From 30fad8279b4f0df645d0b025cc78296c07e66472 Mon Sep 17 00:00:00 2001 From: Amadren Date: Wed, 15 Mar 2017 14:10:02 +0100 Subject: [PATCH] Improve csp for a better cloudflare support closes #7367 --- Changelog.md | 1 + config/diaspora.yml.example | 3 ++- config/initializers/secure_headers.rb | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index bb31193bad4..2ea388d951c 100644 --- a/Changelog.md +++ b/Changelog.md @@ -9,6 +9,7 @@ * Cleanup rtl css [#7374](https://github.com/diaspora/diaspora/pull/7374) * Increase visual spacing between list items [#7401](https://github.com/diaspora/diaspora/pull/7401) * Remove unused gem and cucumber step [#7410](https://github.com/diaspora/diaspora/pull/7410) +* Disable CSP header when `report_only` and no `report_uri` is set [#7367](https://github.com/diaspora/diaspora/pull/7367) ## Bug fixes * Don't hide posts when blocking someone from the profile [#7379](https://github.com/diaspora/diaspora/pull/7379) diff --git a/config/diaspora.yml.example b/config/diaspora.yml.example index 833f36bb0ac..7d8b99ee6db 100644 --- a/config/diaspora.yml.example +++ b/config/diaspora.yml.example @@ -567,10 +567,11 @@ configuration: ## Section ## party domains from services that are included in diaspora*, like OEmbed ## scripts, so you can safely activate it by setting `report_only` to false. If ## you customized diaspora* (edited templates or added own JS), additional work - ## may be required. You can test the policy with the "report_uri". Our default CSP + ## may be required. You can test the policy with the `report_uri`. Our default CSP ## does not work with Google analytics or Piwik, because they inject JS code that ## is blocked by CSP. csp: + ## Report-Only header (default=true) ## By default diaspora* adds only a "Content-Security-Policy-Report-Only" header. If you set ## this to false, the "Content-Security-Policy" header is added instead. 
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb index 84e2415c789..99d3fd2c51a 100644 --- a/config/initializers/secure_headers.rb +++ b/config/initializers/secure_headers.rb @@ -44,7 +44,7 @@ if AppConfig.settings.csp.report_only? config.csp = SecureHeaders::OPT_OUT - config.csp_report_only = csp + config.csp_report_only = csp if AppConfig.settings.csp.report_uri.present? else config.csp = csp end
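Review bot: in the secure_headers.rb hunk, when `report_only?` is true and `report_uri` is blank, `config.csp` is set to `SecureHeaders::OPT_OUT` but `config.csp_report_only` is now left unassigned, so what header (if any) is sent depends on the secure_headers gem's default for `csp_report_only` rather than on anything stated in this initializer. Make the intent explicit instead of relying on the gem default, e.g. `config.csp_report_only = AppConfig.settings.csp.report_uri.present? ? csp : SecureHeaders::OPT_OUT`. The Subject also says this is for Cloudflare support, but neither the diff nor a code comment explains why a Report-Only policy without a `report_uri` is a problem there; a one-line comment above the condition would spare the next reader a trip to the issue tracker.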
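Review bot: in the diaspora.yml.example hunk, the added `## Report-Only header (default=true)` line and the sentence right below it ("By default diaspora* adds only a "Content-Security-Policy-Report-Only" header") no longer describe the full behaviour: after this patch the Report-Only header is only emitted when `report_uri` is also set, and otherwise no CSP header is sent at all. Since this is the file admins actually read, state that here, e.g. `## If report_only is true but no report_uri is set, no CSP header is sent at all.`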
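Review bot: in the Changelog.md hunk, the new entry is filed among cleanup items ("Cleanup rtl css", "Remove unused gem and cucumber step") even though it changes runtime behaviour for existing installations: a pod with `report_only: true` and no `report_uri` stops sending the Report-Only header it sent before (the old `config.csp_report_only = csp` was unconditional). Consider flagging it as a behaviour change for admins, e.g. append "(previously a Report-Only header was still sent)" to the entry.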