From 57f9c36387f371cfb791aa660c733e9690443d04 Mon Sep 17 00:00:00 2001
From: Andrew White <andrew.white@unboxed.co>
Date: Mon, 19 Feb 2018 12:17:51 +0000
Subject: Don't accidentally create an empty CSP

Setting up the request environment was accidentally creating a CSP
as a consequence of accessing the option - only set the instance
variable if a block is passed.
---
 railties/lib/rails/application/configuration.rb    |  6 ++++-
 .../application/content_security_policy_test.rb    | 30 ++++++++++++++++++++--
 2 files changed, 33 insertions(+), 3 deletions(-)

(limited to 'railties')

diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb
index 46ad3557e3..1f765f302c 100644
--- a/railties/lib/rails/application/configuration.rb
+++ b/railties/lib/rails/application/configuration.rb
@@ -241,7 +241,11 @@ module Rails
       end
 
       def content_security_policy(&block)
-        @content_security_policy ||= ActionDispatch::ContentSecurityPolicy.new(&block)
+        if block_given?
+          @content_security_policy = ActionDispatch::ContentSecurityPolicy.new(&block)
+        else
+          @content_security_policy
+        end
       end
 
       class Custom #:nodoc:
diff --git a/railties/test/application/content_security_policy_test.rb b/railties/test/application/content_security_policy_test.rb
index 97f2957c33..43f2b333f3 100644
--- a/railties/test/application/content_security_policy_test.rb
+++ b/railties/test/application/content_security_policy_test.rb
@@ -16,7 +16,7 @@ module ApplicationTests
       teardown_app
     end
 
-    test "default content security policy is empty" do
+    test "default content security policy is nil" do
       controller :pages, <<-RUBY
         class PagesController < ApplicationController
           def index
@@ -34,7 +34,33 @@ module ApplicationTests
       app("development")
 
       get "/"
-      assert_equal ";", last_response.headers["Content-Security-Policy"]
+      assert_nil last_response.headers["Content-Security-Policy"]
+    end
+
+    test "empty content security policy is generated" do
+      controller :pages, <<-RUBY
+        class PagesController < ApplicationController
+          def index
+            render html: "<h1>Welcome to Rails!</h1>"
+          end
+        end
+      RUBY
+
+      app_file "config/initializers/content_security_policy.rb", <<-RUBY
+        Rails.application.config.content_security_policy do |p|
+        end
+      RUBY
+
+      app_file "config/routes.rb", <<-RUBY
+        Rails.application.routes.draw do
+          root to: "pages#index"
+        end
+      RUBY
+
+      app("development")
+
+      get "/"
+      assert_policy ";"
     end
 
     test "global content security policy in an initializer" do
-- 
cgit v1.2.3