Remove trailing semi-colon from CSP

Although the spec[1] is defined in such a way that a trailing semi-colon
is valid it also doesn't allow a semi-colon by itself to indicate an
empty policy. Therefore it's easier (and valid) just to omit it rather
than to detect whether the policy is empty or not.

[1]: https://www.w3.org/TR/CSP2/#policy-syntax

3 files changed, 39 insertions, 39 deletions

diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
index 4883e23d24..ffac3b8d99 100644
--- a/actionpack/lib/action_dispatch/http/content_security_policy.rb
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -172,7 +172,7 @@ module ActionDispatch #:nodoc:
     end
 
     def build(context = nil)
-      build_directives(context).compact.join("; ") + ";"
+      build_directives(context).compact.join("; ")
     end
 
     private
diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb
index 7c4a65a633..5184e4f960 100644
--- a/actionpack/test/dispatch/content_security_policy_test.rb
+++ b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -8,10 +8,10 @@ class ContentSecurityPolicyTest < ActiveSupport::TestCase
   end
 
   def test_build
-    assert_equal ";", @policy.build
+    assert_equal "", @policy.build
 
     @policy.script_src :self
-    assert_equal "script-src 'self';", @policy.build
+    assert_equal "script-src 'self'", @policy.build
   end
 
   def test_dup
@@ -25,34 +25,34 @@ class ContentSecurityPolicyTest < ActiveSupport::TestCase
 
   def test_mappings
     @policy.script_src :data
-    assert_equal "script-src data:;", @policy.build
+    assert_equal "script-src data:", @policy.build
 
     @policy.script_src :mediastream
-    assert_equal "script-src mediastream:;", @policy.build
+    assert_equal "script-src mediastream:", @policy.build
 
     @policy.script_src :blob
-    assert_equal "script-src blob:;", @policy.build
+    assert_equal "script-src blob:", @policy.build
 
     @policy.script_src :filesystem
-    assert_equal "script-src filesystem:;", @policy.build
+    assert_equal "script-src filesystem:", @policy.build
 
     @policy.script_src :self
-    assert_equal "script-src 'self';", @policy.build
+    assert_equal "script-src 'self'", @policy.build
 
     @policy.script_src :unsafe_inline
-    assert_equal "script-src 'unsafe-inline';", @policy.build
+    assert_equal "script-src 'unsafe-inline'", @policy.build
 
     @policy.script_src :unsafe_eval
-    assert_equal "script-src 'unsafe-eval';", @policy.build
+    assert_equal "script-src 'unsafe-eval'", @policy.build
 
     @policy.script_src :none
-    assert_equal "script-src 'none';", @policy.build
+    assert_equal "script-src 'none'", @policy.build
 
     @policy.script_src :strict_dynamic
-    assert_equal "script-src 'strict-dynamic';", @policy.build
+    assert_equal "script-src 'strict-dynamic'", @policy.build
 
     @policy.script_src :none, :report_sample
-    assert_equal "script-src 'none' 'report-sample';", @policy.build
+    assert_equal "script-src 'none' 'report-sample'", @policy.build
   end
 
   def test_fetch_directives
@@ -131,16 +131,16 @@ class ContentSecurityPolicyTest < ActiveSupport::TestCase
 
   def test_document_directives
     @policy.base_uri "https://example.com"
-    assert_match %r{base-uri https://example\.com;}, @policy.build
+    assert_match %r{base-uri https://example\.com}, @policy.build
 
     @policy.plugin_types "application/x-shockwave-flash"
-    assert_match %r{plugin-types application/x-shockwave-flash;}, @policy.build
+    assert_match %r{plugin-types application/x-shockwave-flash}, @policy.build
 
     @policy.sandbox
-    assert_match %r{sandbox;}, @policy.build
+    assert_match %r{sandbox}, @policy.build
 
     @policy.sandbox "allow-scripts", "allow-modals"
-    assert_match %r{sandbox allow-scripts allow-modals;}, @policy.build
+    assert_match %r{sandbox allow-scripts allow-modals}, @policy.build
 
     @policy.sandbox false
     assert_no_match %r{sandbox}, @policy.build
@@ -148,35 +148,35 @@ class ContentSecurityPolicyTest < ActiveSupport::TestCase
 
   def test_navigation_directives
     @policy.form_action :self
-    assert_match %r{form-action 'self';}, @policy.build
+    assert_match %r{form-action 'self'}, @policy.build
 
     @policy.frame_ancestors :self
-    assert_match %r{frame-ancestors 'self';}, @policy.build
+    assert_match %r{frame-ancestors 'self'}, @policy.build
   end
 
   def test_reporting_directives
     @policy.report_uri "/violations"
-    assert_match %r{report-uri /violations;}, @policy.build
+    assert_match %r{report-uri /violations}, @policy.build
   end
 
   def test_other_directives
     @policy.block_all_mixed_content
-    assert_match %r{block-all-mixed-content;}, @policy.build
+    assert_match %r{block-all-mixed-content}, @policy.build
 
     @policy.block_all_mixed_content false
     assert_no_match %r{block-all-mixed-content}, @policy.build
 
     @policy.require_sri_for :script, :style
-    assert_match %r{require-sri-for script style;}, @policy.build
+    assert_match %r{require-sri-for script style}, @policy.build
 
     @policy.require_sri_for "script", "style"
-    assert_match %r{require-sri-for script style;}, @policy.build
+    assert_match %r{require-sri-for script style}, @policy.build
 
     @policy.require_sri_for
     assert_no_match %r{require-sri-for}, @policy.build
 
     @policy.upgrade_insecure_requests
-    assert_match %r{upgrade-insecure-requests;}, @policy.build
+    assert_match %r{upgrade-insecure-requests}, @policy.build
 
     @policy.upgrade_insecure_requests false
     assert_no_match %r{upgrade-insecure-requests}, @policy.build
@@ -184,13 +184,13 @@ class ContentSecurityPolicyTest < ActiveSupport::TestCase
 
   def test_multiple_sources
     @policy.script_src :self, :https
-    assert_equal "script-src 'self' https:;", @policy.build
+    assert_equal "script-src 'self' https:", @policy.build
   end
 
   def test_multiple_directives
     @policy.script_src :self, :https
     @policy.style_src :self, :https
-    assert_equal "script-src 'self' https:; style-src 'self' https:;", @policy.build
+    assert_equal "script-src 'self' https:; style-src 'self' https:", @policy.build
   end
 
   def test_dynamic_directives
@@ -198,12 +198,12 @@ class ContentSecurityPolicyTest < ActiveSupport::TestCase
     controller = Struct.new(:request).new(request)
 
     @policy.script_src -> { request.host }
-    assert_equal "script-src www.example.com;", @policy.build(controller)
+    assert_equal "script-src www.example.com", @policy.build(controller)
   end
 
   def test_mixed_static_and_dynamic_directives
     @policy.script_src :self, -> { "foo.com" }, "bar.com"
-    assert_equal "script-src 'self' foo.com bar.com;", @policy.build(Object.new)
+    assert_equal "script-src 'self' foo.com bar.com", @policy.build(Object.new)
   end
 
   def test_invalid_directive_source
@@ -316,25 +316,25 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
 
   def test_generates_content_security_policy_header
     get "/"
-    assert_policy "default-src 'self';"
+    assert_policy "default-src 'self'"
   end
 
   def test_generates_inline_content_security_policy
     get "/inline"
-    assert_policy "default-src https://example.com;"
+    assert_policy "default-src https://example.com"
   end
 
   def test_generates_conditional_content_security_policy
     get "/conditional", params: { condition: "true" }
-    assert_policy "default-src https://true.example.com;"
+    assert_policy "default-src https://true.example.com"
 
     get "/conditional", params: { condition: "false" }
-    assert_policy "default-src https://false.example.com;"
+    assert_policy "default-src https://false.example.com"
   end
 
   def test_generates_report_only_content_security_policy
     get "/report-only"
-    assert_policy "default-src 'self'; report-uri /violations;", report_only: true
+    assert_policy "default-src 'self'; report-uri /violations", report_only: true
   end
 
   private
diff --git a/railties/test/application/content_security_policy_test.rb b/railties/test/application/content_security_policy_test.rb
index 43f2b333f3..0d28df16f8 100644
--- a/railties/test/application/content_security_policy_test.rb
+++ b/railties/test/application/content_security_policy_test.rb
@@ -60,7 +60,7 @@ module ApplicationTests
       app("development")
 
       get "/"
-      assert_policy ";"
+      assert_policy ""
     end
 
     test "global content security policy in an initializer" do
@@ -87,7 +87,7 @@ module ApplicationTests
       app("development")
 
       get "/"
-      assert_policy "default-src 'self' https:;"
+      assert_policy "default-src 'self' https:"
     end
 
     test "global report only content security policy in an initializer" do
@@ -116,7 +116,7 @@ module ApplicationTests
       app("development")
 
       get "/"
-      assert_policy "default-src 'self' https:;", report_only: true
+      assert_policy "default-src 'self' https:", report_only: true
     end
 
     test "override content security policy in a controller" do
@@ -147,7 +147,7 @@ module ApplicationTests
       app("development")
 
       get "/"
-      assert_policy "default-src https://example.com;"
+      assert_policy "default-src https://example.com"
     end
 
     test "override content security policy to report only in a controller" do
@@ -176,7 +176,7 @@ module ApplicationTests
       app("development")
 
       get "/"
-      assert_policy "default-src 'self' https:;", report_only: true
+      assert_policy "default-src 'self' https:", report_only: true
     end
 
     test "global content security policy added to rack app" do
@@ -200,7 +200,7 @@ module ApplicationTests
       app("development")
 
       get "/"
-      assert_policy "default-src 'self' https:;"
+      assert_policy "default-src 'self' https:"
     end
 
     private