HOTT-4467: Add CSP policy to Duty Calculator app (#730)

Co-authored-by: Rasika.Abeyrathna <Rasika.Abeyrathna@hmcts.net>
trade-tariff · Dec 12, 2023 · ee0f6be · ee0f6be
1 parent 76892df
commit ee0f6be
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 25 deletions.
diff --git a/app/views/layouts/_google_tag_manager.html.erb b/app/views/layouts/_google_tag_manager.html.erb
@@ -1,9 +1,11 @@
 <% if usage_enabled? -%>
   <!-- Google Tag Manager -->
-  <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
+  <%= javascript_tag nonce: true do -%>
+    (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
     new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
           j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
           'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
-      })(window,document,'script','dataLayer','GTM-MNNT6SX');</script>
+      })(window,document,'script','dataLayer','GTM-MNNT6SX');
+  <% end -%>
   <!-- End Google Tag Manager -->
 <%- end %>
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
@@ -21,9 +21,9 @@
 
   <body class="govuk-template__body ">
     <%= render partial: 'layouts/google_tag_manager_no_script' %>
-    <script>
+    <%= javascript_tag nonce: true do -%>
       document.body.className = ((document.body.className) ? document.body.className + ' js-enabled' : 'js-enabled');
-    </script>
+    <% end -%>
 
     <a href="#main-content" class="govuk-skip-link" data-module="govuk-skip-link">Skip to main content</a>
 

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
@@ -4,23 +4,23 @@
 # For further information see the following documentation
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 
-# Rails.application.configure do
-#   config.content_security_policy do |policy|
-#     policy.default_src :self, :https
-#     policy.font_src    :self, :https, :data
-#     policy.img_src     :self, :https, :data
-#     policy.object_src  :none
-#     policy.script_src  :self, :https
-#     policy.style_src   :self, :https
-#     # Specify URI for violation reports
-#     # policy.report_uri "/csp-violation-report-endpoint"
-#   end
-#
-#   # Generate session nonces for permitted importmap and inline scripts
-#   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-#   config.content_security_policy_nonce_directives = %w(script-src)
-#
-#   # Report CSP violations to a specified URI. See:
-#   # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
-#   # config.content_security_policy_report_only = true
-# end
+Rails.application.configure do
+  config.content_security_policy do |policy|
+    policy.default_src :self
+    policy.font_src    :self, :data
+    policy.img_src     :self, :data
+    policy.object_src  :none
+    policy.script_src  :self
+    # policy.style_src   :self
+    # Specify URI for violation reports
+    policy.report_uri ENV['SENTRY_CSP_ENDPOINT'] if ENV['SENTRY_CSP_ENDPOINT'].present?
+  end
+
+  # Generate session nonces for permitted importmap and inline scripts
+  config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+  # config.content_security_policy_nonce_directives = %w(script-src)
+
+  # Report CSP violations to a specified URI. See:
+  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
+  # config.content_security_policy_report_only = true
+end
diff --git a/config/routes.rb b/config/routes.rb
@@ -1,5 +1,5 @@
 Rails.application.routes.draw do
-  root to: proc { [404, {}, ['Not found.']] }
+  root to: proc { [404, {'Content-Type' => 'text/html'}, ['Not found.']] }
 
   get 'healthcheckz', to: 'healthcheck#checkz'