authorKohei Suzuki <eagletmt@gmail.com>2018-02-18 21:36:59 +0900
committerKohei Suzuki <eagletmt@gmail.com>2018-02-18 23:45:57 +0900
commit53d863d4bbfe279e00433ef3672b040e2e6ef267 (patch)
tree6f059261f4f1a437f07ac038fe5857fdf8e7be76 /actionpack/lib/action_dispatch/http
parent099a28bbecb5b6fdabcae261d22c424f67a21601 (diff)
Skip generating empty CSP header when no policy is configured
`Rails.application.config.content_security_policy` is configured with no policies by default. In this case, the Content-Security-Policy header should be omitted rather than generated with no directives. Firefox also warns "Content Security Policy: Couldn't process unknown directive ''".
Diffstat (limited to 'actionpack/lib/action_dispatch/http')
-rw-r--r--actionpack/lib/action_dispatch/http/content_security_policy.rb12
1 files changed, 10 insertions, 2 deletions
diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
index 4883e23d24..160c345361 100644
--- a/actionpack/lib/action_dispatch/http/content_security_policy.rb
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -21,7 +21,10 @@ module ActionDispatch #:nodoc:
return response if policy_present?(headers)
if policy = request.content_security_policy
- headers[header_name(request)] = policy.build(request.controller_instance)
+ built_policy = policy.build(request.controller_instance)
+ if built_policy
+ headers[header_name(request)] = built_policy
+ end
end
response
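Review bot: The new `if built_policy` branch drops the header silently, so any request whose policy resolves to no directives is served with no Content-Security-Policy (or report-only) header at all. That is the intent for the default empty configuration, but nothing at this call site says so. A comment above the check would make it explicit, for example `# No directives configured: send no CSP header rather than an empty one.` The nested `if` could also be written as `headers[header_name(request)] = built_policy if built_policy`. The enclosing method starts outside the hunk, so the earlier `policy_present?` handling is taken as shown.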
@@ -172,7 +175,12 @@ module ActionDispatch #:nodoc:
end
def build(context = nil)
- build_directives(context).compact.join("; ") + ";"
+ built_directives = build_directives(context).compact
+ if built_directives.empty?
+ nil
+ else
+ built_directives.join("; ") + ";"
+ end
end
private
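Review bot: `build` now returns either a String or `nil`, and that changed contract is undocumented. The caller in the first hunk is updated, but any other caller that treats the result as a String (not visible here) would fail on an empty policy. A comment above `def build` would record the contract, for example `# Returns the serialized header value, or nil when no directive is configured.` The five-line `if`/`else` could also be reduced to `built_directives.join("; ") + ";" unless built_directives.empty?`, which yields `nil` in the empty case.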