From a9f652724c9fcf7bd406f53c1b4994e02b7363e5 Mon Sep 17 00:00:00 2001
From: Ruben Arakelyan <ruben.arakelyan@digital.cabinet-office.gov.uk>
Date: Fri, 1 Mar 2019 10:59:21 +0000
Subject: [PATCH] Add new SHA256 hash for inline JS CSP

This commit adds a new SHA256 hash for a version of the inline JavaScript detection script that has leading whitespace. It also swaps the hashes for two inline JavaScript scripts that were commented the wrong way around.
---
 config/initializers/csp.rb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/config/initializers/csp.rb b/config/initializers/csp.rb
index 3421c2d71..93b6d4629 100644
--- a/config/initializers/csp.rb
+++ b/config/initializers/csp.rb
@@ -58,11 +58,14 @@ def self.build
 
 # Allow the script that adds `js-enabled` to the body from govuk_template
 # https://github.com/alphagov/govuk_template/blob/79340eb91ad8c4279d16da302765d0946d89b1ca/source/views/layouts/govuk_template.html.erb#L40
- "'sha256-G29/qSW/JHHANtFhlrZVDZW1HOkCDRc78ggbqwwIJ2g='",
+ "'sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU='",
+
+ # The same as above but with leading whitespace as used by the component guide
+ "'sha256-+/sukrsYfvM/tHbNll4hTsl0mtvAQUFXZWdCg49lerI='",
 
 # ALlow the script that removes `js-enabled` from body if there's an error
 # https://github.com/alphagov/govuk_template/blob/79340eb91ad8c4279d16da302765d0946d89b1ca/source/views/layouts/govuk_template.html.erb#L112-L113
- "'sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU='",
+ "'sha256-G29/qSW/JHHANtFhlrZVDZW1HOkCDRc78ggbqwwIJ2g='",
 
 # Allow JSONP call to Verify to check whether the user is logged in
 # https://www.staging.publishing.service.gov.uk/log-in-file-self-assessment-tax-return/sign-in/prove-identity
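Review bot: The added `'sha256-+/sukrsYfvM/…'` entry near the top of the hunk allow-lists a byte-exact copy of the `js-enabled` script including its leading indentation, so a later reindentation of the component guide template would silently stop that script from executing under the policy rather than failing loudly; the comment above it should record what the digest was computed over so it can be regenerated, e.g. `# Same script as above, hashed together with the leading whitespace emitted by the component guide layout; recompute if that template's indentation changes`. A spec that renders the template, takes the SHA-256 of the inline script body and asserts the base64 digest appears in this list would turn such drift into a CI failure instead of a production regression. The swap of the two existing digests further down moves text only — both values were and remain in the allow-list — so the enforced policy is changed by the added entry alone, which the commit description could state explicitly. The enclosing `def self.build` starts before this hunk.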