From 9acd486cfcade463cadc394a0ea08bf5ddd63dc1 Mon Sep 17 00:00:00 2001
From: Bruce Bolt
Date: Fri, 4 Sep 2020 14:42:19 +0100
Subject: [PATCH 1/3] Add googletagmanager.com to Google Analytics domains

We are making requests to www.googletagmanager.com in govuk_publishing_components [1] but have not allowed this domain in the Content Security Policy, so requests are getting blocked.

1: https://github.com/alphagov/govuk_publishing_components/blob/21e5808e03e7c97721cefe533b315753db7c5403/app/views/govuk_publishing_components/components/_google_tag_manager_script.html.erb#L16
---
 lib/govuk_app_config/govuk_content_security_policy.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/govuk_app_config/govuk_content_security_policy.rb b/lib/govuk_app_config/govuk_content_security_policy.rb
index 6fe92135..7abe1ef0 100644
--- a/lib/govuk_app_config/govuk_content_security_policy.rb
+++ b/lib/govuk_app_config/govuk_content_security_policy.rb
@@ -17,7 +17,8 @@ module GovukContentSecurityPolicy
 GOOGLE_ANALYTICS_DOMAINS = %w[www.google-analytics.com
 ssl.google-analytics.com
- stats.g.doubleclick.net].freeze
+ stats.g.doubleclick.net
+ www.googletagmanager.com].freeze
 
 def self.build_policy(policy)
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src

From 899cdd9840af7935939037067f94805c8f6068ea Mon Sep 17 00:00:00 2001
From: Bruce Bolt
Date: Fri, 4 Sep 2020 14:45:42 +0100
Subject: [PATCH 2/3] Add gstatic.com to Content Security Policy

JavaScript and CSS from www.gstatic.com are being used in content-data-admin [1], but were being blocked by the Content Security Policy. Therefore adding this domain to the policy.

1: https://github.com/alphagov/content-data-admin/blob/2bbf6cd4bbae29ec02107f4341d526f7707be6d6/app/views/layouts/application.html.erb#L2
---
 lib/govuk_app_config/govuk_content_security_policy.rb | 4 ++++
 1 file changed, 4 insertions(+)
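Review bot: Appending www.googletagmanager.com to GOOGLE_ANALYTICS_DOMAINS is a larger trust grant than the existing analytics hosts, because this constant is splatted into script_src (visible in the next commit's hunk) and gtm.js executes whatever tags the GTM container is configured with, so anyone with container edit rights can run arbitrary JavaScript on every app that uses this gem's policy. That trade-off deserves a comment next to the new entry: `# www.googletagmanager.com serves gtm.js, which runs whatever the GTM container is configured with; treat container edit access as script_src-level access.`. The name GOOGLE_ANALYTICS_DOMAINS now also understates what the list permits; a dedicated constant, as the follow-up commit does for gstatic, would make the script_src grant visible at the call site. Scripts that GTM tags pull from other hosts remain bound by this script_src, which is the intended behaviour and should not be loosened to a wildcard in response to further blocked requests. The constant's use in other directives and the rest of build_policy lie outside this hunk.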
diff --git a/lib/govuk_app_config/govuk_content_security_policy.rb b/lib/govuk_app_config/govuk_content_security_policy.rb
index 7abe1ef0..6488f866 100644
--- a/lib/govuk_app_config/govuk_content_security_policy.rb
+++ b/lib/govuk_app_config/govuk_content_security_policy.rb
@@ -20,6 +20,8 @@ module GovukContentSecurityPolicy
 stats.g.doubleclick.net
 www.googletagmanager.com].freeze
 
+ GOOGLE_STATIC_DOMAINS = %w[www.gstatic.com].freeze
+
 def self.build_policy(policy)
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
 policy.default_src :https, :self, *GOVUK_DOMAINS
@@ -36,6 +38,7 @@ def self.build_policy(policy)
 policy.script_src :self,
 *GOVUK_DOMAINS,
 *GOOGLE_ANALYTICS_DOMAINS,
+ *GOOGLE_STATIC_DOMAINS,
 # Allow JSONP call to Verify to check whether the user is logged in
 "www.signin.service.gov.uk",
 # Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
@@ -52,6 +55,7 @@ def self.build_policy(policy)
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
 policy.style_src :self,
 *GOVUK_DOMAINS,
+ *GOOGLE_STATIC_DOMAINS,
 # We use the `style=""` attribute on some HTML elements
 :unsafe_inline

From 04e1d4d404d391c7d9a56c27a9b1f0ba55bcb5ca Mon Sep 17 00:00:00 2001
From: Bruce Bolt
Date: Fri, 4 Sep 2020 14:53:32 +0100
Subject: [PATCH 3/3] Update CHANGELOG to reflect changes to Content Security Policy

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d240f9ab..e2af88cc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+# Unreleased
+
+* Add www.googletagmanager.com and www.gstatic.com to Content Security Policy (https://github.com/alphagov/govuk_app_config/pull/153)
+
 # 2.2.1
 
 * Fix linting issues (https://github.com/alphagov/govuk_app_config/pull/149)
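Review bot: `GOOGLE_STATIC_DOMAINS = %w[www.gstatic.com].freeze` allowlists the whole host, but www.gstatic.com is a shared Google CDN that serves many unrelated script bundles, while the commit message names only the JS and CSS loaded by content-data-admin's layout. CSP source expressions accept a path, so a path-scoped entry for the specific asset directory (confirm the exact path against the linked template) would keep the script grant proportional; the caveat is that after a redirect only the host part is matched, so the narrowing helps for direct loads only. Whichever form is chosen, the constant should say why the host is trusted and who relies on it, e.g. `# www.gstatic.com: Google-hosted JS/CSS used by content-data-admin's layout; review before other apps rely on this entry.`. The new constant sits between the analytics list and build_policy, whose body runs past this hunk.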
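Review bot: `*GOOGLE_STATIC_DOMAINS,` in script_src widens the script allowlist for every application that consumes this gem's policy, although the commit message says only content-data-admin needs it; if build_policy or its callers expose an app-level extension point (not visible in this hunk), adding the host there would be the least-privilege option. If it has to stay global, give the splat the same kind of inline justification the neighbouring Verify and YouTube entries carry, e.g. `# Google-hosted static JS required by content-data-admin`, so the list stays auditable. The matching style_src addition in the last hunk is lower risk because that directive already permits :unsafe_inline, as its own comment notes. build_policy starts and ends outside these hunks, and the style_src hunk's final context line does not appear in this listing.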