diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
index 160c34536157ee163510ab41fc4d719d36008506..4883e23d242ceb1a97f8c715c6fa4cc8f7802fa3 100644
--- a/actionpack/lib/action_dispatch/http/content_security_policy.rb
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -21,10 +21,7 @@ def call(env)
 return response if policy_present?(headers)
 
 if policy = request.content_security_policy
- built_policy = policy.build(request.controller_instance)
- if built_policy
- headers[header_name(request)] = built_policy
- end
+ headers[header_name(request)] = policy.build(request.controller_instance)
 end
 
 response
@@ -175,12 +172,7 @@ def upgrade_insecure_requests(enabled = true)
 end
 
 def build(context = nil)
- built_directives = build_directives(context).compact
- if built_directives.empty?
- nil
- else
- built_directives.join("; ") + ";"
- end
+ build_directives(context).compact.join("; ") + ";"
 end
 
 private
diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb
index cfec81eeae2c58a3df904311911edd08ef523bc7..7c4a65a63311d44b0c82f8be045035ff976141ca 100644
--- a/actionpack/test/dispatch/content_security_policy_test.rb
+++ b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -8,7 +8,7 @@ def setup
 end
 
 def test_build
- assert_nil @policy.build
+ assert_equal ";", @policy.build
 
 @policy.script_src :self
 assert_equal "script-src 'self';", @policy.build
@@ -271,10 +271,6 @@ def report_only
 head :ok
 end
 
- def empty_policy
- head :ok
- end
-
 private
 def condition?
 params[:condition] == "true"
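Review bot: The added line `headers[header_name(request)] = policy.build(request.controller_instance)` now runs for a policy object that declares no directives as well, and the header it sets in that case is the literal `;`, which parses as an empty policy and enforces nothing. A reader of `call` will tend to equate "header present" with "policy enforced", so the contract deserves a comment at the assignment: `# build always returns a String; a policy with no directives serializes to ";", so the header is sent whenever a policy object is configured, even one that restricts nothing.` Operators checking for CSP coverage should key on directive content rather than header presence. The body of `call` continues outside the hunk.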
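Review bot: `build` no longer has a nil return path, yet nothing in the hunk states the new contract, so a later reader may re-add a truthiness guard or treat a bare `;` as a misconfiguration. A doc comment above `def build(context = nil)` would settle it: `# Serializes the policy for the Content-Security-Policy header. Always returns a String ending in ";"; a policy with no directives serializes to ";" alone.` The `context` argument is only passed through to `build_directives`, whose definition is outside the hunk, so its meaning cannot be documented from here.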
@@ -288,14 +284,12 @@ def condition?
 get "/inline", to: "policy#inline"
 get "/conditional", to: "policy#conditional"
 get "/report-only", to: "policy#report_only"
- get "/empty-policy", to: "policy#empty_policy"
 end
 end
 
 POLICY = ActionDispatch::ContentSecurityPolicy.new do |p|
 p.default_src :self
 end
- EMPTY_POLICY = ActionDispatch::ContentSecurityPolicy.new
 
 class PolicyConfigMiddleware
 def initialize(app)
@@ -303,12 +297,7 @@ def initialize(app)
 end
 
 def call(env)
- env["action_dispatch.content_security_policy"] =
- if env["PATH_INFO"] == "/empty-policy"
- EMPTY_POLICY
- else
- POLICY
- end
+ env["action_dispatch.content_security_policy"] = POLICY
 env["action_dispatch.content_security_policy_report_only"] = false
 env["action_dispatch.show_exceptions"] = false
 
@@ -348,13 +337,6 @@ def test_generates_report_only_content_security_policy
 assert_policy "default-src 'self'; report-uri /violations;", report_only: true
 end
 
- def test_empty_policy
- get "/empty-policy"
- assert_response :success
- assert_not response.headers.key?("Content-Security-Policy")
- assert_not response.headers.key?("Content-Security-Policy-Report-Only")
- end
-
 private
 def env_config
diff --git a/railties/test/application/content_security_policy_test.rb b/railties/test/application/content_security_policy_test.rb
index 1539bf444022815c3a8b96cbf6a0a7f3090926fb..97f2957c33865d95d2a6d3d413c372bd432032c7 100644
--- a/railties/test/application/content_security_policy_test.rb
+++ b/railties/test/application/content_security_policy_test.rb
@@ -34,7 +34,7 @@ def index
 app("development")
 get "/"
 
- assert_not last_response.headers.key?("Content-Security-Policy")
+ assert_equal ";", last_response.headers["Content-Security-Policy"]
 end
 
 test "global content security policy in an initializer" do
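Review bot: The new assertion `assert_equal ";", last_response.headers["Content-Security-Policy"]` in the railties hunk pins a bare `;` without saying why that, rather than an absent header, is the expected outcome, so the next person to touch the test cannot tell whether it documents a design decision or an accident. A one-line comment above it would carry the intent: `# A policy block with no directives still emits the header; it serializes to ";"`. The same applies to `assert_equal ";", @policy.build` in the actionpack test's `test_build`. The test block containing the railties assertion starts outside the hunk.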