Configure GovukContentSecurityPolicy for govuk_app_config changes #2075
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This resolves this app having both a csp and content_security_policy.rb file. We choose the latter one as it is a Rails default that will get automatically added on Rails upgrades.
This configures the content security policy in preparation for the breaking changes coming from alphagov/govuk_app_config#279. As this app uses govuk_admin_template and that uses jQuery 1.x and inline script tags, then this app needs unsafe_inline for script and the nonce generator disabled. As an aside, It was a surprise that this application had configured the GovukContentSecurityPolicy as this had been initially done just in Frontend apps and it looks like this made it through in some outsourced Rails updates [1]. I'm leaving this config in so there is an example of an app outside of frontend using it to build on and as a case study in configuring an app. [1]: 45a5a51
BeckaL
reviewed
Jan 25, 2023
| # required for compatibility with govuk_admin_template which both uses script | ||
| # tags without nonces and uses jQuery 1.x which requires unsafe-inline in | ||
| # some browsers (Firefox is one) | ||
| script_policy_with_unsafe_inline = (policy.script_src + ["'unsafe-inline'"]).uniq |
There was a problem hiding this comment.
I'm assuming the double quotes here is intended and not a typo, but just checking?
There was a problem hiding this comment.
Yup, thanks. They're intentional - we need unsafe-inline in quotes.
BeckaL
approved these changes
Jan 25, 2023
|
Thanks for the review @BeckaL - yup I've had to learn this stuff quite quickly, it'll be a whole safe new future! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Trello: https://trello.com/c/lxxx5XLZ/178-govuk-has-a-half-implemented-content-security-policy-csp
This configures the content security policy in preparation for the
breaking changes coming from
alphagov/govuk_app_config#279. As this app uses
govuk_admin_template and that uses jQuery 1.x and inline script tags,
then this app needs unsafe_inline for script and the nonce generator
disabled.
As an aside, It was a surprise that this application had configured the
GovukContentSecurityPolicy as this had been initially done just in
Frontend apps and it looks like this made it through in some outsourced
Rails updates 1. I'm leaving this config in so there is an example of
an app outside of frontend using it to build on and as a case study in
configuring an app.
Follow these steps if you are doing a Rails upgrade.