include the HTTP Permissions-Policy on non-HTML Content-Types

[CVE-2024-28103]

The application configurable Permissions-Policy is only
served on responses with an HTML related Content-Type.

This change allows all Content-Types to serve the
configured Permissions-Policy as there are many non-HTML
Content-Types that would benefit from this header.
(examples include image/svg+xml and application/xml)

Author: fresh-eggs

actionpack/lib/action_dispatch/http/permissions_policy.rb

@@ -37,7 +37,6 @@ def initialize(app)
       def call(env)
         _, headers, _ = response = @app.call(env)
 
-        return response unless html_response?(headers)
         return response if policy_present?(headers)
 
         request = ActionDispatch::Request.new(env)
@@ -54,12 +53,6 @@ def call(env)
       end
 
       private
-        def html_response?(headers)
-          if content_type = headers[Rack::CONTENT_TYPE]
-            content_type.include?("html")
-          end
-        end
-
         def policy_present?(headers)
           headers[ActionDispatch::Constants::FEATURE_POLICY]
         end

actionpack/test/dispatch/permissions_policy_test.rb

@@ -69,12 +69,12 @@ def call(env)
     assert_equal "gyroscope 'self'", response.headers[ActionDispatch::Constants::FEATURE_POLICY]
   end
 
-  test "non-html requests will not set a policy" do
+  test "non-html requests will set a policy" do
     @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "application/json" }, []] })
 
     get "/index"
 
-    assert_nil response.headers[ActionDispatch::Constants::FEATURE_POLICY]
+    assert_equal "gyroscope 'self'", response.headers[ActionDispatch::Constants::FEATURE_POLICY]
   end
 
   test "existing policies will not be overwritten" do