From 0ac0c014f34a1275376f6f0c787e507f3d1ec7fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Thu, 7 Mar 2019 09:02:56 +0100
Subject: [PATCH] [29673] Avoid stale? with CSP nonces
Not all headers treat 304 responses equally, some do replay the CSP headers from the original 200 GET, but we cannot rely on that. If the header is not replayed, the frontend-cached nonces will not be valid resulting in a CSP violation. ``` References: https://github.com/w3c/webappsec-csp/issues/161 https://bugs.chromium.org/p/chromium/issues/detail?id=174301 ``` https://community.openproject.com/wp/29673
---
 app/controllers/activities_controller.rb | 36 +++++++++----------
 1 file changed, 13 insertions(+), 23 deletions(-)
diff --git a/app/controllers/activities_controller.rb b/app/controllers/activities_controller.rb
index 909bc14052..6a8ce6e0fb 100644
--- a/app/controllers/activities_controller.rb
+++ b/app/controllers/activities_controller.rb
@@ -52,30 +52,20 @@ class ActivitiesController < ApplicationController
 events = @activity.events(@date_from, @date_to)
 censor_events_from_projects_with_disabled_activity!(events) unless @project
-
- if events.empty? || stale?(etag: [@activity.scope,
- @date_to,
- @date_from,
- @with_subprojects,
- @author,
- events.first,
- User.current,
- current_language,
- DesignColor.overwritten])
- respond_to do |format|
- format.html do
- @events_by_day = events.group_by { |e| e.event_datetime.in_time_zone(User.current.time_zone).to_date }
- render layout: false if request.xhr?
- end
- format.atom do
- title = l(:label_activity)
- if @author
- title = @author.name
- elsif @activity.scope.size == 1
- title = l("label_#{@activity.scope.first.singularize}_plural")
- end
- render_feed(events, title: "#{@project || Setting.app_title}: #{title}")
+
+ respond_to do |format|
+ format.html do
+ @events_by_day = events.group_by { |e| e.event_datetime.in_time_zone(User.current.time_zone).to_date }
+ render layout: false if request.xhr?
+ end
+ format.atom do
+ title = l(:label_activity)
+ if @author
+ title = @author.name
+ elsif @activity.scope.size == 1
+ title = l("label_#{@activity.scope.first.singularize}_plural")
 end
+ render_feed(events, title: "#{@project || Setting.app_title}: #{title}")
 end
 end