From f66a977fc7ae30d2a07124ad91924c4ee638a703 Mon Sep 17 00:00:00 2001
From: Kasper Timm Hansen <kaspth@gmail.com>
Date: Tue, 8 Jan 2019 22:16:58 +0100
Subject: Revert "Merge pull request #34387 from
 yhirano55/rails_info_properties_json"

We had a discussion on the Core team and we don't want to expose this information
as a JSON endpoint and not by default.

It doesn't make sense to expose this JSON locally and this controller is only
accessible in dev, so the proposed access from a production app seems off.

This reverts commit 8eaffe7e89719ac62ff29c2e4208cfbeb1cd1c38, reversing
changes made to b6e4305c3bca4c673996d0af9db0f4cfbf50215e.
---
 .../config/initializers/content_security_policy.rb.tt         |  4 ----
 railties/railties.gemspec                                     |  3 ---
 railties/test/generators/app_generator_test.rb                | 11 -----------
 3 files changed, 18 deletions(-)

(limited to 'railties')

diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
index c517b0f96b..d3bcaa5ec8 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
@@ -11,10 +11,6 @@
 #   policy.object_src  :none
 #   policy.script_src  :self, :https
 #   policy.style_src   :self, :https
-<%- unless options[:skip_javascript] -%>
-#   # If you are using webpack-dev-server then specify webpack-dev-server host
-#   policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
-<%- end -%>
 
 #   # Specify URI for violation reports
 #   # policy.report_uri "/csp-violation-report-endpoint"
diff --git a/railties/railties.gemspec b/railties/railties.gemspec
index 1bfb0dfe48..e7de51f52a 100644
--- a/railties/railties.gemspec
+++ b/railties/railties.gemspec
@@ -30,9 +30,6 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/railties/CHANGELOG.md"
   }
 
-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
   s.add_dependency "activesupport", version
   s.add_dependency "actionpack",    version
 
diff --git a/railties/test/generators/app_generator_test.rb b/railties/test/generators/app_generator_test.rb
index 47e401c34f..a421ac326d 100644
--- a/railties/test/generators/app_generator_test.rb
+++ b/railties/test/generators/app_generator_test.rb
@@ -230,14 +230,6 @@ class AppGeneratorTest < Rails::Generators::TestCase
     assert_equal "false\n", output
   end
 
-  def test_csp_initializer_include_connect_src_example
-    run_generator
-
-    assert_file "config/initializers/content_security_policy.rb" do |content|
-      assert_match(/#   policy\.connect_src/, content)
-    end
-  end
-
   def test_app_update_keep_the_cookie_serializer_if_it_is_already_configured
     app_root = File.join(destination_root, "myapp")
     run_generator [app_root]
@@ -845,9 +837,6 @@ class AppGeneratorTest < Rails::Generators::TestCase
     end
 
     assert_no_gem "webpacker"
-    assert_file "config/initializers/content_security_policy.rb" do |content|
-      assert_no_match(/policy\.connect_src/, content)
-    end
   end
 
   def test_webpack_option_with_js_framework
-- 
cgit v1.2.3