-rw-r--r--actionpack/CHANGELOG.md20
-rw-r--r--actionview/lib/action_view/helpers/form_helper.rb2
-rw-r--r--actionview/test/template/form_helper/form_with_test.rb9
-rw-r--r--guides/source/rails_on_rack.md1
-rw-r--r--railties/lib/rails/application/configuration.rb4
-rw-r--r--railties/lib/rails/generators/rails/app/app_generator.rb6
-rw-r--r--railties/test/generators/api_app_generator_test.rb2
-rw-r--r--railties/test/generators/app_generator_test.rb1
8 files changed, 30 insertions, 15 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index d48aa1081f..1843f058e0 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -5,11 +5,11 @@
about the Content-Security-Policy header see MDN:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-
+
Example global policy:
-
+
# config/initializers/content_security_policy.rb
- Rails.application.config.content_security_policy do
+ Rails.application.config.content_security_policy do |p|
p.default_src :self, :https
p.font_src :self, :https, :data
p.img_src :self, :https, :data
@@ -17,9 +17,9 @@
p.script_src :self, :https
p.style_src :self, :https, :unsafe_inline
end
-
+
Example controller overrides:
-
+
# Override policy inline
class PostsController < ApplicationController
content_security_policy do |p|
@@ -40,22 +40,22 @@
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
end
end
-
+
Allows you to also only report content violations for migrating
legacy content using the `content_security_policy_report_only`
configuration attribute, e.g;
-
+
# config/initializers/content_security_policy.rb
Rails.application.config.content_security_policy_report_only = true
-
+
# controller override
class PostsController < ApplicationController
self.content_security_policy_report_only = true
end
-
+
Note that this feature does not validate the header for performance
reasons since the header is calculated at runtime.
-
+
*Andrew White*
* Make `assert_recognizes` to traverse mounted engines
diff --git a/actionview/lib/action_view/helpers/form_helper.rb b/actionview/lib/action_view/helpers/form_helper.rb
index f24e83ad9a..6185aa133f 100644
--- a/actionview/lib/action_view/helpers/form_helper.rb
+++ b/actionview/lib/action_view/helpers/form_helper.rb
@@ -478,7 +478,7 @@ module ActionView
mattr_accessor :form_with_generates_remote_forms, default: true
- mattr_accessor :form_with_generates_ids, default: true
+ mattr_accessor :form_with_generates_ids, default: false
# Creates a form tag based on mixing URLs, scopes, or models.
#
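Review bot: The flipped default on `form_with_generates_ids` has no comment, so a reader now sees two adjacent `mattr_accessor` lines with opposite defaults and no rationale for either. The `load_defaults` branch in railties/lib/rails/application/configuration.rb that previously forced this to `false` (apparently the `"5.0"` branch, given the `when "5.1"` that follows) is removed in the same commit, which makes this line the only place the value is set unless an application overrides it. A one-line comment above the accessor would capture that, e.g. `# Whether form_with emits id attributes on the fields it builds; off by default so existing markup is unchanged, applications opt in via config.action_view.form_with_generates_ids.`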
diff --git a/actionview/test/template/form_helper/form_with_test.rb b/actionview/test/template/form_helper/form_with_test.rb
index 4e268eaa16..0295ff627d 100644
--- a/actionview/test/template/form_helper/form_with_test.rb
+++ b/actionview/test/template/form_helper/form_with_test.rb
@@ -5,6 +5,15 @@ require "controller/fake_models"
class FormWithTest < ActionView::TestCase
include RenderERBUtils
+
+ setup do
+ @old_value = ActionView::Helpers::FormHelper.form_with_generates_ids
+ ActionView::Helpers::FormHelper.form_with_generates_ids = true
+ end
+
+ teardown do
+ ActionView::Helpers::FormHelper.form_with_generates_ids = @old_value
+ end
end
class FormWithActsLikeFormTagTest < FormWithTest
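Review bot: Forcing `form_with_generates_ids = true` in `setup` for `FormWithTest` and every subclass (such as `FormWithActsLikeFormTagTest`) means nothing in this file exercises the new library default of `false` introduced in form_helper.rb, so the behaviour change itself goes untested. Add at least one case that leaves the accessor at its default and asserts the rendered fields carry no `id` attribute. The instance variable would also read better as `@old_form_with_generates_ids` so the `teardown` is self-explanatory.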
diff --git a/guides/source/rails_on_rack.md b/guides/source/rails_on_rack.md
index aa1476ecc0..8caddc785a 100644
--- a/guides/source/rails_on_rack.md
+++ b/guides/source/rails_on_rack.md
@@ -122,6 +122,7 @@ use ActiveRecord::Migration::CheckPending
use ActionDispatch::Cookies
use ActionDispatch::Session::CookieStore
use ActionDispatch::Flash
+use ActionDispatch::ContentSecurityPolicy::Middleware
use Rack::Head
use Rack::ConditionalGet
use Rack::ETag
diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb
index 0ff0aeb73e..cbc04f8a48 100644
--- a/railties/lib/rails/application/configuration.rb
+++ b/railties/lib/rails/application/configuration.rb
@@ -73,10 +73,6 @@ module Rails
end
self.ssl_options = { hsts: { subdomains: true } }
-
- if respond_to?(:action_view)
- action_view.form_with_generates_ids = false
- end
when "5.1"
load_defaults "5.0"
diff --git a/railties/lib/rails/generators/rails/app/app_generator.rb b/railties/lib/rails/generators/rails/app/app_generator.rb
index 1fdfc3ca52..874bd772c7 100644
--- a/railties/lib/rails/generators/rails/app/app_generator.rb
+++ b/railties/lib/rails/generators/rails/app/app_generator.rb
@@ -128,6 +128,7 @@ module Rails
active_storage_config_exist = File.exist?("config/storage.yml")
rack_cors_config_exist = File.exist?("config/initializers/cors.rb")
assets_config_exist = File.exist?("config/initializers/assets.rb")
+ csp_config_exist = File.exist?("config/initializers/content_security_policy.rb")
config
@@ -155,6 +156,10 @@ module Rails
unless assets_config_exist
remove_file "config/initializers/assets.rb"
end
+
+ unless csp_config_exist
+ remove_file "config/initializers/content_security_policy.rb"
+ end
end
end
@@ -432,6 +437,7 @@ module Rails
def delete_non_api_initializers_if_api_option
if options[:api]
remove_file "config/initializers/cookies_serializer.rb"
+ remove_file "config/initializers/content_security_policy.rb"
end
end
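Review bot: `delete_non_api_initializers_if_api_option` now removes the Content-Security-Policy initializer for API apps without saying why, and whether `ActionDispatch::ContentSecurityPolicy::Middleware` (added to the middleware list in the guide by this commit) still runs in the API stack is not visible here; if it does, an API app simply has no policy configured and emits no header. A short comment next to the new `remove_file` line would spare the next reader that question, e.g. `# API-only apps serve no HTML views, so the default CSP initializer has nothing to protect.`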
diff --git a/railties/test/generators/api_app_generator_test.rb b/railties/test/generators/api_app_generator_test.rb
index 7791d472d8..4815cf6362 100644
--- a/railties/test/generators/api_app_generator_test.rb
+++ b/railties/test/generators/api_app_generator_test.rb
@@ -72,6 +72,7 @@ class ApiAppGeneratorTest < Rails::Generators::TestCase
assert_no_file "config/initializers/cookies_serializer.rb"
assert_no_file "config/initializers/assets.rb"
+ assert_no_file "config/initializers/content_security_policy.rb"
end
def test_app_update_does_not_generate_unnecessary_bin_files
@@ -149,6 +150,7 @@ class ApiAppGeneratorTest < Rails::Generators::TestCase
bin/yarn
config/initializers/assets.rb
config/initializers/cookies_serializer.rb
+ config/initializers/content_security_policy.rb
lib/assets
test/helpers
tmp/cache/assets
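Review bot: The new `config/initializers/content_security_policy.rb` entry breaks the alphabetical order of the surrounding file list: `content_security_policy` sorts before `cookies_serializer`, so it should sit one line higher, between `assets.rb` and `cookies_serializer.rb`. The same misplacement appears in the `DEFAULT_APP_FILES` hunk of railties/test/generators/app_generator_test.rb, where the entry is again inserted after `cookies_serializer.rb`. Both lists start and end outside their hunks.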
diff --git a/railties/test/generators/app_generator_test.rb b/railties/test/generators/app_generator_test.rb
index ff69366875..87773fd6b9 100644
--- a/railties/test/generators/app_generator_test.rb
+++ b/railties/test/generators/app_generator_test.rb
@@ -56,6 +56,7 @@ DEFAULT_APP_FILES = %w(
config/initializers/assets.rb
config/initializers/backtrace_silencers.rb
config/initializers/cookies_serializer.rb
+ config/initializers/content_security_policy.rb
config/initializers/filter_parameter_logging.rb
config/initializers/inflections.rb
config/initializers/mime_types.rb