From a9f652724c9fcf7bd406f53c1b4994e02b7363e5 Mon Sep 17 00:00:00 2001
From: Ruben Arakelyan <ruben.arakelyan@digital.cabinet-office.gov.uk>
Date: Fri, 1 Mar 2019 10:59:21 +0000
Subject: [PATCH] Add new SHA256 hash for inline JS CSP

This commit adds a new SHA256 hash for a version of the inline JavaScript detection script that has leading whitespace. It also swaps the hashes for two inline JavaScript scripts that were commented the wrong way around.
---
 config/initializers/csp.rb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/config/initializers/csp.rb b/config/initializers/csp.rb
index 3421c2d71..93b6d4629 100644
--- a/config/initializers/csp.rb
+++ b/config/initializers/csp.rb
@@ -58,11 +58,14 @@ def self.build
 
       # Allow the script that adds `js-enabled` to the body from govuk_template
       # https://github.com/alphagov/govuk_template/blob/79340eb91ad8c4279d16da302765d0946d89b1ca/source/views/layouts/govuk_template.html.erb#L40
-      "'sha256-G29/qSW/JHHANtFhlrZVDZW1HOkCDRc78ggbqwwIJ2g='",
+      "'sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU='",
+
+      # The same as above but with leading whitespace as used by the component guide
+      "'sha256-+/sukrsYfvM/tHbNll4hTsl0mtvAQUFXZWdCg49lerI='",
 
       # ALlow the script that removes `js-enabled` from body if there's an error
       # https://github.com/alphagov/govuk_template/blob/79340eb91ad8c4279d16da302765d0946d89b1ca/source/views/layouts/govuk_template.html.erb#L112-L113
-      "'sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU='",
+      "'sha256-G29/qSW/JHHANtFhlrZVDZW1HOkCDRc78ggbqwwIJ2g='",
 
       # Allow JSONP call to Verify to check whether the user is logged in
       # https://www.staging.publishing.service.gov.uk/log-in-file-self-assessment-tax-return/sign-in/prove-identity