actionpack 4.2.10 → 5.2.4.6

data/CHANGELOG.md

@@ -1,670 +1,504 @@
-## Rails 4.2.10 (September 27, 2017) ##
+## Rails 5.2.4.6 (May 05, 2021) ##
 
-*   Fix regression in behavior of `normalize_path`.
+*   Prevent regex DoS in HTTP token authentication
+    CVE-2021-22904
 
-    In Rails 5 there was a change to ensure the encoding of the original string
-    in a path was maintained. This was incorrectly backported to Rails 4.2 which
-    caused a regression.
+*   Prevent string polymorphic route arguments.
 
-    *Eileen M. Uchitelle*
-
-## Rails 4.2.9 (June 26, 2017) ##
-
-*   Use more specific check for :format in route path
-
-    The current check for whether to add an optional format to the path is very lax
-    and will match things like `:format_id` where there are nested resources, e.g:
-
-    ``` ruby
-    resources :formats do
-      resources :items
-    end
-    ```
+    `url_for` supports building polymorphic URLs via an array
+    of arguments (usually symbols and records). If a developer passes a
+    user input array, strings can result in unwanted route helper calls.
 
-    Fix this by using a more restrictive regex pattern that looks for the patterns
-    `(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
-    allow for multiple closing parenthesis since the route may be of this form:
+    CVE-2021-22885
 
-    ``` ruby
-    get "/books(/:action(.:format))", controller: "books"
-    ```
-
-    This probably isn't what's intended since it means that the default index action
-    route doesn't support a format but we have a test for it so we need to allow it.
-
-    Fixes #28517.
-
-    *Andrew White*
+    *Gannon McGibbon*
 
-
-## Rails 4.2.8 (February 21, 2017) ##
+## Rails 5.2.4.5 (February 10, 2021) ##
 
 *   No changes.
 
 
-## Rails 4.2.7 (July 12, 2016) ##
+## Rails 5.2.4.4 (September 09, 2020) ##
 
 *   No changes.
 
 
-## Rails 4.2.6 (March 07, 2016) ##
-
-*   No changes.
+## Rails 5.2.4.3 (May 18, 2020) ##
 
+*   [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
 
-## Rails 4.2.5.2 (February 26, 2016) ##
+*   [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
 
-*   Do not allow render with unpermitted parameter.
 
-    Fixes CVE-2016-2098.
+## Rails 5.2.4.1 (December 18, 2019) ##
 
-    *Arthur Neves*
+*   Fix possible information leak / session hijacking vulnerability.
 
+    The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
+    gem dalli to be updated as well.
 
-## Rails 4.2.5.1 (January 25, 2015) ##
-
-*   No changes.
+    CVE-2019-16782.
 
 
-## Rails 4.2.5 (November 12, 2015) ##
+## Rails 5.2.4 (November 27, 2019) ##
 
-*   `ActionController::TestCase` can teardown gracefully if an error is raised
-    early in the `setup` chain.
+*   No changes.
 
-    *Yves Senn*
 
-*   Parse RSS/ATOM responses as XML, not HTML.
+## Rails 5.2.3 (March 27, 2019) ##
 
-    *Alexander Kaupanin*
+*   Allow using `public` and `no-cache` together in the the Cache Control header.
 
-*   Fix regression in mounted engine named routes generation for app deployed to
-    a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
-    "/subdir/subdir/engine_path" instead of "/subdir/engine_path")
+    Before this change, even if `public` was specified in the Cache Control header,
+    it was excluded when `no-cache` was included. This change preserves the
+    `public` value as is.
 
-    Fixes #20920. Fixes #21459.
+    Fixes #34780.
 
-    *Matthew Erhard*
+    *Yuji Yaginuma*
 
-*   `url_for` does not modify its arguments when generating polymorphic URLs.
+*   Allow `nil` params for `ActionController::TestCase`.
 
-    *Bernerd Schaefer*
+    *Ryo Nakamura*
 
-*   Update `ActionController::TestSession#fetch` to behave more like
-    `ActionDispatch::Request::Session#fetch` when using non-string keys.
 
-    *Jeremy Friesen*
+## Rails 5.2.2.1 (March 11, 2019) ##
 
+*   No changes.
 
-## Rails 4.2.4 (August 24, 2015) ##
 
-*   ActionController::TestSession now accepts a default value as well as
-    a block for generating a default value based off the key provided.
+## Rails 5.2.2 (December 04, 2018) ##
 
-    This fixes calls to session#fetch in ApplicationController instances that
-    take more two arguments or a block from raising `ArgumentError: wrong
-    number of arguments (2 for 1)` when performing controller tests.
+*   Reset Capybara sessions if failed system test screenshot raising an exception.
 
-    *Matthew Gerrior*
+    Reset Capybara sessions if `take_failed_screenshot` raise exception
+    in system test `after_teardown`.
 
-*   Fix to keep original header instance in `ActionDispatch::SSL`
+    *Maxim Perepelitsa*
 
-    `ActionDispatch::SSL` changes headers to `Hash`.
-    So some headers will be broken if there are some middlewares
-    on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.
+*   Use request object for context if there's no controller
 
-    *Fumiaki Matsushima*
+    There is no controller instance when using a redirect route or a
+    mounted rack application so pass the request object as the context
+    when resolving dynamic CSP sources in this scenario.
 
+    Fixes #34200.
 
-## Rails 4.2.3 (June 25, 2015) ##
+    *Andrew White*
 
-*   Fix rake routes not showing the right format when
-    nesting multiple routes.
+*   Apply mapping to symbols returned from dynamic CSP sources
 
-    See #18373.
+    Previously if a dynamic source returned a symbol such as :self it
+    would be converted to a string implicity, e.g:
 
-    *Ravil Bayramgalin*
+        policy.default_src -> { :self }
 
-*   Fix regression where a gzip file response would have a Content-type,
-    even when it was a 304 status code.
+    would generate the header:
 
-    See #19271.
+        Content-Security-Policy: default-src self
 
-    *Kohei Suzuki*
+    and now it generates:
 
-*   Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port
+        Content-Security-Policy: default-src 'self'
 
-    Previously, an empty X_FORWARDED_HOST header would cause
-    Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
-    Actiondispatch::Http:URL.host to raise a NoMethodError.
+    *Andrew White*
 
-    *Adam Forsyth*
+*   Fix `rails routes -c` for controller name consists of multiple word.
 
-*   Fallback to `ENV['RAILS_RELATIVE_URL_ROOT']` in `url_for`.
+    *Yoshiyuki Kinjo*
 
-    Fixed an issue where the `RAILS_RELATIVE_URL_ROOT` environment variable is not
-    prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
-    is set, it takes precedence.
+*   Call the `#redirect_to` block in controller context.
 
-    Fixes #5122.
+    *Steven Peckins*
 
-    *Yasyf Mohamedali*
 
-*   Fix regression in functional tests. Responses should have default headers
-    assigned.
+## Rails 5.2.1.1 (November 27, 2018) ##
 
-    See #18423.
+*   No changes.
 
-    *Jeremy Kemper*, *Yves Senn*
 
+## Rails 5.2.1 (August 07, 2018) ##
 
-## Rails 4.2.2 (June 16, 2015) ##
+*   Prevent `?null=` being passed on JSON encoded test requests.
 
-* No Changes *
+    `RequestEncoder#encode_params` won't attempt to parse params if
+    there are none.
 
+    So call like this will no longer append a `?null=` query param.
 
-## Rails 4.2.1 (March 19, 2015) ##
+        get foos_url, as: :json
 
-*   Non-string authenticity tokens do not raise NoMethodError when decoding
-    the masked token.
+    *Alireza Bashiri*
 
-    *Ville Lautanala*
+*   Ensure `ActionController::Parameters#transform_values` and
+    `ActionController::Parameters#transform_values!` converts hashes into
+    parameters.
 
-*   Explicitly ignored wildcard verbs when searching for HEAD routes before fallback
+    *Kevin Sjöberg*
 
-    Fixes an issue where a mounted rack app at root would intercept the HEAD
-    request causing an incorrect behavior during the fall back to GET requests.
+*   Fix strong parameters `permit!` with nested arrays.
 
-    Example:
-    ```ruby
-    draw do
-        get '/home' => 'test#index'
-        mount rack_app, at: '/'
-    end
-    head '/home'
-    assert_response :success
+    Given:
+    ```
+    params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
+    params.permit!
     ```
-    In this case, a HEAD request runs through the routes the first time and fails
-    to match anything. Then, it runs through the list with the fallback and matches
-    `get '/home'`. The original behavior would match the rack app in the first pass.
-
-    *Terence Sun*
-
-*   Preserve default format when generating URLs
-
-    Fixes an issue that would cause the format set in default_url_options to be
-    lost when generating URLs with fewer positional arguments than parameters in
-    the route definition.
-
-    Backport of #18627
-
-    *Tekin Suleyman*, *Dominic Baggott*
-
-*   Default headers, removed in controller actions, are no longer reapplied on
-    the test response.
-
-    *Jonas Baumann*
-
-*   Ensure `append_info_to_payload` is called even if an exception is raised.
-
-    Fixes an issue where when an exception is raised in the request the additonal
-    payload data is not available.
-
-    See:
-    * #14903
-    * https://github.com/roidrage/lograge/issues/37
-
-    *Dieter Komendera*, *Margus Pärt*
-
-*   Correctly rely on the response's status code to handle calls to `head`.
-
-    *Robin Dupret*
-
-*   Using `head` method returns empty response_body instead
-    of returning a single space " ".
-
-    The old behavior was added as a workaround for a bug in an early
-    version of Safari, where the HTTP headers are not returned correctly
-    if the response body has a 0-length. This is been fixed since and
-    the workaround is no longer necessary.
-
-    Fixes #18253.
-
-    *Prathamesh Sonpatki*
-
-*   Fix how polymorphic routes works with objects that implement `to_model`.
-
-    *Travis Grathwell*
-
-*   Fixed handling of positional url helper arguments when `format: false`.
-
-    Fixes #17819.
-
-    *Andrew White*, *Tatiana Soukiassian*
-
-*   Fixed usage of optional scopes in URL helpers.
-
-    *Alex Robbin*
-
-
-## Rails 4.2.0 (December 20, 2014) ##
-
-*   Add `ActionController::Parameters#to_unsafe_h` to return an unfiltered
-    `Hash` representation of Parameters object. This is now a preferred way to
-    retrieve unfiltered parameters as we will stop inheriting `AC::Parameters`
-    object in Rails 5.0.
-
-    *Prem Sichanugrist*
-
-*   Restore handling of a bare `Authorization` header, without `token=`
-    prefix.
-
-    Fixes #17108.
-
-    *Guo Xiang Tan*
-
-*   Deprecate use of string keys in URL helpers.
-
-    Use symbols instead.
-    Fixes #16958.
-
-    *Byron Bischoff*, *Melanie Gilman*
-
-*   Deprecate the `only_path` option on `*_path` helpers.
-
-    In cases where this option is set to `true`, the option is redundant and can
-    be safely removed; otherwise, the corresponding `*_url` helper should be
-    used instead.
-
-    Fixes #17294.
-
-    *Dan Olson*, *Godfrey Chan*
-
-*   Improve Journey compliance to RFC 3986.
-
-    The scanner in Journey failed to recognize routes that use literals
-    from the sub-delims section of RFC 3986. It's now able to parse those
-    authorized delimiters and route as expected.
-
-    Fixes #17212.
-
-    *Nicolas Cavigneaux*
-
-*   Deprecate implicit Array conversion for Response objects. It was added
-    (using `#to_ary`) so we could conveniently use implicit splatting:
-
-        status, headers, body = response
-
-    But it also means `response + response` works and `[response].flatten`
-    cascades down to the Rack body. Nonsense behavior. Instead, rely on
-    explicit conversion and splatting with `#to_a`:
-
-        status, header, body = *response
-
-    *Jeremy Kemper*
-
-*   Don't rescue `IPAddr::InvalidAddressError`.
-
-    `IPAddr::InvalidAddressError` does not exist in Ruby 1.9.3
-    and fails for JRuby in 1.9 mode.
-
-    *Peter Suschlik*
-
-*   Fix bug where the router would ignore any constraints added to redirect
-    routes.
-
-    Fixes #16605.
-
-    *Agis Anastasopoulos*
 
-*   Allow `config.action_dispatch.trusted_proxies` to accept an IPAddr object.
+    `params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
 
-    Example:
+    *Steve Hull*
 
-        # config/environments/production.rb
-        config.action_dispatch.trusted_proxies = IPAddr.new('4.8.15.0/16')
+*   Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
+    `ActionController::TestCase` subclasses.
 
-    *Sam Aarons*
+    *Eugene Kenny*
 
-*   Avoid duplicating routes for HEAD requests.
+*   Output only one Content-Security-Policy nonce header value per request.
 
-    Instead of duplicating the routes, we will first match the HEAD request to
-    HEAD routes. If no match is found, we will then map the HEAD request to
-    GET routes.
+    Fixes #32597.
 
-    *Guo Xiang Tan*, *Andrew White*
+    *Andrey Novikov*, *Andrew White*
 
-*   Requests that hit `ActionDispatch::Static` can now take advantage
-    of gzipped assets on disk. By default a gzip asset will be served if
-    the client supports gzip and a compressed file is on disk.
+*   Only disable GPUs for headless Chrome on Windows.
 
-    *Richard Schneeman*
+    It is not necessary anymore for Linux and macOS machines.
 
-*   `ActionController::Parameters` will stop inheriting from `Hash` and
-    `HashWithIndifferentAccess` in the next major release. If you use any method
-    that is not available on `ActionController::Parameters` you should consider
-    calling `#to_h` to convert it to a `Hash` first before calling that method.
+    https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
 
-    *Prem Sichanugrist*
+    *Stefan Wrobel*
 
-*   `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted
-    keys removed. This change is to reflect on a security concern where some
-    method performed on an `ActionController::Parameters` may yield a `Hash`
-    object which does not maintain `permitted?` status. If you would like to
-    get a `Hash` with all the keys intact, duplicate and mark it as permitted
-    before calling `#to_h`.
+*   Fix system tests transactions not closed between examples.
 
-        params = ActionController::Parameters.new({
-          name: 'Senjougahara Hitagi',
-          oddity: 'Heavy stone crab'
-        })
-        params.to_h
-        # => {}
+    *Sergey Tarasov*
 
-        unsafe_params = params.dup.permit!
-        unsafe_params.to_h
-        # => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
 
-        safe_params = params.permit(:name)
-        safe_params.to_h
-        # => {"name"=>"Senjougahara Hitagi"}
+## Rails 5.2.0 (April 09, 2018) ##
 
-    This change is consider a stopgap as we cannot change the code to stop
-    `ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
-    in the next minor release.
+*   Check exclude before flagging cookies as secure.
 
-    *Prem Sichanugrist*
+    *Catherine Khuu*
 
-*   Deprecated `TagAssertions`.
+*   Always yield a CSP policy instance from `content_security_policy`
 
-    *Kasper Timm Hansen*
+    This allows a controller action to enable the policy individually
+    for a controller and/or specific actions.
 
-*   Use the Active Support JSON encoder for cookie jars using the `:json` or
-    `:hybrid` serializer. This allows you to serialize custom Ruby objects into
-    cookies by defining the `#as_json` hook on such objects.
+    *Andrew White*
 
-    Fixes #16520.
+*   Add the ability to disable the global CSP in a controller, e.g:
 
-    *Godfrey Chan*
+        class LegacyPagesController < ApplicationController
+          content_security_policy false, only: :index
+        end
 
-*   Add `config.action_dispatch.cookies_digest` option for setting custom
-    digest. The default remains the same - 'SHA1'.
+    *Andrew White*
 
-    *Łukasz Strzałkowski*
+*   Add alias method `to_hash` to `to_h` for `cookies`.
+    Add alias method `to_h` to `to_hash` for `session`.
 
-*   Move `respond_with` (and the class-level `respond_to`) to
-    the `responders` gem.
+    *Igor Kasyanchuk*
 
-    *José Valim*
+*   Update the default HSTS max-age value to 31536000 seconds (1 year)
+    to meet the minimum max-age requirement for https://hstspreload.org/.
 
-*   When your templates change, browser caches bust automatically.
+    *Grant Bourque*
 
-    New default: the template digest is automatically included in your ETags.
-    When you call `fresh_when @post`, the digest for `posts/show.html.erb`
-    is mixed in so future changes to the HTML will blow HTTP caches for you.
-    This makes it easy to HTTP-cache many more of your actions.
+*   Add support for automatic nonce generation for Rails UJS.
 
-    If you render a different template, you can now pass the `:template`
-    option to include its digest instead:
+    Because the UJS library creates a script tag to process responses it
+    normally requires the script-src attribute of the content security
+    policy to include 'unsafe-inline'.
 
-        fresh_when @post, template: 'widgets/show'
+    To work around this we generate a per-request nonce value that is
+    embedded in a meta tag in a similar fashion to how CSRF protection
+    embeds its token in a meta tag. The UJS library can then read the
+    nonce value and set it on the dynamically generated script tag to
+    enable it to execute without needing 'unsafe-inline' enabled.
 
-    Pass `template: false` to skip the lookup. To turn this off entirely, set:
+    Nonce generation isn't 100% safe - if your script tag is including
+    user generated content in someway then it may be possible to exploit
+    an XSS vulnerability which can take advantage of the nonce. It is
+    however an improvement on a blanket permission for inline scripts.
 
-        config.action_controller.etag_with_template_digest = false
+    It is also possible to use the nonce within your own script tags by
+    using `nonce: true` to set the nonce value on the tag, e.g
 
-    *Jeremy Kemper*
+        <%= javascript_tag nonce: true do %>
+          alert('Hello, World!');
+        <% end %>
 
-*   Remove deprecated `AbstractController::Helpers::ClassMethods::MissingHelperError`
-    in favor of `AbstractController::Helpers::MissingHelperError`.
+    Fixes #31689.
 
-    *Yves Senn*
+    *Andrew White*
 
-*   Fix `assert_template` not being able to assert that no files were rendered.
+*   Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
 
-    *Guo Xiang Tan*
+    Rails 5.0 introduced a bug when looping through controller params using `each`. Only the keys of params hash were passed to the block, e.g.
 
-*   Extract source code for the entire exception stack trace for
-    better debugging and diagnosis.
+        # Parameters: {"param"=>"1", "param_two"=>"2"}
+        def index
+          params.each do |name|
+            puts name
+          end
+        end
 
-    *Ryan Dao*
+        # Prints
+        # param
+        # param_two
 
-*   Allows ActionDispatch::Request::LOCALHOST to match any IPv4 127.0.0.0/8
-    loopback address.
+    In Rails 5.2 the bug has been fixed and name will be an array (which was the behavior for all versions prior to 5.0), instead of a string.
 
-    *Earl St Sauver*, *Sven Riedel*
+    To fix the code above simply change as per example below:
 
-*   Preserve original path in `ShowExceptions` middleware by stashing it as
-    `env["action_dispatch.original_path"]`
+        # Parameters: {"param"=>"1", "param_two"=>"2"}
+        def index
+          params.each do |name, value|
+            puts name
+          end
+        end
 
-    `ActionDispatch::ShowExceptions` overwrites `PATH_INFO` with the status code
-    for the exception defined in `ExceptionWrapper`, so the path
-    the user was visiting when an exception occurred was not previously
-    available to any custom exceptions_app. The original `PATH_INFO` is now
-    stashed in `env["action_dispatch.original_path"]`.
+        # Prints
+        # param
+        # param_two
 
-    *Grey Baker*
+    *Dominic Cleal*
 
-*   Use `String#bytesize` instead of `String#size` when checking for cookie
-    overflow.
+*   Add `Referrer-Policy` header to default headers set.
 
-    *Agis Anastasopoulos*
+    *Guillermo Iguaran*
 
-*   `render nothing: true` or rendering a `nil` body no longer add a single
-    space to the response body.
+*   Changed the system tests to set Puma as default server only when the
+    user haven't specified manually another server.
 
-    The old behavior was added as a workaround for a bug in an early version of
-    Safari, where the HTTP headers are not returned correctly if the response
-    body has a 0-length. This is been fixed since and the workaround is no
-    longer necessary.
+    *Guillermo Iguaran*
 
-    Use `render body: ' '` if the old behavior is desired.
+*   Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
+    default headers set.
 
-    See #14883 for details.
+    *Guillermo Iguaran*
 
-    *Godfrey Chan*
+*   Add headless firefox support to System Tests.
 
-*   Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
-    ("Rosetta Flash").
+    *bogdanvlviv*
 
-    *Greg Campbell*
+*   Changed the default system test screenshot output from `inline` to `simple`.
 
-*   Because URI paths may contain non US-ASCII characters we need to force
-    the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
-    This essentially replicates the functionality of the monkey patch to
-    URI.parser.unescape in active_support/core_ext/uri.rb.
+    `inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
+    Terminal.app ignore the `inline` and output the path to the file since it can't
+    render the image. Other terminals, like those on Ubuntu, cannot handle the image
+    inline, but also don't handle it gracefully and instead of outputting the file
+    path, it dumps binary into the terminal.
 
-    Fixes #16104.
+    Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
 
-    *Karl Entwistle*
+    *Eileen M. Uchitelle*
 
-*   Generate shallow paths for all children of shallow resources.
+*   Register most popular audio/video/font mime types supported by modern browsers.
 
-    Fixes #15783.
+    *Guillermo Iguaran*
 
-    *Seb Jacobs*
+*   Fix optimized url helpers when using relative url root.
 
-*   JSONP responses are now rendered with the `text/javascript` content type
-    when rendering through a `respond_to` block.
+    Fixes #31220.
 
-    Fixes #15081.
+    *Andrew White*
 
-    *Lucas Mazza*
+*   Add DSL for configuring Content-Security-Policy header.
 
-*   Add `config.action_controller.always_permitted_parameters` to configure which
-    parameters are permitted globally. The default value of this configuration is
-    `['controller', 'action']`.
+    The DSL allows you to configure a global Content-Security-Policy
+    header and then override within a controller. For more information
+    about the Content-Security-Policy header see MDN:
 
-    *Gary S. Weaver*, *Rafael Chacon*
+    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 
-*   Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
+    Example global policy:
 
-    Fixes #15511.
+        # config/initializers/content_security_policy.rb
+        Rails.application.config.content_security_policy do |p|
+          p.default_src :self, :https
+          p.font_src    :self, :https, :data
+          p.img_src     :self, :https, :data
+          p.object_src  :none
+          p.script_src  :self, :https
+          p.style_src   :self, :https, :unsafe_inline
+        end
 
-    *Larry Lv*
+    Example controller overrides:
 
-*   ActionController::Parameters#require now accepts `false` values.
+        # Override policy inline
+        class PostsController < ApplicationController
+          content_security_policy do |p|
+            p.upgrade_insecure_requests true
+          end
+        end
 
-    Fixes #15685.
+        # Using literal values
+        class PostsController < ApplicationController
+          content_security_policy do |p|
+            p.base_uri "https://www.example.com"
+          end
+        end
 
-    *Sergio Romano*
+        # Using mixed static and dynamic values
+        class PostsController < ApplicationController
+          content_security_policy do |p|
+            p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
+          end
+        end
 
-*   With authorization header `Authorization: Token token=`, `authenticate` now
-    recognize token as nil, instead of "token".
+    Allows you to also only report content violations for migrating
+    legacy content using the `content_security_policy_report_only`
+    configuration attribute, e.g;
 
-    Fixes #14846.
+        # config/initializers/content_security_policy.rb
+        Rails.application.config.content_security_policy_report_only = true
 
-    *Larry Lv*
+        # controller override
+        class PostsController < ApplicationController
+          content_security_policy_report_only only: :index
+        end
 
-*   Ensure the controller is always notified as soon as the client disconnects
-    during live streaming, even when the controller is blocked on a write.
+    Note that this feature does not validate the header for performance
+    reasons since the header is calculated at runtime.
 
-    *Nicholas Jakobsen*, *Matthew Draper*
+    *Andrew White*
 
-*   Routes specifying 'to:' must be a string that contains a "#" or a rack
-    application.  Use of a symbol should be replaced with `action: symbol`.
-    Use of a string without a "#" should be replaced with `controller: string`.
+*   Make `assert_recognizes` to traverse mounted engines.
 
-    *Aaron Patterson*
+    *Yuichiro Kaneko*
 
-*   Fix URL generation with `:trailing_slash` such that it does not add
-    a trailing slash after `.:format`
+*   Remove deprecated `ActionController::ParamsParser::ParseError`.
 
-    *Dan Langevin*
+    *Rafael Mendonça França*
 
-*   Build full URI as string when processing path in integration tests for
-    performance reasons. One consequence of this is that the leading slash
-    is now required in integration test `process` helpers, whereas previously
-    it could be omitted. The fact that this worked was a unintended consequence
-    of the implementation and was never an intentional feature.
+*   Add `:allow_other_host` option to `redirect_back` method.
 
-    *Guo Xiang Tan*
+    When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
+    different host. `allow_other_host` is `true` by default.
 
-*   Fix `'Stack level too deep'` when rendering `head :ok` in an action method
-    called 'status' in a controller.
+    *Tim Masliuchenko*
 
-    Fixes #13905.
+*   Add headless chrome support to System Tests.
 
-    *Christiaan Van den Poel*
+    *Yuji Yaginuma*
 
-*   Add MKCALENDAR HTTP method (RFC 4791).
+*   Add ability to enable Early Hints for HTTP/2
 
-    *Sergey Karpesh*
+    If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
 
-*   Instrument fragment cache metrics.
+    The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
 
-    Adds `:controller`: and `:action` keys to the instrumentation payload
-    for the `*_fragment.action_controller` notifications. This allows tracking
-    e.g. the fragment cache hit rates for each controller action.
+    *Eileen M. Uchitelle*, *Aaron Patterson*
 
-    *Daniel Schierbeck*
+*   Simplify cookies middleware with key rotation support
 
-*   Always use the provided port if the protocol is relative.
+    Use the `rotate` method for both `MessageEncryptor` and
+    `MessageVerifier` to add key rotation support for encrypted and
+    signed cookies. This also helps simplify support for legacy cookie
+    security.
 
-    Fixes #15043.
+    *Michael J Coyne*
 
-    *Guilherme Cavalcanti*, *Andrew White*
+*   Use Capybara registered `:puma` server config.
 
-*   Moved `params[request_forgery_protection_token]` into its own method
-    and improved tests.
+    The Capybara registered `:puma` server ensures the puma server is run in process so
+    connection sharing and open request detection work correctly by default.
 
-    Fixes #11316.
+    *Thomas Walpole*
 
-    *Tom Kadwill*
+*   Cookies `:expires` option supports `ActiveSupport::Duration` object.
 
-*   Added verification of route constraints given as a Proc or an object responding
-    to `:matches?`. Previously, when given an non-complying object, it would just
-    silently fail to enforce the constraint. It will now raise an `ArgumentError`
-    when setting up the routes.
+        cookies[:user_name] = { value: "assain", expires: 1.hour }
+        cookies[:key] = { value: "a yummy cookie", expires: 6.months }
 
-    *Xavier Defrang*
+    Pull Request: #30121
 
-*   Properly treat the entire IPv6 User Local Address space as private for
-    purposes of remote IP detection. Also handle uppercase private IPv6
-    addresses.
+    *Assain Jaleel*
 
-    Fixes #12638.
+*   Enforce signed/encrypted cookie expiry server side.
 
-    *Caleb Spare*
+    Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
 
-*   Fixed an issue with migrating legacy json cookies.
+    It does so by stashing the expiry within the written cookie and relying on the
+    signing/encrypting to vouch that it hasn't been tampered with. Then on a
+    server-side read, the expiry is verified and any expired cookie is discarded.
 
-    Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming
-    cookies are marshal-encoded. This is not the case when `secret_token` is
-    used in conjunction with the `:json` or `:hybrid` serializer.
+    Pull Request: #30121
 
-    In those case, when upgrading to use `secret_key_base`, this would cause a
-    `TypeError: incompatible marshal file format` and a 500 error for the user.
+    *Assain Jaleel*
 
-    Fixes #14774.
+*   Make `take_failed_screenshot` work within engine.
 
-    *Godfrey Chan*
+    Fixes #30405.
 
-*   Make URL escaping more consistent:
+    *Yuji Yaginuma*
 
-    1. Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
-    2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
-    3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
-    4. Use `escape_segment` rather than `escape_path` in URL generation
+*   Deprecate `ActionDispatch::TestResponse` response aliases.
 
-    For point 4 there are two exceptions. Firstly, when a route uses wildcard segments
-    (e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This
-    means that wildcard routes can't be optimized. Secondly, if a `:controller` segment
-    is used in the path then this uses `escape_path` as the controller may be namespaced.
+    `#success?`, `#missing?` & `#error?` are not supported by the actual
+    `ActionDispatch::Response` object and can produce false-positives. Instead,
+    use the response helpers provided by `Rack::Response`.
 
-    Fixes #14629, #14636 and #14070.
+    *Trevor Wistaff*
 
-    *Andrew White*, *Edho Arief*
+*   Protect from forgery by default
 
-*   Add alias `ActionDispatch::Http::UploadedFile#to_io` to
-    `ActionDispatch::Http::UploadedFile#tempfile`.
+    Rather than protecting from forgery in the generated `ApplicationController`,
+    add it to `ActionController::Base` depending on
+    `config.action_controller.default_protect_from_forgery`. This configuration
+    defaults to false to support older versions which have removed it from their
+    `ApplicationController`, but is set to true for Rails 5.2.
 
-    *Tim Linquist*
+    *Lisa Ugray*
 
-*   Returns null type format when format is not know and controller is using `any`
-    format block.
+*   Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
 
-    Fixes #14462.
+    *Kir Shatrov*
 
-    *Rafael Mendonça França*
+*   `driven_by` now registers poltergeist and capybara-webkit.
 
-*   Improve routing error page with fuzzy matching search.
+    If poltergeist or capybara-webkit are set as drivers is set for System Tests,
+    `driven_by` will register the driver and set additional options passed via
+    the `:options` parameter.
 
-    *Winston*
+    Refer to the respective driver's documentation to see what options can be passed.
 
-*   Only make deeply nested routes shallow when parent is shallow.
+    *Mario Chavez*
 
-    Fixes #14684.
+*   AEAD encrypted cookies and sessions with GCM.
 
-    *Andrew White*, *James Coglan*
+    Encrypted cookies now use AES-GCM which couples authentication and
+    encryption in one faster step and produces shorter ciphertexts. Cookies
+    encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
+    this new mode is enabled via the
+    `action_dispatch.use_authenticated_cookie_encryption` configuration value.
 
-*   Append link to bad code to backtrace when exception is `SyntaxError`.
+    *Michael J Coyne*
 
-    *Boris Kuznetsov*
+*   Change the cache key format for fragments to make it easier to debug key churn. The new format is:
 
-*   Swapped the parameters of assert_equal in `assert_select` so that the
-    proper values were printed correctly.
+        views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
+              ^template path           ^template tree digest            ^class   ^id
 
-    Fixes #14422.
+    *DHH*
 
-    *Vishal Lal*
+*   Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
+    `ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
+    to support it.
 
-*   The method `shallow?` returns false if the parent resource is a singleton so
-    we need to check if we're not inside a nested scope before copying the :path
-    and :as options to their shallow equivalents.
+    *DHH*
 
-    Fixes #14388.
+*   Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
 
-    *Andrew White*
+    `ActionController::Base` and `ActionController::API` have differing implementations. This means that
+    the one umbrella hook `action_controller` is not able to address certain situations where a method
+    may not exist in a certain implementation.
 
-*   Make logging of CSRF failures optional (but on by default) with the
-    `log_warning_on_csrf_failure` configuration setting in
-    `ActionController::RequestForgeryProtection`.
+    This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
 
-    *John Barton*
+    Fixes #27013.
 
-*   Fix URL generation in controller tests with request-dependent
-    `default_url_options` methods.
+    *Julian Nadeau*
 
-    *Tony Wooster*
 
-Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.