Improve csp for a better cloudflare support

closes #7367

Changelog.md

@@ -9,6 +9,7 @@
 * Cleanup rtl css [#7374](https://github.com/diaspora/diaspora/pull/7374)
 * Increase visual spacing between list items [#7401](https://github.com/diaspora/diaspora/pull/7401)
 * Remove unused gem and cucumber step [#7410](https://github.com/diaspora/diaspora/pull/7410)
+* Disable CSP header when `report_only` and no `report_uri` is set [#7367](https://github.com/diaspora/diaspora/pull/7367)
 
 ## Bug fixes
 * Don't hide posts when blocking someone from the profile [#7379](https://github.com/diaspora/diaspora/pull/7379)

config/diaspora.yml.example

@@ -567,10 +567,11 @@ configuration: ## Section
     ## party domains from services that are included in diaspora*, like OEmbed
     ## scripts, so you can safely activate it by setting `report_only` to false. If
     ## you customized diaspora* (edited templates or added own JS), additional work
-    ## may be required. You can test the policy with the "report_uri". Our default CSP
+    ## may be required. You can test the policy with the `report_uri`. Our default CSP
     ## does not work with Google analytics or Piwik, because they inject JS code that
     ## is blocked by CSP.
     csp:
+
       ## Report-Only header (default=true)
       ## By default diaspora* adds only a "Content-Security-Policy-Report-Only" header. If you set
       ## this to false, the "Content-Security-Policy" header is added instead.

config/initializers/secure_headers.rb

@@ -44,7 +44,7 @@ SecureHeaders::Configuration.default do |config|
 
   if AppConfig.settings.csp.report_only?
     config.csp = SecureHeaders::OPT_OUT
-    config.csp_report_only = csp
+    config.csp_report_only = csp if AppConfig.settings.csp.report_uri.present?
   else
     config.csp = csp
   end