diff options
| author | Andrew White <andrew.white@unboxed.co> | 2018-02-19 12:17:51 +0000 |
|---|---|---|
| committer | Andrew White <andrew.white@unboxed.co> | 2018-02-19 12:17:51 +0000 |
| commit | 57f9c36387f371cfb791aa660c733e9690443d04 (patch) | |
| tree | 3598add85e49a8e6f40c5e5c8130b4e331c27889 /railties | |
| parent | 52a1f1c226c2238e16d1a4d32faa8d1e6a36a26f (diff) | |
| download | rails-57f9c36387f371cfb791aa660c733e9690443d04.tar.gz rails-57f9c36387f371cfb791aa660c733e9690443d04.tar.bz2 rails-57f9c36387f371cfb791aa660c733e9690443d04.zip | |
Don't accidentally create an empty CSP
Setting up the request environment was accidentally creating a CSP
as a consequence of accessing the option - only set the instance
variable if a block is passed.
Diffstat (limited to 'railties')
| -rw-r--r-- | railties/lib/rails/application/configuration.rb | 6 | ||||
| -rw-r--r-- | railties/test/application/content_security_policy_test.rb | 30 |
2 files changed, 33 insertions, 3 deletions
diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb index 46ad3557e3..1f765f302c 100644 --- a/railties/lib/rails/application/configuration.rb +++ b/railties/lib/rails/application/configuration.rb @@ -241,7 +241,11 @@ module Rails end def content_security_policy(&block) - @content_security_policy ||= ActionDispatch::ContentSecurityPolicy.new(&block) + if block_given? + @content_security_policy = ActionDispatch::ContentSecurityPolicy.new(&block) + else + @content_security_policy + end end class Custom #:nodoc: diff --git a/railties/test/application/content_security_policy_test.rb b/railties/test/application/content_security_policy_test.rb index 97f2957c33..43f2b333f3 100644 --- a/railties/test/application/content_security_policy_test.rb +++ b/railties/test/application/content_security_policy_test.rb @@ -16,7 +16,7 @@ module ApplicationTests teardown_app end - test "default content security policy is empty" do + test "default content security policy is nil" do controller :pages, <<-RUBY class PagesController < ApplicationController def index @@ -34,7 +34,33 @@ module ApplicationTests app("development") get "/" - assert_equal ";", last_response.headers["Content-Security-Policy"] + assert_nil last_response.headers["Content-Security-Policy"] + end + + test "empty content security policy is generated" do + controller :pages, <<-RUBY + class PagesController < ApplicationController + def index + render html: "<h1>Welcome to Rails!</h1>" + end + end + RUBY + + app_file "config/initializers/content_security_policy.rb", <<-RUBY + Rails.application.config.content_security_policy do |p| + end + RUBY + + app_file "config/routes.rb", <<-RUBY + Rails.application.routes.draw do + root to: "pages#index" + end + RUBY + + app("development") + + get "/" + assert_policy ";" end test "global content security policy in an initializer" do |