From 53d863d4bbfe279e00433ef3672b040e2e6ef267 Mon Sep 17 00:00:00 2001
From: Kohei Suzuki <eagletmt@gmail.com>
Date: Sun, 18 Feb 2018 21:36:59 +0900
Subject: Skip generating empty CSP header when no policy is configured

`Rails.application.config.content_security_policy` is configured with no
policies by default. In this case, Content-Security-Policy header should
not be generated instead of generating the header with no directives.
Firefox also warns "Content Security Policy: Couldn't process unknown
directive ''".
---
 .../test/dispatch/content_security_policy_test.rb  | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

(limited to 'actionpack/test/dispatch')

diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb
index 7c4a65a633..cfec81eeae 100644
--- a/actionpack/test/dispatch/content_security_policy_test.rb
+++ b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -8,7 +8,7 @@ class ContentSecurityPolicyTest < ActiveSupport::TestCase
   end
 
   def test_build
-    assert_equal ";", @policy.build
+    assert_nil @policy.build
 
     @policy.script_src :self
     assert_equal "script-src 'self';", @policy.build
@@ -271,6 +271,10 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
       head :ok
     end
 
+    def empty_policy
+      head :ok
+    end
+
     private
       def condition?
         params[:condition] == "true"
@@ -284,12 +288,14 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
       get "/inline", to: "policy#inline"
       get "/conditional", to: "policy#conditional"
       get "/report-only", to: "policy#report_only"
+      get "/empty-policy", to: "policy#empty_policy"
     end
   end
 
   POLICY = ActionDispatch::ContentSecurityPolicy.new do |p|
     p.default_src :self
   end
+  EMPTY_POLICY = ActionDispatch::ContentSecurityPolicy.new
 
   class PolicyConfigMiddleware
     def initialize(app)
@@ -297,7 +303,12 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
     end
 
     def call(env)
-      env["action_dispatch.content_security_policy"] = POLICY
+      env["action_dispatch.content_security_policy"] =
+        if env["PATH_INFO"] == "/empty-policy"
+          EMPTY_POLICY
+        else
+          POLICY
+        end
       env["action_dispatch.content_security_policy_report_only"] = false
       env["action_dispatch.show_exceptions"] = false
 
@@ -337,6 +348,13 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
     assert_policy "default-src 'self'; report-uri /violations;", report_only: true
   end
 
+  def test_empty_policy
+    get "/empty-policy"
+    assert_response :success
+    assert_not response.headers.key?("Content-Security-Policy")
+    assert_not response.headers.key?("Content-Security-Policy-Report-Only")
+  end
+
   private
 
     def env_config
-- 
cgit v1.2.3