Skip to content

Instantly share code, notes, and snippets.

@alexmuller

alexmuller/header_method.rb

Last active August 29, 2015 14:13
Show Gist options
  • Save alexmuller/df4c250c65367a4f44fb to your computer and use it in GitHub Desktop.
Save alexmuller/df4c250c65367a4f44fb to your computer and use it in GitHub Desktop.
Download ZIP
A firebreak project to enable Content-Security-Policy on GOV.UK
Raw
readme.md

Content-Security-Policy on GOV.UK

January 2015.

An application for reporting CSP violations

https://github.com/alphagov/event-store/

Inline JavaScript

We have a lot of inline JavaScript on GOV.UK. Some of it can't be removed for performance reasons, but there's a lot that's in the HTML that doesn't need to be.

So we need a way of whitelisting <script> blocks by with hash digests.

We want to use the Content-Security-Policy-Report-Only header, but this will generate reports for every inline <script> element because the latest browsers (Chrome 39 and Firefox 34) don't support script-src with a sha256 hash digest, they only support the CSP spec to level 1.

If we want to enable CSP, I think right now we need to use the 'unsafe-inline' option which will enable all inline JavaScript to be executed.

Raw
header_method.rb
def set_content_security_policy
asset_hosts = "http://static.dev.gov.uk http://assets-origin.dev.gov.uk"
default_src = "default-src 'none'"
script_src = "script-src #{asset_hosts} http://www.google-analytics.com 'unsafe-inline'"
style_src = "style-src #{asset_hosts} 'unsafe-inline'"
img_src = "img-src #{asset_hosts}"
report_uri = "report-uri http://www.dev.gov.uk:8080/e"
csp_header = "#{default_src}; #{script_src}; #{style_src}; #{img_src}; #{report_uri}"
headers['Content-Security-Policy-Report-Only'] = csp_header
end
Raw
home_page.rb
# root_controller.rb in alphagov/frontend
before_filter :set_content_security_policy, :only => [:index]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment