Defer creation of Request object until the object is in need

amatsuda · amatsuda · commit c0f16c16a3fd · 2022-12-15T11:55:03.000+09:00
diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -32,7 +32,6 @@ def initialize(app)
       end
 
       def call(env)
-        request = ActionDispatch::Request.new env
         status, headers, _ = response = @app.call(env)
 
         # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the new
@@ -41,6 +40,8 @@ def call(env)
 
         return response if policy_present?(headers)
 
+        request = ActionDispatch::Request.new env
+
         if policy = request.content_security_policy
           nonce = request.content_security_policy_nonce
           nonce_directives = request.content_security_policy_nonce_directives
diff --git a/actionpack/lib/action_dispatch/http/permissions_policy.rb b/actionpack/lib/action_dispatch/http/permissions_policy.rb
@@ -34,12 +34,13 @@ def initialize(app)
       end
 
       def call(env)
-        request = ActionDispatch::Request.new(env)
         _, headers, _ = response = @app.call(env)
 
         return response unless html_response?(headers)
         return response if policy_present?(headers)
 
+        request = ActionDispatch::Request.new(env)
+
         if policy = request.permissions_policy
           headers[POLICY] = policy.build(request.controller_instance)
         end
