ 2 files changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a1ca6809..a21ccc27 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ # Unreleased +* Forbid base elements in the Content Security Policy * BREAKING: Content Security Policy forbids unsafe-inline script-src and data: image-src. It provides a nonce generator. Apps that can't support this will need to amend their CSP configuration in an initializer, see [example](https://github.com/alphagov/signon/commit/ddcf31f5c30b8fd334e4aea74986b24bf2b0e9be) in signon. Any apps that still use jQuery 1.x will need unsafe-inline for Firefox compatibility. # 4.13.0 diff --git a/lib/govuk_app_config/govuk_content_security_policy.rb b/lib/govuk_app_config/govuk_content_security_policy.rb index f45b8ef4..55a407a4 100644 --- a/lib/govuk_app_config/govuk_content_security_policy.rb +++ b/lib/govuk_app_config/govuk_content_security_policy.rb 
@@ -28,6 +28,9 @@ def self.build_policy(policy) # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src policy.default_src :self + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri + policy.base_uri :none + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src # Note: we purposely don't include `data:` here because it produces a security risk. policy.img_src :self,
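Review bot: the CHANGELOG entry "Forbid base elements in the Content Security Policy" should say what an affected app must do, since the commit message itself names a view (Whitehall CSV previews) that relies on a base element and will break once `base-uri 'none'` is sent. The neighbouring BREAKING entry already shows the pattern: state that apps which still need a base element must override the directive in their own CSP initializer, and consider prefixing the line with BREAKING for the same reason.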
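Review bot: `policy.base_uri :none` is the right call, and the explicit directive is needed because `base-uri` does not fall back to `default-src`, so `policy.default_src :self` alone leaves `<base>` unrestricted; it would help future readers to say so in the comment next to the MDN link. The hunk adds no test: please add a spec that builds the policy and asserts the generated header contains `base-uri 'none'`, so a later refactor of `build_policy` cannot silently drop the directive, and note in the gem's documentation how an app that genuinely needs a base element overrides it (for example with `policy.base_uri :self`).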