@alexmuller
Last active August 29, 2015 14:13
A firebreak project to enable Content-Security-Policy on GOV.UK

Content-Security-Policy on GOV.UK

January 2015.

An application for reporting CSP violations

https://github.com/alphagov/event-store/

Inline JavaScript

We have a lot of inline JavaScript on GOV.UK. Some of it can't be removed for performance reasons, but there's a lot that's in the HTML that doesn't need to be.

So we need a way of whitelisting <script> blocks with hash digests.

We want to use the Content-Security-Policy-Report-Only header, but this will generate reports for every inline <script> element, because the latest browsers (Chrome 39 and Firefox 34) don't support script-src with a sha256 hash digest; they only support CSP level 1.

If we want to enable CSP, I think right now we need to use the 'unsafe-inline' option, which will enable all inline JavaScript to be executed.

```ruby
# root_controller.rb in alphagov/frontend
def set_content_security_policy
  asset_hosts = "http://static.dev.gov.uk http://assets-origin.dev.gov.uk"
  default_src = "default-src 'none'"
  # 'unsafe-inline' stays until browsers accept sha256 hash sources for script-src
  script_src = "script-src #{asset_hosts} http://www.google-analytics.com 'unsafe-inline'"
  style_src = "style-src #{asset_hosts} 'unsafe-inline'"
  img_src = "img-src #{asset_hosts}"
  # violation reports are posted to the event-store application
  report_uri = "report-uri http://www.dev.gov.uk:8080/e"
  csp_header = "#{default_src}; #{script_src}; #{style_src}; #{img_src}; #{report_uri}"
  # Report-Only: violations are reported, nothing is blocked yet
  headers['Content-Security-Policy-Report-Only'] = csp_header
end

before_filter :set_content_security_policy, :only => [:index]
```
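The hash-based whitelisting described above, as an added example that is not from this gist or from alphagov/frontend: it pulls the inline <script> bodies out of a page, turns each into a CSP level 2 `'sha256-...'` source expression, and builds the report-only header with those hashes in place of `'unsafe-inline'`. The sample HTML and the helper names are constructed for the example; the hash must cover the exact bytes between the tags, whitespace included, so any per-page value interpolated into a script changes its hash.

```ruby
require 'digest'

# Constructed sample page: one external script (ignored) and two inline ones.
SAMPLE_HTML = <<~HTML
  <html><head>
  <script src="http://static.dev.gov.uk/application.js"></script>
  <script>abc</script>
  <script type="text/javascript">
    window.GOVUK = window.GOVUK || {};
  </script>
  </head></html>
HTML

# Bodies of every inline <script> block (elements without a src attribute).
# No trimming: the browser hashes exactly what sits between the tags.
def inline_script_bodies(html)
  html.scan(%r{<script\b([^>]*)>(.*?)</script>}mi)
      .reject { |attrs, _| attrs =~ /\bsrc\s*=/i }
      .map { |_, body| body }
end

# CSP level 2 hash source: 'sha256-' + base64(sha256(script body)).
def csp_hash_source(body)
  "'sha256-#{Digest::SHA256.base64digest(body)}'"
end

# Same directives as the gist's controller method, but script-src carries
# hash sources instead of 'unsafe-inline' (style-src is left as it was).
def build_csp_header(html, asset_hosts:, report_uri:)
  hashes = inline_script_bodies(html).map { |b| csp_hash_source(b) }.uniq
  [
    "default-src 'none'",
    "script-src #{asset_hosts} http://www.google-analytics.com #{hashes.join(' ')}",
    "style-src #{asset_hosts} 'unsafe-inline'",
    "img-src #{asset_hosts}",
    "report-uri #{report_uri}"
  ].join('; ')
end

if __FILE__ == $PROGRAM_NAME
  puts build_csp_header(SAMPLE_HTML,
                        asset_hosts: 'http://static.dev.gov.uk',
                        report_uri: 'http://www.dev.gov.uk:8080/e')
end
```

Browsers that only implement CSP level 1 ignore the hash sources, so with this header they would still report every inline script; that is the gap the note above describes.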