diff options
| author | Andrew White <pixeltrix@users.noreply.github.com> | 2018-02-19 14:55:05 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-02-19 14:55:05 +0000 |
| commit | dc6185b462dc423e9e6fa89a64aa54427ff7660d (patch) | |
| tree | 3c61ade55071b719d49421cb3af825795f8900c9 /railties | |
| parent | 0d41a76d0c693000005d79456dee7f9299f5e8d4 (diff) | |
| parent | d85283cc42b1a965944047a2f602153804126f77 (diff) | |
| download | rails-dc6185b462dc423e9e6fa89a64aa54427ff7660d.tar.gz rails-dc6185b462dc423e9e6fa89a64aa54427ff7660d.tar.bz2 rails-dc6185b462dc423e9e6fa89a64aa54427ff7660d.zip | |
Merge pull request #32054 from rails/fix-generation-of-empty-csp
Fix generation of empty content security policy
Diffstat (limited to 'railties')
| -rw-r--r-- | railties/lib/rails/application/configuration.rb | 6 | ||||
| -rw-r--r-- | railties/test/application/content_security_policy_test.rb | 40 |
2 files changed, 38 insertions, 8 deletions
diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb index 46ad3557e3..1f765f302c 100644 --- a/railties/lib/rails/application/configuration.rb +++ b/railties/lib/rails/application/configuration.rb @@ -241,7 +241,11 @@ module Rails end def content_security_policy(&block) - @content_security_policy ||= ActionDispatch::ContentSecurityPolicy.new(&block) + if block_given? + @content_security_policy = ActionDispatch::ContentSecurityPolicy.new(&block) + else + @content_security_policy + end end class Custom #:nodoc: diff --git a/railties/test/application/content_security_policy_test.rb b/railties/test/application/content_security_policy_test.rb index 1539bf4440..0d28df16f8 100644 --- a/railties/test/application/content_security_policy_test.rb +++ b/railties/test/application/content_security_policy_test.rb @@ -16,7 +16,7 @@ module ApplicationTests teardown_app end - test "default content security policy is empty" do + test "default content security policy is nil" do controller :pages, <<-RUBY class PagesController < ApplicationController def index @@ -34,7 +34,33 @@ module ApplicationTests app("development") get "/" - assert_not last_response.headers.key?("Content-Security-Policy") + assert_nil last_response.headers["Content-Security-Policy"] + end + + test "empty content security policy is generated" do + controller :pages, <<-RUBY + class PagesController < ApplicationController + def index + render html: "<h1>Welcome to Rails!</h1>" + end + end + RUBY + + app_file "config/initializers/content_security_policy.rb", <<-RUBY + Rails.application.config.content_security_policy do |p| + end + RUBY + + app_file "config/routes.rb", <<-RUBY + Rails.application.routes.draw do + root to: "pages#index" + end + RUBY + + app("development") + + get "/" + assert_policy "" end test "global content security policy in an initializer" do @@ -61,7 +87,7 @@ module ApplicationTests app("development") get "/" - assert_policy "default-src 'self' https:;" + assert_policy "default-src 'self' https:" end test "global report only content security policy in an initializer" do @@ -90,7 +116,7 @@ module ApplicationTests app("development") get "/" - assert_policy "default-src 'self' https:;", report_only: true + assert_policy "default-src 'self' https:", report_only: true end test "override content security policy in a controller" do @@ -121,7 +147,7 @@ module ApplicationTests app("development") get "/" - assert_policy "default-src https://example.com;" + assert_policy "default-src https://example.com" end test "override content security policy to report only in a controller" do @@ -150,7 +176,7 @@ module ApplicationTests app("development") get "/" - assert_policy "default-src 'self' https:;", report_only: true + assert_policy "default-src 'self' https:", report_only: true end test "global content security policy added to rack app" do @@ -174,7 +200,7 @@ module ApplicationTests app("development") get "/" - assert_policy "default-src 'self' https:;" + assert_policy "default-src 'self' https:" end private |