From ddcf31f5c30b8fd334e4aea74986b24bf2b0e9be Mon Sep 17 00:00:00 2001
From: Kevin Dew
Date: Tue, 24 Jan 2023 09:38:47 +0000
Subject: [PATCH] Configure GovukContentSecurityPolicy for govuk_app_config changes

This configures the content security policy in preparation for the breaking changes coming from https://github.com/alphagov/govuk_app_config/pull/279. As this app uses govuk_admin_template and that uses jQuery 1.x and inline script tags, then this app needs unsafe_inline for script and the nonce generator disabled.

As an aside, it was a surprise that this application had configured the GovukContentSecurityPolicy as this had been initially done just in Frontend apps and it looks like this made it through in some outsourced Rails updates [1]. I'm leaving this config in so there is an example of an app outside of frontend using it to build on and as a case study in configuring an app.

[1]: https://github.com/alphagov/signon/commit/45a5a51abe3fb07f885c17aec2b7b271e1874e5b
---
 config/initializers/content_security_policy.rb | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index aa49407c8..bc596890b 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -1 +1,12 @@ -GovukContentSecurityPolicy.configure +GovukContentSecurityPolicy.configure do |policy| + # Ensures the ability to use inline JavaScript without protections. This is + # required for compatibility with govuk_admin_template which both uses script + # tags without nonces and uses jQuery 1.x which requires unsafe-inline in + # some browsers (Firefox is one) + script_policy_with_unsafe_inline = (policy.script_src + ["'unsafe-inline'"]).uniq + policy.script_src(*script_policy_with_unsafe_inline) +end + +# Disable any configured nonce generators so that unsafe-inline directives +# can be used +Rails.application.config.content_security_policy_nonce_generator = nil
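Review bot: the read-then-rewrite of `script_src` in this hunk leans on a Rails DSL quirk that deserves a guard. In `ActionDispatch::ContentSecurityPolicy` a directive method called with no arguments deletes that directive and returns the deleted value, so `(policy.script_src + ["'unsafe-inline'"]).uniq` only works because the deletion hands back the old source list; if govuk_app_config ever stops setting script-src, the zero-argument call returns nil and the `+` raises NoMethodError at boot. Reading it as `Array(policy.script_src)`, or via `policy.directives["script-src"]` without deleting it, keeps the initializer working either way. The comment above the block should also say why `content_security_policy_nonce_generator = nil` is required rather than optional: browsers ignore `'unsafe-inline'` whenever a nonce or hash is present in the same directive, so with a generator left on the inline scripts from govuk_admin_template would still be blocked. Finally, it is worth stating in the comment that with `'unsafe-inline'` in place script-src no longer blocks injected inline scripts, so this app is relying on output escaping rather than CSP for XSS protection until govuk_admin_template can be moved to nonced scripts.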