From 35858f1d9d57f6c4050a8d9ab754bd5d088b4523 Mon Sep 17 00:00:00 2001
From: Zack Deveau <zack.ref@gmail.com>
Date: Tue, 27 Feb 2024 10:03:50 -0500
Subject: [PATCH] include the HTTP Permissions-Policy on non-HTML Content-Types

[CVE-2024-28103]

The application configurable Permissions-Policy is only
served on responses with an HTML related Content-Type.

This change allows all Content-Types to serve the
configured Permissions-Policy as there are many non-HTML
Content-Types that would benefit from this header.
(examples include image/svg+xml and application/xml)

---
 .../lib/action_dispatch/http/permissions_policy.rb         | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/actionpack-7.0.7/lib/action_dispatch/http/permissions_policy.rb b/actionpack-7.0.7/lib/action_dispatch/http/permissions_policy.rb
index 5666ad0..6ec9087 100644
--- a/actionpack-7.0.7/lib/action_dispatch/http/permissions_policy.rb
+++ b/actionpack-7.0.7/lib/action_dispatch/http/permissions_policy.rb
@@ -37,7 +37,6 @@ module ActionDispatch # :nodoc:
         request = ActionDispatch::Request.new(env)
         _, headers, _ = response = @app.call(env)
 
-        return response unless html_response?(headers)
         return response if policy_present?(headers)
 
         if policy = request.permissions_policy
@@ -52,12 +51,6 @@ module ActionDispatch # :nodoc:
       end
 
       private
-        def html_response?(headers)
-          if content_type = headers[CONTENT_TYPE]
-            /html/.match?(content_type)
-          end
-        end
-
         def policy_present?(headers)
           headers[POLICY]
         end
-- 
2.27.0