Don't accidentally create an empty CSP

Setting up the request environment was accidentally creating a CSP
as a consequence of accessing the option - only set the instance
variable if a block is passed.

railties/lib/rails/application/configuration.rb

@@ -241,7 +241,11 @@ def annotations
       end
 
       def content_security_policy(&block)
-        @content_security_policy ||= ActionDispatch::ContentSecurityPolicy.new(&block)
+        if block_given?
+          @content_security_policy = ActionDispatch::ContentSecurityPolicy.new(&block)
+        else
+          @content_security_policy
+        end
       end
 
       class Custom #:nodoc:

railties/test/application/content_security_policy_test.rb

@@ -16,7 +16,7 @@ def teardown
       teardown_app
     end
 
-    test "default content security policy is empty" do
+    test "default content security policy is nil" do
       controller :pages, <<-RUBY
         class PagesController < ApplicationController
           def index
@@ -34,7 +34,33 @@ def index
       app("development")
 
       get "/"
-      assert_equal ";", last_response.headers["Content-Security-Policy"]
+      assert_nil last_response.headers["Content-Security-Policy"]
+    end
+
+    test "empty content security policy is generated" do
+      controller :pages, <<-RUBY
+        class PagesController < ApplicationController
+          def index
+            render html: "<h1>Welcome to Rails!</h1>"
+          end
+        end
+      RUBY
+
+      app_file "config/initializers/content_security_policy.rb", <<-RUBY
+        Rails.application.config.content_security_policy do |p|
+        end
+      RUBY
+
+      app_file "config/routes.rb", <<-RUBY
+        Rails.application.routes.draw do
+          root to: "pages#index"
+        end
+      RUBY
+
+      app("development")
+
+      get "/"
+      assert_policy ";"
     end
 
     test "global content security policy in an initializer" do