From 4ee415fe0eb7cd0eadb4663994b342872c82d68d Mon Sep 17 00:00:00 2001
From: Ruben Arakelyan
Date: Mon, 1 Apr 2019 12:41:27 +0100
Subject: [PATCH] Allow all inline scripts in CSP

This commit changes the content security policy to allow all inline scripts, until we can conclusively document all the inline scripts we use, and there's a better way to filter out junk reports.
---
 config/initializers/csp.rb | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)

diff --git a/config/initializers/csp.rb b/config/initializers/csp.rb
index ea4c6572e..e9600ffa2 100644
--- a/config/initializers/csp.rb
+++ b/config/initializers/csp.rb
@@ -56,17 +56,6 @@ def self.build
 GOVUK_DOMAINS,
 GOOGLE_ANALYTICS_DOMAINS,
- # Allow the script that adds `js-enabled` to the body from govuk_template
- # https://github.com/alphagov/govuk_template/blob/79340eb91ad8c4279d16da302765d0946d89b1ca/source/views/layouts/govuk_template.html.erb#L40
- "'sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU='",
-
- # The same as above but with leading and trailing whitespace as used by the component guide
- "'sha256-IWjjekDxqqURWMjVH447fuaAvoZKwpDwLS0ZdcJ+Ey4='",
-
- # ALlow the script that removes `js-enabled` from body if there's an error
- # https://github.com/alphagov/govuk_template/blob/79340eb91ad8c4279d16da302765d0946d89b1ca/source/views/layouts/govuk_template.html.erb#L112-L113
- "'sha256-G29/qSW/JHHANtFhlrZVDZW1HOkCDRc78ggbqwwIJ2g='",
-
 # Allow JSONP call to Verify to check whether the user is logged in
 # https://www.staging.publishing.service.gov.uk/log-in-file-self-assessment-tax-return/sign-in/prove-identity
 # https://github.com/alphagov/government-frontend/blob/71aca4df9b74366618a5a93acdb5cd2715f94f49/app/assets/javascripts/modules/track-radio-group.js
@@ -76,8 +65,8 @@ def self.build
 "*.ytimg.com",
 "www.youtube.com",
- # In browsers that don't support the sha256 whitelisting we allow unsafe
- # inline scripts
+ # Allow all inline scripts until we can conclusively document all the inline scripts we use,
+ # and there's a better way to filter out junk reports
 "'unsafe-inline'"
 ]
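Review bot: The rewritten comment on the `+` lines should record the security consequence of this change, not only its motivation: with the sha256 sources removed in the first hunk, script-src no longer carries any hash or nonce, so CSP-capable browsers that previously ignored `'unsafe-inline'` in favour of the hashes (the role the removed comment describes) will now honour it, and the header stops blocking injected inline scripts in every browser rather than only in legacy ones. Neither the new comment nor the commit message states this, so the next reader sees `'unsafe-inline'` justified by documentation gaps and junk reports and may not realise the policy has lost its main inline-script XSS mitigation. I would replace the two added comment lines with `# TEMPORARY (see <tracking issue>): with no sha256 hashes left in script-src, every browser honours 'unsafe-inline',` / `# so this directive no longer blocks injected inline scripts; restore hashes or move to nonces once the inline scripts are catalogued`. If the aim is to discover the undocumented inline scripts without weakening the enforced policy, the hashes could stay here while the stricter variant is trialled through a `Content-Security-Policy-Report-Only` header. `self.build` begins before this hunk.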