Revert "Merge pull request #32045 from eagletmt/skip-csp-header"

This reverts commit 86f7c269, reversing changes made to 5ece2e4a. If a policy is set then we should generate it even if it's empty. However what is happening is that we're accidentally generating an empty policy when the initializer is commented out by default.

Revert "Merge pull request #32045 from eagletmt/skip-csp-header"
This reverts commit 86f7c269, reversing changes made to 5ece2e4a. If a policy is set then we should generate it even if it's empty. However what is happening is that we're accidentally generating an empty policy when the initializer is commented out by default.
52a1f1c2 · Andrew White · f712ef27 · 52a1f1c2 · 52a1f1c2 · 52a1f1c2
3 changed file
--- a/actionpack/lib/action_dispatch/http/content_security_policy.rb
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -21,10 +21,7 @@ def call(env)
        return response if policy_present?(headers)

        if policy = request.content_security_policy
-          built_policy = policy.build(request.controller_instance)
-          if built_policy
-            headers[header_name(request)] = built_policy
-          end
+          headers[header_name(request)] = policy.build(request.controller_instance)
        end

        response
@@ -175,12 +172,7 @@ def upgrade_insecure_requests(enabled = true)
    end

    def build(context = nil)
-      built_directives = build_directives(context).compact
-      if built_directives.empty?
-        nil
-      else
-        built_directives.join("; ") + ";"
-      end
+      build_directives(context).compact.join("; ") + ";"
    end

    private

--- a/actionpack/test/dispatch/content_security_policy_test.rb
+++ b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -8,7 +8,7 @@ def setup
  end

  def test_build
-    assert_nil @policy.build
+    assert_equal ";", @policy.build

    @policy.script_src :self
    assert_equal "script-src 'self';", @policy.build
@@ -271,10 +271,6 @@ def report_only
      head :ok
    end

-    def empty_policy
-      head :ok
-    end
-
    private
      def condition?
        params[:condition] == "true"
@@ -288,14 +284,12 @@ def condition?
      get "/inline", to: "policy#inline"
      get "/conditional", to: "policy#conditional"
      get "/report-only", to: "policy#report_only"
-      get "/empty-policy", to: "policy#empty_policy"
    end
  end

  POLICY = ActionDispatch::ContentSecurityPolicy.new do |p|
    p.default_src :self
  end
-  EMPTY_POLICY = ActionDispatch::ContentSecurityPolicy.new

  class PolicyConfigMiddleware
    def initialize(app)
@@ -303,12 +297,7 @@ def initialize(app)
    end

    def call(env)
-      env["action_dispatch.content_security_policy"] =
-        if env["PATH_INFO"] == "/empty-policy"
-          EMPTY_POLICY
-        else
-          POLICY
-        end
+      env["action_dispatch.content_security_policy"] = POLICY
      env["action_dispatch.content_security_policy_report_only"] = false
      env["action_dispatch.show_exceptions"] = false

@@ -348,13 +337,6 @@ def test_generates_report_only_content_security_policy
    assert_policy "default-src 'self'; report-uri /violations;", report_only: true
  end

-  def test_empty_policy
-    get "/empty-policy"
-    assert_response :success
-    assert_not response.headers.key?("Content-Security-Policy")
-    assert_not response.headers.key?("Content-Security-Policy-Report-Only")
-  end
-
  private

    def env_config

--- a/railties/test/application/content_security_policy_test.rb
+++ b/railties/test/application/content_security_policy_test.rb
@@ -34,7 +34,7 @@ def index
      app("development")

      get "/"
-      assert_not last_response.headers.key?("Content-Security-Policy")
+      assert_equal ";", last_response.headers["Content-Security-Policy"]
    end

    test "global content security policy in an initializer" do