author | Andrew White <andrew.white@unboxed.co> | 2018-02-19 12:00:29 +0000 |
committer | Andrew White <andrew.white@unboxed.co> | 2018-02-19 12:00:29 +0000 |
commit | 52a1f1c226c2238e16d1a4d32faa8d1e6a36a26f (patch) | |
tree | 7c222df8b38bdd3cb285c95b0dd067ed9c63ae1b /actionpack | |
parent | f712ef27c55fc4210a722d447e05271adef1e57f (diff) | |
Revert "Merge pull request #32045 from eagletmt/skip-csp-header"
This reverts commit 86f7c269073a3a9e6ddec9b957deaa2716f2627d, reversing
changes made to 5ece2e4a4459065b5efd976aebd209bbf0cab89b.
If a policy is set then we should generate it even if it's empty.
However, what is actually happening is that we're accidentally generating an
empty policy when the initializer is commented out by default.
Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/lib/action_dispatch/http/content_security_policy.rb | 12 | ||||
-rw-r--r-- | actionpack/test/dispatch/content_security_policy_test.rb | 22 |
2 files changed, 4 insertions, 30 deletions
diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
index 160c345361..4883e23d24 100644
--- a/actionpack/lib/action_dispatch/http/content_security_policy.rb
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -21,10 +21,7 @@ module ActionDispatch #:nodoc:
 return response if policy_present?(headers)
 if policy = request.content_security_policy
- built_policy = policy.build(request.controller_instance)
- if built_policy
- headers[header_name(request)] = built_policy
- end
+ headers[header_name(request)] = policy.build(request.controller_instance)
 end
 response
@@ -175,12 +172,7 @@ module ActionDispatch #:nodoc:
 end
 def build(context = nil)
- built_directives = build_directives(context).compact
- if built_directives.empty?
- nil
- else
- built_directives.join("; ") + ";"
- end
+ build_directives(context).compact.join("; ") + ";"
 end
 private
diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb
index cfec81eeae..7c4a65a633 100644
--- a/actionpack/test/dispatch/content_security_policy_test.rb
+++ b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -8,7 +8,7 @@ class ContentSecurityPolicyTest < ActiveSupport::TestCase
 end
 def test_build
- assert_nil @policy.build
+ assert_equal ";", @policy.build
 @policy.script_src :self
 assert_equal "script-src 'self';", @policy.build
@@ -271,10 +271,6 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
 head :ok
 end
- def empty_policy
- head :ok
- end
-
 private
 def condition?
 params[:condition] == "true"
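Review bot: With the guard removed in the middleware hunk, an empty policy now serializes to ";" (the `build` hunk's `.compact.join("; ") + ";"`, pinned by `assert_equal ";", @policy.build`) and is emitted as a `Content-Security-Policy: ;` header, which imposes no restrictions while appearing on inspection as if CSP were configured. The commit message states this is intended and that the real defect is the default initializer creating a policy even when commented out, but that initializer is outside this diff, so the contract should be documented where it is decided. I would add above `def build(context = nil)`: `# An empty policy serializes to ";" rather than nil so a configured policy always emits its header; callers that want no header must not set a policy at all.` The middleware method containing the first hunk begins before the hunk.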
@@ -288,14 +284,12 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
 get "/inline", to: "policy#inline"
 get "/conditional", to: "policy#conditional"
 get "/report-only", to: "policy#report_only"
- get "/empty-policy", to: "policy#empty_policy"
 end
 end
 POLICY = ActionDispatch::ContentSecurityPolicy.new do |p|
 p.default_src :self
 end
- EMPTY_POLICY = ActionDispatch::ContentSecurityPolicy.new
 class PolicyConfigMiddleware
 def initialize(app)
@@ -303,12 +297,7 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
 end
 def call(env)
- env["action_dispatch.content_security_policy"] =
- if env["PATH_INFO"] == "/empty-policy"
- EMPTY_POLICY
- else
- POLICY
- end
+ env["action_dispatch.content_security_policy"] = POLICY
 env["action_dispatch.content_security_policy_report_only"] = false
 env["action_dispatch.show_exceptions"] = false
@@ -348,13 +337,6 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
 assert_policy "default-src 'self'; report-uri /violations;", report_only: true
 end
- def test_empty_policy
- get "/empty-policy"
- assert_response :success
- assert_not response.headers.key?("Content-Security-Policy")
- assert_not response.headers.key?("Content-Security-Policy-Report-Only")
- end
-
 private
 def env_config