Merge pull request #1205 from ministryofjustice/csp

Set Content Security Policy

Gemfile

@@ -15,7 +15,7 @@ gem 'fb-jwt-auth', '0.10.0'
 #     github: 'ministryofjustice/fb-metadata-presenter',
 #     branch: 'add-submission-complete-page'
 # gem 'metadata_presenter', path: '../fb-metadata-presenter'
-gem 'metadata_presenter', '3.0.5'
+gem 'metadata_presenter', '3.0.8'
 
 gem 'prometheus-client', '~> 2.1.0'
 gem 'puma', '~> 6.1'

Gemfile.lock

@@ -145,14 +145,45 @@ GEM
     ffi (1.15.5)
     globalid (1.1.0)
       activesupport (>= 5.0)
+    govspeak (7.1.1)
+      actionview (>= 6)
+      addressable (>= 2.3.8, < 3)
+      govuk_publishing_components (>= 35.1)
+      htmlentities (~> 4)
+      i18n (>= 0.7)
+      kramdown (>= 2.3.1)
+      nokogiri (~> 1.12)
+      rinku (~> 2.0)
+      sanitize (~> 6)
+    govuk_app_config (8.0.2)
+      logstasher (~> 2.1)
+      plek (>= 4, < 6)
+      prometheus_exporter (~> 2.0)
+      puma (>= 5.6, < 7.0)
+      rack-proxy (~> 0.7)
+      sentry-rails (~> 5.3)
+      sentry-ruby (~> 5.3)
+      statsd-ruby (~> 1.5)
     govuk_design_system_formbuilder (4.0.0)
       actionview (>= 6.1)
       activemodel (>= 6.1)
       activesupport (>= 6.1)
       html-attributes-utils (~> 1)
+    govuk_personalisation (0.13.0)
+      plek (>= 1.9.0)
+      rails (>= 6, < 8)
+    govuk_publishing_components (35.8.0)
+      govuk_app_config
+      govuk_personalisation (>= 0.7.0)
+      kramdown
+      plek
+      rails (>= 6)
+      rouge
+      sprockets (>= 3)
     hashdiff (1.0.1)
     html-attributes-utils (1.0.0)
       activesupport (>= 6.1.4.4)
+    htmlentities (4.3.4)
     i18n (1.14.1)
       concurrent-ruby (~> 1.0)
     jmespath (1.6.2)
@@ -165,6 +196,9 @@ GEM
     listen (3.8.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
+    logstasher (2.1.5)
+      activesupport (>= 5.2)
+      request_store
     loofah (2.21.3)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
@@ -175,10 +209,11 @@ GEM
       net-smtp
     marcel (1.0.2)
     matrix (0.4.2)
-    metadata_presenter (3.0.5)
+    metadata_presenter (3.0.8)
+      govspeak (~> 7.1)
       govuk_design_system_formbuilder (>= 2.1.5)
       json-schema (= 2.8.1)
-      kramdown (>= 2.3.0)
+      kramdown (>= 2.4.0)
       rails (>= 7.0.0)
       sassc-rails (= 2.1.2)
       sprockets
@@ -205,7 +240,10 @@ GEM
     parallel (1.23.0)
     parser (3.2.2.1)
       ast (~> 2.4.1)
+    plek (5.0.0)
     prometheus-client (2.1.0)
+    prometheus_exporter (2.0.8)
+      webrick
     public_suffix (5.0.1)
     puma (6.2.2)
       nio4r (~> 2.0)
@@ -252,7 +290,11 @@ GEM
     rb-inotify (0.10.1)
       ffi (~> 1.0)
     regexp_parser (2.8.1)
+    request_store (1.5.1)
+      rack (>= 1.4)
     rexml (3.2.5)
+    rinku (2.0.6)
+    rouge (4.1.2)
     rspec-core (3.12.2)
       rspec-support (~> 3.12.0)
     rspec-expectations (3.12.3)
@@ -298,6 +340,9 @@ GEM
       rubocop (~> 1.31)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
+    sanitize (6.0.1)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.12.0)
     sass-rails (6.0.0)
       sassc-rails (~> 2.1, >= 2.1.1)
     sassc (2.4.0)
@@ -340,6 +385,7 @@ GEM
       actionpack (>= 5.2)
       activesupport (>= 5.2)
       sprockets (>= 3.0.0)
+    statsd-ruby (1.5.0)
     terminal-table (3.0.2)
       unicode-display_width (>= 1.1.1, < 3)
     thor (1.2.2)
@@ -363,6 +409,7 @@ GEM
       rack-proxy (>= 0.6.1)
       railties (>= 5.2)
       semantic_range (>= 2.3.0)
+    webrick (1.8.1)
     websocket-driver (0.7.5)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
@@ -385,7 +432,7 @@ DEPENDENCIES
   fb-jwt-auth (= 0.10.0)
   jwt
   listen (~> 3.8)
-  metadata_presenter (= 3.0.5)
+  metadata_presenter (= 3.0.8)
   prometheus-client (~> 2.1.0)
   puma (~> 6.1)
   rails (= 7.0.5)

app/javascript/src/runner/analytics.js

@@ -1,32 +1,41 @@
-function accept (cookieName) {
+function accept(cookieName) {
   setAnalyticsCookie(cookieName, 'accepted')
   hideCookieMessage()
   window.location.replace(window.location.pathname+'?analytics=accepted')
 }
 
-function reject (cookieName) {
+function reject(cookieName) {
   setAnalyticsCookie(cookieName, 'rejected')
   removeAnalyticsCookies()
   hideCookieMessage()
   window.location.replace(window.location.pathname+'?analytics=rejected')
 }
 
-function setAnalyticsCookie (cookieName, cookieValue) {
+function setAnalyticsCookie(cookieName, cookieValue) {
   document.cookie = `${cookieName}=${cookieValue}; expires=${new Date(
     new Date().getTime() + 1000 * 60 * 60 * 24 * 365
   ).toUTCString()}; path=/`
 }
 
-function hideCookieMessage () {
-  document.getElementById('govuk-cookie-banner-message').style.display = 'none'
+function hideCookieMessage() {
+  const message = document.querySelector('[data-cookie-banner-element="message"]')
+  if(!message) return;
+
+  message.setAttribute('hidden', '')
 }
 
 function showMessage (messageType) {
-  document.getElementById(`govuk-cookie-banner-message-${messageType}`).style.display = 'block'
+  const message = document.querySelector(`[data-cookie-banner-element="message-${messageType}"]`);
+  if(!message) return;
+
+  message.removeAttribute('hidden');
 }
 
 function hideCookieBanner () {
-  document.getElementById('govuk-cookie-banner').style.display = 'none'
+  const banner = document.querySelector('[data-module="cookie-banner"]')
+  if(!banner) return;
+
+  banner.setAttribute('hidden', '')
 }
 
 function removeAnalyticsCookies () {

app/javascript/src/runner/index.js

@@ -13,6 +13,28 @@ function environment() {
   return location.pathname.search(/^\/services\/.*?\/preview\/$/) >= 0 ? ENVIRONMENT_PREVIEW : ENVIRONMENT_RUNNER;
 }
 
+function initializeCookieBanner() {
+  const banner  = document.querySelector('[data-module="cookie-banner"]');
+  if(!banner) return;
+
+  banner.addEventListener('click', function(event) {
+    if(event.target.matches('[data-cookie-banner-element="accept-button"]')) {
+      window.analytics.accept(event.target.dataset.cookieName);
+      return;
+    }
+
+    if(event.target.matches('[data-cookie-banner-element="reject-button"]')) {
+      window.analytics.reject(event.target.dataset.cookieName);
+      return;
+    }
+
+    if(event.target.matches('[data-cookie-banner-element="hide-button"]')) {
+      window.analytics.hideCookieBanner();
+      return;
+    }
+  })
+}
+
 /*
  * If the user has just accepted or rejected cookies show the confirmation
  * message in the cookie banner
@@ -34,7 +56,7 @@ function showAnalyticsConfirmationMessage() {
 function preventCookieBannerInPreview() {
   var cookieBanner = document.getElementById("govuk-cookie-banner");
   if(cookieBanner && environment() ==  ENVIRONMENT_PREVIEW) {
-    cookieBanner.style.display = "none";
+    cookieBanner.setAttibute('hidden');
   }
 }
 
@@ -66,5 +88,6 @@ contentLoaded(window, () => {
   preventCookieBannerInPreview();
   initializeTimeoutWarning();
   supportGovUkContent();
+  initializeCookieBanner();
   showAnalyticsConfirmationMessage();
 });

config/initializers/content_security_policy.rb

@@ -4,22 +4,26 @@
 # See the Securing Rails Applications Guide for more information:
 # https://guides.rubyonrails.org/security.html#content-security-policy-header
 
-# Rails.application.configure do
-#   config.content_security_policy do |policy|
-#     policy.default_src :self, :https
-#     policy.font_src    :self, :https, :data
-#     policy.img_src     :self, :https, :data
-#     policy.object_src  :none
-#     policy.script_src  :self, :https
-#     policy.style_src   :self, :https
-#     # Specify URI for violation reports
-#     # policy.report_uri "/csp-violation-report-endpoint"
-#   end
+Rails.application.configure do
+  config.content_security_policy do |policy|
+    policy.default_src :self, :https
+    policy.font_src    :self, :https, :data
+    policy.img_src     :self, :https, :data
+    policy.object_src  :none
+    policy.script_src  :self,
+                       "https://www.googletagmanager.com/",
+                       "'sha256-/00WcN7mhsXVmNcOlHH44RbwXUP6oVtwcewj3ZTEcxY='",
+                       "'sha256-6vsluniIV9AVB77S6y438x5foeFJFuwLLypiwVzYNbw='"
+    policy.style_src   :self, :https
+
+    # Specify URI for violation reports
+      policy.report_uri "report-uri #{ENV['SENTRY_CSP_URL']}"
+  end
 #
 #   # Generate session nonces for permitted importmap and inline scripts
-#   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-#   config.content_security_policy_nonce_directives = %w(script-src)
+  # config.content_security_policy_nonce_generator = ->(request) { request.session[:session_id] }
+  # config.content_security_policy_nonce_directives = %w(script-src)
 #
 #   # Report violations without enforcing the policy.
-#   # config.content_security_policy_report_only = true
-# end
+    config.content_security_policy_report_only = true
+end