Update content security policy #2834

Closed
MartinJJones opened this issue Jun 27, 2022 · 0 comments · Fixed by #3164
@MartinJJones

What

The content security policy (CSP) currently allows unsafe-eval for JS so that the component-guide browser can use AXE. Relevant project issues:

We can now remove the code that allows unsafe-eval for JS:
https://github.com/alphagov/govuk_publishing_components/blob/main/app/controllers/govuk_publishing_components/application_controller.rb#L13-L17

The issue was fixed in version 3.3.1 of axe-core:
dequelabs/axe-core#1707

We are currently using version 3.5.5:
https://github.com/alphagov/govuk_publishing_components/blob/main/yarn.lock#L360

andysellick added the "in progress" label Aug 4, 2022
MartinJJones added the "acknowledged" label Sep 29, 2022
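
A regression check for the change requested in this issue, as an added example that is not part of the issue or of govuk_publishing_components: it parses an enforcing Content-Security-Policy header value and reports whether `eval()` is still permitted. The function names and the sample header values are constructed for illustration.

```ruby
# Added example (not project code): does a Content-Security-Policy header
# value still let a page call eval() / new Function()?

# Constructed sample header values, before and after dropping 'unsafe-eval'.
SAMPLE_BEFORE = "default-src 'self'; script-src 'self' 'unsafe-eval'".freeze
SAMPLE_AFTER  = "default-src 'self'; script-src 'self'".freeze

# Parse one serialized policy into { directive_name => [source, ...] }.
# Directive names are case-insensitive, and a repeated directive is ignored
# after its first occurrence.
def parse_policy(policy)
  policy.split(";").each_with_object({}) do |chunk, directives|
    name, *sources = chunk.strip.split(/\s+/)
    next if name.nil?
    directives[name.downcase] ||= sources
  end
end

# eval() is governed by script-src, falling back to default-src.
# script-src-elem and script-src-attr do not apply to it. A policy with
# neither script-src nor default-src places no restriction on eval.
def policy_allows_eval?(policy)
  directives = parse_policy(policy)
  sources = directives["script-src"] || directives["default-src"]
  return true if sources.nil?
  # Exact keyword match, so 'wasm-unsafe-eval' does not count.
  sources.any? { |s| s.casecmp?("'unsafe-eval'") }
end

# A header may carry several comma-separated policies. All of them are
# enforced, so eval is permitted only when every policy permits it.
def header_allows_eval?(header_value)
  policies = header_value.split(",").map(&:strip).reject(&:empty?)
  policies.all? { |p| policy_allows_eval?(p) }
end

if __FILE__ == $PROGRAM_NAME
  { "before" => SAMPLE_BEFORE, "after" => SAMPLE_AFTER }.each do |label, value|
    puts "#{label}: eval allowed? #{header_allows_eval?(value)}"
  end
end
```

Run against the header a component guide page actually returns, this turns the removal into something a test suite can assert on.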