From 75965449b5dcf6acbc64669975ef21b3ef150a28 Mon Sep 17 00:00:00 2001
From: Kevin Dew
Date: Thu, 12 Jan 2023 20:21:09 +0000
Subject: [PATCH 1/3] Apply December 2022 CSP intentions

This removes unsafe-inline from script and data images. It sets a nonce-generator which will apply to script-src. Having a nonce in a CSP will cause any unsafe-inline rules to be ignored, so if an app needs them they will have to both add the directive unsafe-inline to script-src and also disable the nonce-generator.

I initially planned for this to remove unsafe-inline from style as well, however I learnt in the latter stages of testing, that there is Govspeak that uses inline style attributes [1][2] (example page: [3]). I have ideas on how to fix this but it will take some time, so I'm deferring this until later.

[1]: https://kramdown.gettalong.org/syntax.html#tables
[2]: https://github.com/alphagov/govspeak/blob/5642fcc4231f215d1c58ad7feb30ca42fb8cfb91/lib/govspeak/html_sanitizer.rb#L72-L73
[3]: https://www.gov.uk/government/statistics/non-association-independent-schools-inspections-and-outcomes-in-england-august-2022/main-findings-non-association-independent-schools-inspections-and-outcomes-in-england-august-2022
---
 CHANGELOG.md | 4 ++
 .../govuk_content_security_policy.rb | 41 ++++++++++++-------
 2 files changed, 31 insertions(+), 14 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0cfc4b17..a1ca6809 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+# Unreleased
+
+* BREAKING: Content Security Policy forbids unsafe-inline script-src and data: image-src. It provides a nonce generator. Apps that can't support this will need to amend their CSP configuration in an initializer, see [example](https://github.com/alphagov/signon/commit/ddcf31f5c30b8fd334e4aea74986b24bf2b0e9be) in signon. Any apps that still use jQuery 1.x will need unsafe-inline for Firefox compatibility.
+
 # 4.13.0
 
 * Flush log writes to stdout immediately so that structured (JSON) logs are not lost on crash or delayed indefinitely.
diff --git a/lib/govuk_app_config/govuk_content_security_policy.rb b/lib/govuk_app_config/govuk_content_security_policy.rb
index dfe6c2c3..f45b8ef4 100644
--- a/lib/govuk_app_config/govuk_content_security_policy.rb
+++ b/lib/govuk_app_config/govuk_content_security_policy.rb
@@ -29,12 +29,8 @@ def self.build_policy(policy)
 policy.default_src :self
 
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
+ # Note: we purposely don't include `data:` here because it produces a security risk.
 policy.img_src :self,
- # This allows Base64 encoded images, but is a security
- # risk as it can embed third party resources.
- # As of December 2022, we intend to remove this prior
- # to making the CSP live.
- :data,
 *GOVUK_DOMAINS,
 *GOOGLE_ANALYTICS_DOMAINS, # Tracking pixels
 # Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
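Review bot: The new comment above `policy.img_src` says `data:` is omitted "because it produces a security risk" but no longer says what that risk is, whereas the removed lines explained it (Base64 images can embed third-party resources); suggest the comment read `# Note: we purposely don't include data: here because it lets inline Base64 images embed third-party content that is not constrained by the host allowlist.` Unlike the script-src and style-src notes in the next hunk, this one also gives no guidance that an app still depending on inline images should re-add `data:` in its own initializer rather than in this shared policy, which would make the three comments consistent. build_policy starts before this hunk and continues past it.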
@@ -45,25 +41,28 @@ def self.build_policy(policy)
 "https://img.youtube.com"
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
+ # Note: we purposely don't include `data:`, `unsafe-inline` or `unsafe-eval` because
+ # they are security risks, if you need them for a legacy app please only apply them at
+ # an app level.
 policy.script_src :self,
 *GOOGLE_ANALYTICS_DOMAINS,
 *GOOGLE_STATIC_DOMAINS,
 # Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
 "*.ytimg.com",
 "www.youtube.com",
- "www.youtube-nocookie.com",
- # This allows inline scripts and thus is a XSS risk.
- # As of December 2022, we intend to work towards removing
- # this from apps that don't use jQuery 1.12 (which needs
- # this) once we've set up nonces.
- :unsafe_inline
+ "www.youtube-nocookie.com"
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
+ # Note: we purposely don't include `data:` or `unsafe-eval` because
+ # they are security risks, if you need them for a legacy app please only apply them at
+ # an app level.
 policy.style_src :self,
 *GOOGLE_STATIC_DOMAINS,
- # This allows style="" attributes and style elements.
- # As of December 2022, we intend to remove this prior
- # to making the CSP live due to the security risks it has.
+ # This allows `style=""` attributes and `