From 190744cd8ed014915803fa805996be04dc750d9d Mon Sep 17 00:00:00 2001
From: Andrew White <andrew.white@unboxed.co>
Date: Thu, 8 Mar 2018 14:14:09 +0000
Subject: Always yield a CSP policy instance

If the app has the CSP disabled globally allow a controller action
to enable the policy for that request.
---
 actionpack/lib/action_controller/metal/content_security_policy.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'actionpack/lib/action_controller/metal')

diff --git a/actionpack/lib/action_controller/metal/content_security_policy.rb b/actionpack/lib/action_controller/metal/content_security_policy.rb
index 67682e7f4f..b8fab4ebe3 100644
--- a/actionpack/lib/action_controller/metal/content_security_policy.rb
+++ b/actionpack/lib/action_controller/metal/content_security_policy.rb
@@ -17,7 +17,7 @@ module ActionController #:nodoc:
       def content_security_policy(enabled = true, **options, &block)
         before_action(options) do
           if block_given?
-            policy = request.content_security_policy.clone
+            policy = current_content_security_policy
             yield policy
             request.content_security_policy = policy
           end
@@ -44,5 +44,9 @@ module ActionController #:nodoc:
       def content_security_policy_nonce
         request.content_security_policy_nonce
       end
+
+      def current_content_security_policy
+        request.content_security_policy.try(:clone) || ActionDispatch::ContentSecurityPolicy.new
+      end
   end
 end
-- 
cgit v1.2.3