From 5299b57d596ea274f77f5ffee2b79c6ee0255508 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron@rubyonrails.org>
Date: Tue, 8 Mar 2022 13:23:15 -0800
Subject: [PATCH] Merge pull request #44635 from imtayadeway/tjw/api-csp-i

Generate content security policy for non-HTML responses
---
 .../http/content_security_policy.rb               |  7 -------
 .../test/dispatch/content_security_policy_test.rb | 15 +++++++++++++++
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
index 7dedecef34..50a3ec4bd1 100644
--- a/actionpack/lib/action_dispatch/http/content_security_policy.rb
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -17,7 +17,6 @@ def call(env)
         request = ActionDispatch::Request.new env
         _, headers, _ = response = @app.call(env)
 
-        return response unless html_response?(headers)
         return response if policy_present?(headers)
 
         if policy = request.content_security_policy
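Review bot: With the `html_response?` gate gone, every response that reaches this middleware without its own policy header now gets one, including JSON bodies, redirects and anything else served through the Rack stack; that is the intent of the commit, but nothing left in `call` says so, and a later reader of `return response if policy_present?(headers)` may assume a content-type check was forgotten and reinstate it. I would add a comment above that line: `# Applies to every response, not only HTML: a policy on JSON/plain-text responses still matters when a browser renders them directly.` If `CONTENT_TYPE` was referenced only by the helper deleted in the second hunk of this file, it is now unused and could be dropped too, though its other uses are not visible from here. `call` starts before this hunk and continues past it.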
@@ -31,12 +30,6 @@ def call(env)
       end
 
       private
-        def html_response?(headers)
-          if content_type = headers[CONTENT_TYPE]
-            content_type =~ /html/
-          end
-        end
-
         def header_name(request)
           if request.content_security_policy_report_only
             POLICY_REPORT_ONLY
diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb
index a4634626bb..9fd49ead24 100644
--- a/actionpack/test/dispatch/content_security_policy_test.rb
+++ b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -353,6 +353,11 @@ class PolicyController < ActionController::Base
 
     content_security_policy_report_only only: :report_only
 
+    content_security_policy only: :api do |p|
+      p.default_src :none
+      p.frame_ancestors :none
+    end
+
     def index
       head :ok
     end
@@ -381,6 +386,10 @@ def no_policy
       head :ok
     end
 
+    def api
+      render json: {}
+    end
+
     private
       def condition?
         params[:condition] == "true"
@@ -397,6 +406,7 @@ def condition?
       get "/script-src", to: "policy#script_src"
       get "/style-src", to: "policy#style_src"
       get "/no-policy", to: "policy#no_policy"
+      get "/api", to: "policy#api"
     end
   end
 
@@ -468,6 +478,11 @@ def test_generates_no_content_security_policy
     assert_nil response.headers["Content-Security-Policy-Report-Only"]
   end
 
+  def test_generates_api_security_policy
+    get "/api"
+    assert_policy "default-src 'none'; frame-ancestors 'none'"
+  end
+
   private
     def assert_policy(expected, report_only: false)
       assert_response :success
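Review bot: `test_generates_api_security_policy` shows that a policy header is emitted but never checks that the response was non-HTML, which is the case the commit exists to cover; if `render json: {}` were ever to produce an HTML content type the test would still pass without exercising the removed gate. I would pin the media type before the header assertion, `assert_equal "application/json", response.media_type`, so the test fails if the request stops being the non-HTML case it is named for. The enclosing test class begins before this hunk and `assert_policy` continues past it.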
-- 
2.30.2

