Merge pull request #32045 from eagletmt/skip-csp-header

Skip generating empty CSP header when no policy is configured

Merge pull request #32045 from eagletmt/skip-csp-header
Skip generating empty CSP header when no policy is configured
86f7c269 · Guillermo Iguaran · GitHub · 5ece2e4a · 53d863d4 · 86f7c269
3 changed file
--- a/actionpack/lib/action_dispatch/http/content_security_policy.rb
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -21,7 +21,10 @@ def call(env)
        return response if policy_present?(headers)

        if policy = request.content_security_policy
-          headers[header_name(request)] = policy.build(request.controller_instance)
+          built_policy = policy.build(request.controller_instance)
+          if built_policy
+            headers[header_name(request)] = built_policy
+          end
        end

        response
@@ -172,7 +175,12 @@ def upgrade_insecure_requests(enabled = true)
    end

    def build(context = nil)
-      build_directives(context).compact.join("; ") + ";"
+      built_directives = build_directives(context).compact
+      if built_directives.empty?
+        nil
+      else
+        built_directives.join("; ") + ";"
+      end
    end

    private

--- a/actionpack/test/dispatch/content_security_policy_test.rb
+++ b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -8,7 +8,7 @@ def setup
  end

  def test_build
-    assert_equal ";", @policy.build
+    assert_nil @policy.build

    @policy.script_src :self
    assert_equal "script-src 'self';", @policy.build
@@ -271,6 +271,10 @@ def report_only
      head :ok
    end

+    def empty_policy
+      head :ok
+    end
+
    private
      def condition?
        params[:condition] == "true"
@@ -284,12 +288,14 @@ def condition?
      get "/inline", to: "policy#inline"
      get "/conditional", to: "policy#conditional"
      get "/report-only", to: "policy#report_only"
+      get "/empty-policy", to: "policy#empty_policy"
    end
  end

  POLICY = ActionDispatch::ContentSecurityPolicy.new do |p|
    p.default_src :self
  end
+  EMPTY_POLICY = ActionDispatch::ContentSecurityPolicy.new

  class PolicyConfigMiddleware
    def initialize(app)
@@ -297,7 +303,12 @@ def initialize(app)
    end

    def call(env)
-      env["action_dispatch.content_security_policy"] = POLICY
+      env["action_dispatch.content_security_policy"] =
+        if env["PATH_INFO"] == "/empty-policy"
+          EMPTY_POLICY
+        else
+          POLICY
+        end
      env["action_dispatch.content_security_policy_report_only"] = false
      env["action_dispatch.show_exceptions"] = false

@@ -337,6 +348,13 @@ def test_generates_report_only_content_security_policy
    assert_policy "default-src 'self'; report-uri /violations;", report_only: true
  end

+  def test_empty_policy
+    get "/empty-policy"
+    assert_response :success
+    assert_not response.headers.key?("Content-Security-Policy")
+    assert_not response.headers.key?("Content-Security-Policy-Report-Only")
+  end
+
  private

    def env_config

--- a/railties/test/application/content_security_policy_test.rb
+++ b/railties/test/application/content_security_policy_test.rb
@@ -34,7 +34,7 @@ def index
      app("development")

      get "/"
-      assert_equal ";", last_response.headers["Content-Security-Policy"]
+      assert_not last_response.headers.key?("Content-Security-Policy")
    end

    test "global content security policy in an initializer" do