From 190744cd8ed014915803fa805996be04dc750d9d Mon Sep 17 00:00:00 2001
From: Andrew White
Date: Thu, 8 Mar 2018 14:14:09 +0000
Subject: Always yield a CSP policy instance If the app has the CSP disabled globally allow a controller action to enable the policy for that request.
---
 railties/lib/rails/application_controller.rb | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
(limited to 'railties/lib')
diff --git a/railties/lib/rails/application_controller.rb b/railties/lib/rails/application_controller.rb
index 39f7791c18..b3fe822218 100644
--- a/railties/lib/rails/application_controller.rb
+++ b/railties/lib/rails/application_controller.rb
@@ -7,10 +7,8 @@ class Rails::ApplicationController < ActionController::Base # :nodoc:
 before_action :disable_content_security_policy_nonce!
 content_security_policy do |policy|
- if policy
- policy.script_src :unsafe_inline
- policy.style_src :unsafe_inline
- end
+ policy.script_src :unsafe_inline
+ policy.style_src :unsafe_inline
 end
 private
-- cgit v1.2.3
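Review bot: With the `if policy` guard removed, the `content_security_policy` block in `Rails::ApplicationController` relies on the framework never yielding `nil`, and the code that provides that guarantee is not in this view (the page is limited to 'railties/lib'). If the yielded policy is applied to the request, as the commit message suggests, then apps with CSP disabled globally would presumably start sending a header on Rails' internal pages containing only `script-src 'unsafe-inline'` and `style-src 'unsafe-inline'`, where none was sent before; it is worth confirming that this is intended and covered by a test. The relaxation itself is undocumented, so a comment above the block would help, for example `# Relaxed only for Rails' own internal controllers; application controllers must not inherit from this class.` The class body continues outside the hunk.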