Skip generating empty CSP header when no policy is configured
`Rails.application.config.content_security_policy` is configured with no policies by default. In this case, Content-Security-Policy header should not be generated instead of generating the header with no directives. Firefox also warns "Content Security Policy: Couldn't process unknown directive ''".
This commit is contained in:
parent
099a28bbec
commit
53d863d4bb
@ -21,7 +21,10 @@ def call(env)
|
||||
return response if policy_present?(headers)
|
||||
|
||||
if policy = request.content_security_policy
|
||||
headers[header_name(request)] = policy.build(request.controller_instance)
|
||||
built_policy = policy.build(request.controller_instance)
|
||||
if built_policy
|
||||
headers[header_name(request)] = built_policy
|
||||
end
|
||||
end
|
||||
|
||||
response
|
||||
@ -172,7 +175,12 @@ def upgrade_insecure_requests(enabled = true)
|
||||
end
|
||||
|
||||
def build(context = nil)
|
||||
build_directives(context).compact.join("; ") + ";"
|
||||
built_directives = build_directives(context).compact
|
||||
if built_directives.empty?
|
||||
nil
|
||||
else
|
||||
built_directives.join("; ") + ";"
|
||||
end
|
||||
end
|
||||
|
||||
private
|
||||
|
@ -8,7 +8,7 @@ def setup
|
||||
end
|
||||
|
||||
def test_build
|
||||
assert_equal ";", @policy.build
|
||||
assert_nil @policy.build
|
||||
|
||||
@policy.script_src :self
|
||||
assert_equal "script-src 'self';", @policy.build
|
||||
@ -271,6 +271,10 @@ def report_only
|
||||
head :ok
|
||||
end
|
||||
|
||||
def empty_policy
|
||||
head :ok
|
||||
end
|
||||
|
||||
private
|
||||
def condition?
|
||||
params[:condition] == "true"
|
||||
@ -284,12 +288,14 @@ def condition?
|
||||
get "/inline", to: "policy#inline"
|
||||
get "/conditional", to: "policy#conditional"
|
||||
get "/report-only", to: "policy#report_only"
|
||||
get "/empty-policy", to: "policy#empty_policy"
|
||||
end
|
||||
end
|
||||
|
||||
POLICY = ActionDispatch::ContentSecurityPolicy.new do |p|
|
||||
p.default_src :self
|
||||
end
|
||||
EMPTY_POLICY = ActionDispatch::ContentSecurityPolicy.new
|
||||
|
||||
class PolicyConfigMiddleware
|
||||
def initialize(app)
|
||||
@ -297,7 +303,12 @@ def initialize(app)
|
||||
end
|
||||
|
||||
def call(env)
|
||||
env["action_dispatch.content_security_policy"] = POLICY
|
||||
env["action_dispatch.content_security_policy"] =
|
||||
if env["PATH_INFO"] == "/empty-policy"
|
||||
EMPTY_POLICY
|
||||
else
|
||||
POLICY
|
||||
end
|
||||
env["action_dispatch.content_security_policy_report_only"] = false
|
||||
env["action_dispatch.show_exceptions"] = false
|
||||
|
||||
@ -337,6 +348,13 @@ def test_generates_report_only_content_security_policy
|
||||
assert_policy "default-src 'self'; report-uri /violations;", report_only: true
|
||||
end
|
||||
|
||||
def test_empty_policy
|
||||
get "/empty-policy"
|
||||
assert_response :success
|
||||
assert_not response.headers.key?("Content-Security-Policy")
|
||||
assert_not response.headers.key?("Content-Security-Policy-Report-Only")
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def env_config
|
||||
|
@ -34,7 +34,7 @@ def index
|
||||
app("development")
|
||||
|
||||
get "/"
|
||||
assert_equal ";", last_response.headers["Content-Security-Policy"]
|
||||
assert_not last_response.headers.key?("Content-Security-Policy")
|
||||
end
|
||||
|
||||
test "global content security policy in an initializer" do
|
||||
|
Loading…
Reference in New Issue
Block a user