actionpack 4.2.11.3 → 5.0.7.2

data/CHANGELOG.md

@@ -1,34 +1,92 @@
-## Rails 4.2.11.3 (May 15, 2020) ##
+## Rails 5.0.7.2 (March 11, 2019) ##
 
 *   No changes.
 
 
-## Rails 4.2.11.2 (May 15, 2020) ##
+## Rails 5.0.7.1 (November 27, 2018) ##
 
 *   No changes.
 
 
-## Rails 4.2.11.1 (March 11, 2019) ##
+## Rails 5.0.7 (March 29, 2018) ##
+
+*   Remove deprecation on `ActionController::Parameters#to_hash` when the instance is
+    permitted.
+
+    *Edouard Chin*
+
+
+## Rails 5.0.6 (September 07, 2017) ##
 
 *   No changes.
 
 
-## Rails 4.2.11 (November 27, 2018) ##
+## Rails 5.0.6.rc1 (August 24, 2017) ##
 
 *   No changes.
 
 
-## Rails 4.2.10 (September 27, 2017) ##
+## Rails 5.0.5 (July 31, 2017) ##
 
-*   Fix regression in behavior of `normalize_path`.
+*   No changes.
 
-    In Rails 5 there was a change to ensure the encoding of the original string
-    in a path was maintained. This was incorrectly backported to Rails 4.2 which
-    caused a regression.
 
-    *Eileen M. Uchitelle*
+## Rails 5.0.5.rc2 (July 25, 2017) ##
+
+*   No changes.
+
+
+## Rails 5.0.5.rc1 (July 19, 2017) ##
+
+*   Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
+
+    *Kir Shatrov*
 
-## Rails 4.2.9 (June 26, 2017) ##
+
+## Rails 5.0.4 (June 19, 2017) ##
+
+*   No changes.
+
+
+## Rails 5.0.3 (May 12, 2017) ##
+
+*   Raise exception when calling `to_h` in an unfiltered Parameters.
+
+    This method will raise on unfiltered Parameters if
+    `config.action_controller.raise_on_unfiltered_parameters` is true.
+
+    Before we returned either an empty hash or only the always permitted parameters
+    (`:controller` and `:action` by default).
+
+    The previous behavior was dangerous because in order to get the attributes users
+    usually fallback to use `to_unsafe_h` that could potentially introduce security issues.
+
+    *Rafael Mendonça França*
+
+*   Add `ActionController::Parameters#to_hash` to implicit conversion.
+
+    Now methods that implicit convert objects to a hash will be able to work without
+    requiring the users to change their implementation.
+
+    This method will return a `Hash` instead of a `ActiveSupport::HashWithIndefirentAccess`
+    to mimic the same implementation of `ActiveSupport::HashWithIndefirentAccess#to_hash`.
+
+    This method will raise on unfiltered Parameters if
+    `config.action_controller.raise_on_unfiltered_parameters` is true.
+
+    *Rafael Mendonça França*
+
+*   Undeprecate `ActionController::Parameters#to_query` and `#to_param`.
+
+    Previously it was raising a deprecation because it may be unsafe to use those methods
+    in an unfiltered parameter. Now we delegate to `#to_h` that already raise an error when
+    the Parameters instance is not permitted.
+
+    This also fix a bug when using `#to_query` in a hash that contains a
+    `ActionController::Parameters` instance and was returning the name of the class in the
+    string.
+
+    *Rafael Mendonça França*
 
 *   Use more specific check for :format in route path
 
@@ -56,635 +114,1083 @@
 
     *Andrew White*
 
+*   Don't include default headers in `ActionController::Metal` responses
 
-## Rails 4.2.8 (February 21, 2017) ##
+    The commit e16afe6 introduced an unintentional change of behavior where the default
+    headers were included in responses from `ActionController::Metai` based controllers.
+    This is now reverted to the previous behavior of having no default headers.
 
-*   No changes.
+    Fixes #25820.
 
+    *Jon Moss*
 
-## Rails 4.2.7 (July 12, 2016) ##
+*   Fix malformed URLS when using `ApplicationController.renderer`
 
-*   No changes.
+    The Rack environment variable `rack.url_scheme` was not being set so `scheme` was
+    returning `nil`. This caused URLs to be malformed with the default settings.
+    Fix this by setting `rack.url_scheme` when the environment is normalized.
 
+    Fixes #28151.
 
-## Rails 4.2.6 (March 07, 2016) ##
+    *George Vrettos*
 
-*   No changes.
+*   Commit flash changes when using a redirect route.
 
+    Fixes #27992.
 
-## Rails 4.2.5.2 (February 26, 2016) ##
+    *Andrew White*
 
-*   Do not allow render with unpermitted parameter.
 
-    Fixes CVE-2016-2098.
+## Rails 5.0.2 (March 01, 2017) ##
 
-    *Arthur Neves*
+*   Make `with_routing` test helper work when testing controllers inheriting from `ActionController::API`.
 
+    *Julia López*
 
-## Rails 4.2.5.1 (January 25, 2015) ##
 
-*   No changes.
+## Rails 5.0.1 (December 21, 2016) ##
 
+*   Restored correct `charset` behavior on `send_data` and `send_file`: while
+    they should pass along any supplied value, they should not add a default.
 
-## Rails 4.2.5 (November 12, 2015) ##
+    Fixes #27344.
 
-*   `ActionController::TestCase` can teardown gracefully if an error is raised
-    early in the `setup` chain.
+    *Matthew Draper*
 
-    *Yves Senn*
 
-*   Parse RSS/ATOM responses as XML, not HTML.
+## Rails 5.0.1.rc2 (December 10, 2016) ##
 
-    *Alexander Kaupanin*
+*   Move `cookies`, `flash`, and `session` methods back to
+    `ActionDispatch::Integration::Session`.
 
-*   Fix regression in mounted engine named routes generation for app deployed to
-    a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
-    "/subdir/subdir/engine_path" instead of "/subdir/engine_path")
+    *Matthew Draper*
 
-    Fixes #20920. Fixes #21459.
+*   Do not reset in `ActionDispatch::IntegrationTest#open_session`; doing so
+    is incompatible with existing (unintended) API usage.
 
-    *Matthew Erhard*
+    *Sean Griffin*
 
-*   `url_for` does not modify its arguments when generating polymorphic URLs.
 
-    *Bernerd Schaefer*
+## Rails 5.0.1.rc1 (December 01, 2016) ##
 
-*   Update `ActionController::TestSession#fetch` to behave more like
-    `ActionDispatch::Request::Session#fetch` when using non-string keys.
+*   Fixed error caused by `force_ssl_redirect` when `session_store` is
+    enabled.
 
-    *Jeremy Friesen*
+    Fixes #19679.
 
+    *Taishi Kasuga*
 
-## Rails 4.2.4 (August 24, 2015) ##
+*   Use accept header in integration tests with `as: :json`
 
-*   ActionController::TestSession now accepts a default value as well as
-    a block for generating a default value based off the key provided.
+    Instead of appending the `format` to the request path. Rails will figure
+    out the format from the header instead.
 
-    This fixes calls to session#fetch in ApplicationController instances that
-    take more two arguments or a block from raising `ArgumentError: wrong
-    number of arguments (2 for 1)` when performing controller tests.
+    This allows devs to use `:as` on routes that don't have a format.
 
-    *Matthew Gerrior*
+    Fixes #27144.
 
-*   Fix to keep original header instance in `ActionDispatch::SSL`
+    *Kasper Timm Hansen*
 
-    `ActionDispatch::SSL` changes headers to `Hash`.
-    So some headers will be broken if there are some middlewares
-    on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.
+*   Fixed integration test requests appending and changing request paths.
 
-    *Fumiaki Matsushima*
+        #Before
+        post "/anything", params: params, headers: headers, as: :json
 
+    "/anything" would be converted to "/anything.json" based on format.
+    The path is now maintained and the format is respected based on `:as`
+    option.
 
-## Rails 4.2.3 (June 25, 2015) ##
+    Fixes #27144.
 
-*   Fix rake routes not showing the right format when
-    nesting multiple routes.
+*   Fixes incorrect output from rails routes when using singular resources.
 
-    See #18373.
+    Fixes #26606.
 
-    *Ravil Bayramgalin*
+    *Erick Reyna*
 
-*   Fix regression where a gzip file response would have a Content-type,
-    even when it was a 304 status code.
+*   Fixes multiple calls to `logger.fatal` instead of a single call,
+    for every line in an exception backtrace, when printing trace
+    from `DebugExceptions` middleware.
 
-    See #19271.
+    Fixes #26134.
 
-    *Kohei Suzuki*
+    *Vipul A M*
 
-*   Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port
+*   Add `ActionController::Parameters#merge!`, which behaves the same as `Hash#merge!`.
 
-    Previously, an empty X_FORWARDED_HOST header would cause
-    Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
-    Actiondispatch::Http:URL.host to raise a NoMethodError.
+    *Yuji Yaginuma*
 
-    *Adam Forsyth*
+*   Added `ActionController::Parameters#deep_dup` which actually creates
+    a params copy, instead of refereing to old references in params.
 
-*   Fallback to `ENV['RAILS_RELATIVE_URL_ROOT']` in `url_for`.
+    Fixes #26566.
 
-    Fixed an issue where the `RAILS_RELATIVE_URL_ROOT` environment variable is not
-    prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
-    is set, it takes precedence.
+    *Pavel Evstigneev*, *Rafael Mendonça França*
 
-    Fixes #5122.
+*   Make `fixture_file_upload` work in integration tests.
 
-    *Yasyf Mohamedali*
+    *Yuji Yaginuma*
 
-*   Fix regression in functional tests. Responses should have default headers
-    assigned.
+*   Add `to_param` to `ActionController::Parameters` deprecations.
 
-    See #18423.
+    In the future `ActionController::Parameters` are discouraged from being used
+    in URLs without explicit whitelisting. Go through `to_h` to use `to_param`.
 
-    *Jeremy Kemper*, *Yves Senn*
+    *Kir Shatrov*
 
+*   Fix nested multiple roots
 
-## Rails 4.2.2 (June 16, 2015) ##
+    The PR #20940 enabled the use of multiple roots with different constraints
+    at the top level but unfortunately didn't work when those roots were inside
+    a namespace and also broke the use of root inside a namespace after a top
+    level root was defined because the check for the existence of the named route
+    used the global :root name and not the namespaced name.
 
-* No Changes *
+    This is fixed by using the name_for_action method to expand the :root name to
+    the full namespaced name. We can pass nil for the second argument as we're not
+    dealing with resource definitions so don't need to handle the cases for edit
+    and new routes.
 
+    Fixes #26148.
 
-## Rails 4.2.1 (March 19, 2015) ##
+    *Ryo Hashimoto*, *Andrew White*
 
-*   Non-string authenticity tokens do not raise NoMethodError when decoding
-    the masked token.
+*   SSL: Changes redirect behavior for all non-GET and non-HEAD requests
+    (like POST/PUT/PATCH etc) to `http://` resources to redirect to `https://`
+    with a [307 status code](http://tools.ietf.org/html/rfc7231#section-6.4.7) instead of [301 status code](http://tools.ietf.org/html/rfc7231#section-6.4.2).
 
-    *Ville Lautanala*
+    307 status code instructs the HTTP clients to preserve the original
+    request method while redirecting. It has been part of HTTP RFC since
+    1999 and is implemented/recognized by most (if not all) user agents.
 
-*   Explicitly ignored wildcard verbs when searching for HEAD routes before fallback
+        # Before
+        POST http://example.com/articles (i.e. ArticlesContoller#create)
+        redirects to
+        GET https://example.com/articles (i.e. ArticlesContoller#index)
 
-    Fixes an issue where a mounted rack app at root would intercept the HEAD
-    request causing an incorrect behavior during the fall back to GET requests.
+        # After
+        POST http://example.com/articles (i.e. ArticlesContoller#create)
+        redirects to
+        POST https://example.com/articles (i.e. ArticlesContoller#create)
+
+    *Chirag Singhal*
+
+*   Add `:as` option to `ActionController:TestCase#process` and related methods.
+
+    Specifying `as: mime_type` allows the `CONTENT_TYPE` header to be specified
+    in controller tests without manually doing this through `@request.headers['CONTENT_TYPE']`.
+
+    *Everest Stefan Munro-Zeisberger*
+
+*   Prevent autoload from deadlocking while ActionController::Live is streaming.
+
+    *Alex Chinn*
+
+*   Don't override the `Accept` header in integration tests when called with `xhr: true`.
+
+    Fixes #25859.
+
+    *David Chen*
+
+*   Reset a new session directly after its creation in `ActionDispatch::IntegrationTest#open_session`.
+
+    Fixes #22742.
+
+    *Tawan Sierek*
+
+*   Fix 'defaults' option for root route.
+
+    A regression from some refactoring for the 5.0 release, this change
+    fixes the use of 'defaults' (default parameters) in the 'root' routing method.
+
+    *Chris Arcand*
+
+*   Check `request.path_parameters` encoding at the point they're set.
+
+    Check for any non-UTF8 characters in path parameters at the point they're
+    set in `env`. Previously they were checked for when used to get a controller
+    class, but this meant routes that went directly to a Rack app, or skipped
+    controller instantiation for some other reason, had to defend against
+    non-UTF8 characters themselves.
+
+    *Grey Baker*
+
+*   Don't raise ActionController::UnknownHttpMethod from ActionDispatch::Static
+
+    Pass `Rack::Request` objects to `ActionDispatch::FileHandler` to avoid it
+    raising `ActionController::UnknownHttpMethod`. If an unknown method is
+    passed, it should exception higher in the stack instead, once we've had a
+    chance to define exception handling behaviour.
+
+    *Grey Baker*
+
+*   Handle `Rack::QueryParser` errors in `ActionDispatch::ExceptionWrapper`
+
+    Updated `ActionDispatch::ExceptionWrapper` to handle the Rack 2.0 namespace
+    for `ParameterTypeError` and `InvalidParameterError` errors.
+
+    *Grey Baker*
+
+*   Deprecated omitting the route path.
+    Specify the path with a String or a Symbol instead.
+
+        # Before
+        get action: :show, as: :show
+        # After
+        get "", action: :show, as: :show
+
+    *Volmer*
+
+*   Added new `ActionDispatch::DebugLocks` middleware that can be used
+    to diagnose deadlocks in the autoload interlock.
+    To use it, insert it near the top of the middleware stack, using
+    `config/application.rb`:
+
+        config.middleware.insert_before Rack::Sendfile, ActionDispatch::DebugLocks
+
+    After adding, visiting `/rails/locks` will show a summary of all
+    threads currently known to the interlock.
+
+    *Matthew Draper*
+
+*   Fix request encoding in Integration tests when string literals are
+    frozen using `--enable-frozen-string-literal` or `# frozen_string_literal: true`.
+
+    *Volmer*
+
+*   Since long keys are truncated when passed to ciphers, Ruby 2.4
+    doesn't accept keys greater than their max length.
+    Fixed default key length on cipher for `ActiveSupport::MessageEncryptor`,
+    which was causing errors on Ruby 2.4.
+
+    *Vipul A M*
+
+*   Fixed adding implicitly rendered template digests to ETags.
+    Properly ignore implicit template cache option to ETag, if `template: false`
+    is passed when rendering.
+
+    *Javan Makhmali*
+
+
+## Rails 5.0.0 (June 30, 2016) ##
+
+*   Add `ActionController#helpers` to get access to the view context at the controller
+    level.
+
+    *Rafael Mendonça França*
+
+*   Routing: Refactor `:action` default handling to ensure that path
+    parameters are not mutated during route generation.
+
+    *Andrew White*
+
+*   Add extension synonyms `yml` and `yaml` for MIME type `application/x-yaml`.
+
+    *bogdanvlviv*
+
+*   Adds support for including ActionController::Cookies in API controllers.
+    Previously, including the module would raise when trying to define
+    a `cookies` helper method. Skip calling #helper_method if it is not
+    defined -- if we don't have helpers, we needn't define one.
+
+    Fixes #24304
+
+    *Ryan T. Hosford*
+
+*   ETags: Introduce `Response#strong_etag=` and `#weak_etag=` and analogous
+    options for `fresh_when` and `stale?`. `Response#etag=` sets a weak ETag.
+
+    Strong ETags are desirable when you're serving byte-for-byte identical
+    responses that support Range requests, like PDFs or videos (typically
+    done by reproxying the response from a backend storage service).
+    Also desirable when fronted by some CDNs that support strong ETags
+    only, like Akamai.
+
+    *Jeremy Daer*
+
+*   ETags: No longer strips quotes (") from ETag values before comparing them.
+    Quotes are significant, part of the ETag. A quoted ETag and an unquoted
+    one are not the same entity.
+
+    *Jeremy Daer*
+
+*   ETags: Support `If-None-Match: *`. Rarely useful for GET requests; meant
+    to provide some optimistic concurrency control for PUT requests.
+
+    *Jeremy Daer*
+
+*   `ActionDispatch::ParamsParser` is deprecated and was removed from the middleware
+    stack. To configure the parameter parsers use `ActionDispatch::Request.parameter_parsers=`.
+
+    *tenderlove*
+
+*   When a `respond_to` collector with a block doesn't have a response, then
+    a `:no_content` response should be rendered.  This brings the default
+    rendering behavior introduced by https://github.com/rails/rails/issues/19036
+    to controller methods employing `respond_to`.
+
+    *Justin Coyne*
+
+*   Add `ActionController::Parameters#dig` on Ruby 2.3 and greater, which
+    behaves the same as `Hash#dig`.
+
+    *Sean Griffin*
+
+*   Add request headers in the payload of the `start_processing.action_controller`
+    and `process_action.action_controller` notifications.
+
+    *Gareth du Plooy*
+
+*   Add `action_dispatch_integration_test` load hook. The hook can be used to
+    extend `ActionDispatch::IntegrationTest` once it has been loaded.
+
+    *Yuichiro Kaneko*
+
+*   Update default rendering policies when the controller action did
+    not explicitly indicate a response.
+
+    For API controllers, the implicit render always renders "204 No Content"
+    and does not account for any templates.
+
+    For other controllers, the following conditions are checked:
+
+    First, if a template exists for the controller action, it is rendered.
+    This template lookup takes into account the action name, locales, format,
+    variant, template handlers, etc. (see `render` for details).
+
+    Second, if other templates exist for the controller action but is not in
+    the right format (or variant, etc.), an `ActionController::UnknownFormat`
+    is raised. The list of available templates is assumed to be a complete
+    enumeration of all the possible formats (or variants, etc.); that is,
+    having only HTML and JSON templates indicate that the controller action is
+    not meant to handle XML requests.
+
+    Third, if the current request is an "interactive" browser request (the user
+    navigated here by entering the URL in the address bar, submitting a form,
+    clicking on a link, etc. as opposed to an XHR or non-browser API request),
+    `ActionView::UnknownFormat` is raised to display a helpful error
+    message.
+
+    Finally, it falls back to the same "204 No Content" behavior as API controllers.
+
+    *Godfrey Chan*, *Jon Moss*, *Kasper Timm Hansen*, *Mike Clark*, *Matthew Draper*
+
+*   Add "application/gzip" as a default mime type.
+
+    *Mehmet Emin İNAÇ*
+
+*   Add request encoding and response parsing to integration tests.
+
+    What previously was:
 
-    Example:
     ```ruby
-    draw do
-        get '/home' => 'test#index'
-        mount rack_app, at: '/'
+    require 'test_helper'
+
+    class ApiTest < ActionDispatch::IntegrationTest
+      test 'creates articles' do
+        assert_difference -> { Article.count } do
+          post articles_path(format: :json),
+            params: { article: { title: 'Ahoy!' } }.to_json,
+            headers: { 'Content-Type' => 'application/json' }
+        end
+
+        assert_equal({ 'id' => Article.last.id, 'title' => 'Ahoy!' }, JSON.parse(response.body))
+      end
     end
-    head '/home'
-    assert_response :success
     ```
-    In this case, a HEAD request runs through the routes the first time and fails
-    to match anything. Then, it runs through the list with the fallback and matches
-    `get '/home'`. The original behavior would match the rack app in the first pass.
 
-    *Terence Sun*
+    Can now be written as:
 
-*   Preserve default format when generating URLs
+    ```ruby
+    require 'test_helper'
 
-    Fixes an issue that would cause the format set in default_url_options to be
-    lost when generating URLs with fewer positional arguments than parameters in
-    the route definition.
+    class ApiTest < ActionDispatch::IntegrationTest
+      test 'creates articles' do
+        assert_difference -> { Article.count } do
+          post articles_path, params: { article: { title: 'Ahoy!' } }, as: :json
+        end
 
-    Backport of #18627
+        assert_equal({ 'id' => Article.last.id, 'title' => 'Ahoy!' }, response.parsed_body)
+      end
+    end
+    ```
 
-    *Tekin Suleyman*, *Dominic Baggott*
+    Passing `as: :json` to integration test request helpers will set the format,
+    content type and encode the parameters as JSON.
 
-*   Default headers, removed in controller actions, are no longer reapplied on
-    the test response.
+    Then on the response side, `parsed_body` will parse the body according to the
+    content type the response has.
 
-    *Jonas Baumann*
+    Currently JSON is the only supported MIME type. Add your own with
+    `ActionDispatch::IntegrationTest.register_encoder`.
 
-*   Ensure `append_info_to_payload` is called even if an exception is raised.
+    *Kasper Timm Hansen*
 
-    Fixes an issue where when an exception is raised in the request the additonal
-    payload data is not available.
+*   Add "image/svg+xml" as a default mime type.
 
-    See:
-    * #14903
-    * https://github.com/roidrage/lograge/issues/37
+    *DHH*
 
-    *Dieter Komendera*, *Margus Pärt*
+*   Add `-g` and `-c` options to `bin/rails routes`. These options return the url `name`, `verb` and
+    `path` field that match the pattern or match a specific controller.
 
-*   Correctly rely on the response's status code to handle calls to `head`.
+    Deprecate `CONTROLLER` env variable in `bin/rails routes`.
 
-    *Robin Dupret*
+    See #18902.
 
-*   Using `head` method returns empty response_body instead
-    of returning a single space " ".
+    *Anton Davydov*, *Vipul A M*
 
-    The old behavior was added as a workaround for a bug in an early
-    version of Safari, where the HTTP headers are not returned correctly
-    if the response body has a 0-length. This is been fixed since and
-    the workaround is no longer necessary.
+*   Response etags to always be weak: Prefixes 'W/' to value returned by
+   `ActionDispatch::Http::Cache::Response#etag=`, such that etags set in
+   `fresh_when` and `stale?` are weak.
 
-    Fixes #18253.
+    Fixes #17556.
 
-    *Prathamesh Sonpatki*
+    *Abhishek Yadav*
 
-*   Fix how polymorphic routes works with objects that implement `to_model`.
+*   Provide the name of HTTP Status code in assertions.
 
-    *Travis Grathwell*
+    *Sean Collins*
 
-*   Fixed handling of positional url helper arguments when `format: false`.
+*   More explicit error message when running `rake routes`. `CONTROLLER` argument
+    can now be supplied in different ways:
+    `Rails::WelcomeController`, `Rails::Welcome`, `rails/welcome`.
 
-    Fixes #17819.
+    Fixes #22918.
 
-    *Andrew White*, *Tatiana Soukiassian*
+    *Edouard Chin*
 
-*   Fixed usage of optional scopes in URL helpers.
+*   Allow `ActionController::Parameters` instances as an argument to URL
+    helper methods. An `ArgumentError` will be raised if the passed parameters
+    are not secure.
 
-    *Alex Robbin*
+    Fixes #22832.
 
+    *Prathamesh Sonpatki*
 
-## Rails 4.2.0 (December 20, 2014) ##
+*   Add option for per-form CSRF tokens.
 
-*   Add `ActionController::Parameters#to_unsafe_h` to return an unfiltered
-    `Hash` representation of Parameters object. This is now a preferred way to
-    retrieve unfiltered parameters as we will stop inheriting `AC::Parameters`
-    object in Rails 5.0.
+    *Greg Ose*, *Ben Toews*
 
-    *Prem Sichanugrist*
+*   Fix `ActionController::Parameters#convert_parameters_to_hashes` to return filtered
+    or unfiltered values based on from where it is called, `to_h` or `to_unsafe_h`
+    respectively.
 
-*   Restore handling of a bare `Authorization` header, without `token=`
-    prefix.
+    Fixes #22841.
 
-    Fixes #17108.
+    *Prathamesh Sonpatki*
 
-    *Guo Xiang Tan*
+*   Add `ActionController::Parameters#include?`
 
-*   Deprecate use of string keys in URL helpers.
+    *Justin Coyne*
 
-    Use symbols instead.
-    Fixes #16958.
+*   Deprecate `redirect_to :back` in favor of `redirect_back`, which accepts a
+    required `fallback_location` argument, thus eliminating the possibility of a
+    `RedirectBackError`.
 
-    *Byron Bischoff*, *Melanie Gilman*
+    *Derek Prior*
 
-*   Deprecate the `only_path` option on `*_path` helpers.
+*   Add `redirect_back` method to `ActionController::Redirecting` to provide a
+    way to safely redirect to the `HTTP_REFERER` if it is present, falling back
+    to a provided redirect otherwise.
 
-    In cases where this option is set to `true`, the option is redundant and can
-    be safely removed; otherwise, the corresponding `*_url` helper should be
-    used instead.
+    *Derek Prior*
 
-    Fixes #17294.
+*   `ActionController::TestCase` will be moved to its own gem in Rails 5.1.
 
-    *Dan Olson*, *Godfrey Chan*
+    With the speed improvements made to `ActionDispatch::IntegrationTest` we no
+    longer need to keep two separate code bases for testing controllers. In
+    Rails 5.1 `ActionController::TestCase` will be deprecated and moved into a
+    gem outside of Rails source.
 
-*   Improve Journey compliance to RFC 3986.
+    This is a documentation deprecation so that going forward new tests will use
+    `ActionDispatch::IntegrationTest` instead of `ActionController::TestCase`.
 
-    The scanner in Journey failed to recognize routes that use literals
-    from the sub-delims section of RFC 3986. It's now able to parse those
-    authorized delimiters and route as expected.
+    *Eileen M. Uchitelle*
 
-    Fixes #17212.
+*   Add a `response_format` option to `ActionDispatch::DebugExceptions`
+    to configure the format of the response when errors occur in
+    development mode.
 
-    *Nicolas Cavigneaux*
+    If `response_format` is `:default` the debug info will be rendered
+    in an HTML page. In the other hand, if the provided value is `:api`
+    the debug info will be rendered in the original response format.
 
-*   Deprecate implicit Array conversion for Response objects. It was added
-    (using `#to_ary`) so we could conveniently use implicit splatting:
+    *Jorge Bejar*
 
-        status, headers, body = response
+*   Change the `protect_from_forgery` prepend default to `false`.
 
-    But it also means `response + response` works and `[response].flatten`
-    cascades down to the Rack body. Nonsense behavior. Instead, rely on
-    explicit conversion and splatting with `#to_a`:
+    Per this comment
+    https://github.com/rails/rails/pull/18334#issuecomment-69234050 we want
+    `protect_from_forgery` to default to `prepend: false`.
 
-        status, header, body = *response
+    `protect_from_forgery` will now be inserted into the callback chain at the
+    point it is called in your application. This is useful for cases where you
+    want to `protect_from_forgery` after you perform required authentication
+    callbacks or other callbacks that are required to run after forgery protection.
 
-    *Jeremy Kemper*
+    If you want `protect_from_forgery` callbacks to always run first, regardless of
+    position they are called in your application then you can add `prepend: true`
+    to your `protect_from_forgery` call.
 
-*   Don't rescue `IPAddr::InvalidAddressError`.
+    Example:
 
-    `IPAddr::InvalidAddressError` does not exist in Ruby 1.9.3
-    and fails for JRuby in 1.9 mode.
+    ```ruby
+    protect_from_forgery prepend: true
+    ```
+
+    *Eileen M. Uchitelle*
 
-    *Peter Suschlik*
+*   In url_for, never append a question mark to the URL when the query string
+    is empty anyway.  (It used to do that when called like `url_for(controller:
+    'x', action: 'y', q: {})`.)
 
-*   Fix bug where the router would ignore any constraints added to redirect
-    routes.
+    *Paul Grayson*
 
-    Fixes #16605.
+*   Catch invalid UTF-8 querystring values and respond with BadRequest
+
+    Check querystring params for invalid UTF-8 characters, and raise an
+    ActionController::BadRequest error if present. Previously these strings
+    would typically trigger errors further down the stack.
+
+    *Grey Baker*
+
+*   Parse RSS/ATOM responses as XML, not HTML.
+
+    *Alexander Kaupanin*
+
+*   Show helpful message in `BadRequest` exceptions due to invalid path
+    parameter encodings.
+
+    Fixes #21923.
 
     *Agis Anastasopoulos*
 
-*   Allow `config.action_dispatch.trusted_proxies` to accept an IPAddr object.
+*   Add the ability of returning arbitrary headers to `ActionDispatch::Static`.
+
+    Now ActionDispatch::Static can accept HTTP headers so that developers
+    will have control of returning arbitrary headers like
+    'Access-Control-Allow-Origin' when a response is delivered. They can be
+    configured with `#config`:
 
     Example:
 
-        # config/environments/production.rb
-        config.action_dispatch.trusted_proxies = IPAddr.new('4.8.15.0/16')
+        config.public_file_server.headers = {
+          "Cache-Control"               => "public, max-age=60",
+          "Access-Control-Allow-Origin" => "http://rubyonrails.org"
+        }
+
+    *Yuki Nishijima*
 
-    *Sam Aarons*
+*   Allow multiple `root` routes in same scope level. Example:
 
-*   Avoid duplicating routes for HEAD requests.
+    Example:
 
-    Instead of duplicating the routes, we will first match the HEAD request to
-    HEAD routes. If no match is found, we will then map the HEAD request to
-    GET routes.
+        root 'blog#show', constraints: ->(req) { Hostname.blog_site?(req.host) }
+        root 'landing#show'
 
-    *Guo Xiang Tan*, *Andrew White*
+    *Rafael Sales*
 
-*   Requests that hit `ActionDispatch::Static` can now take advantage
-    of gzipped assets on disk. By default a gzip asset will be served if
-    the client supports gzip and a compressed file is on disk.
+*   Fix regression in mounted engine named routes generation for app deployed to
+    a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
+    "/subdir/subdir/engine_path" instead of "/subdir/engine_path")
 
-    *Richard Schneeman*
+    Fixes #20920. Fixes #21459.
 
-*   `ActionController::Parameters` will stop inheriting from `Hash` and
-    `HashWithIndifferentAccess` in the next major release. If you use any method
-    that is not available on `ActionController::Parameters` you should consider
-    calling `#to_h` to convert it to a `Hash` first before calling that method.
+    *Matthew Erhard*
 
-    *Prem Sichanugrist*
+*   `ActionDispatch::Response#new` no longer applies default headers. If you want
+    default headers applied to the response object, then call
+    `ActionDispatch::Response.create`. This change only impacts people who are
+    directly constructing an `ActionDispatch::Response` object.
 
-*   `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted
-    keys removed. This change is to reflect on a security concern where some
-    method performed on an `ActionController::Parameters` may yield a `Hash`
-    object which does not maintain `permitted?` status. If you would like to
-    get a `Hash` with all the keys intact, duplicate and mark it as permitted
-    before calling `#to_h`.
+*   Accessing mime types via constants like `Mime::HTML` is deprecated. Please
+    change code like this:
 
-        params = ActionController::Parameters.new({
-          name: 'Senjougahara Hitagi',
-          oddity: 'Heavy stone crab'
-        })
-        params.to_h
-        # => {}
+        Mime::HTML
 
-        unsafe_params = params.dup.permit!
-        unsafe_params.to_h
-        # => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
+    To this:
 
-        safe_params = params.permit(:name)
-        safe_params.to_h
-        # => {"name"=>"Senjougahara Hitagi"}
+        Mime[:html]
 
-    This change is consider a stopgap as we cannot change the code to stop
-    `ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
-    in the next minor release.
+    This change is so that Rails will not manage a list of constants, and fixes
+    an issue where if a type isn't registered you could possibly get the wrong
+    object.
 
-    *Prem Sichanugrist*
+    `Mime[:html]` is available in older versions of Rails, too, so you can
+    safely change libraries and plugins and maintain compatibility with
+    multiple versions of Rails.
 
-*   Deprecated `TagAssertions`.
+*   `url_for` does not modify its arguments when generating polymorphic URLs.
 
-    *Kasper Timm Hansen*
+    *Bernerd Schaefer*
 
-*   Use the Active Support JSON encoder for cookie jars using the `:json` or
-    `:hybrid` serializer. This allows you to serialize custom Ruby objects into
-    cookies by defining the `#as_json` hook on such objects.
+*   Make it easier to opt in to `config.force_ssl` and `config.ssl_options` by
+    making them less dangerous to try and easier to disable.
+
+    SSL redirect:
+      * Move `:host` and `:port` options within `redirect: { … }`. Deprecate.
+      * Introduce `:status` and `:body` to customize the redirect response.
+        The 301 permanent default makes it difficult to test the redirect and
+        back out of it since browsers remember the 301. Test with a 302 or 307
+        instead, then switch to 301 once you're confident that all is well.
+
+    HTTP Strict Transport Security (HSTS):
+      * Shorter max-age. Shorten the default max-age from 1 year to 180 days,
+        the low end for https://www.ssllabs.com/ssltest/ grading and greater
+        than the 18-week minimum to qualify for browser preload lists.
+      * Disabling HSTS. Setting `hsts: false` now sets `hsts { expires: 0 }`
+        instead of omitting the header. Omitting does nothing to disable HSTS
+        since browsers hang on to your previous settings until they expire.
+        Sending `{ hsts: { expires: 0 }}` flushes out old browser settings and
+        actually disables HSTS:
+          http://tools.ietf.org/html/rfc6797#section-6.1.1
+      * HSTS Preload. Introduce `preload: true` to set the `preload` flag,
+        indicating that your site may be included in browser preload lists,
+        including Chrome, Firefox, Safari, IE11, and Edge. Submit your site:
+          https://hstspreload.appspot.com
+
+    *Jeremy Daer*
 
-    Fixes #16520.
+*   Update `ActionController::TestSession#fetch` to behave more like
+    `ActionDispatch::Request::Session#fetch` when using non-string keys.
+
+    *Jeremy Friesen*
 
-    *Godfrey Chan*
+*   Using strings or symbols for middleware class names is deprecated. Convert
+    things like this:
 
-*   Add `config.action_dispatch.cookies_digest` option for setting custom
-    digest. The default remains the same - 'SHA1'.
+      middleware.use "Foo::Bar"
 
-    *Łukasz Strzałkowski*
+    to this:
 
-*   Move `respond_with` (and the class-level `respond_to`) to
-    the `responders` gem.
+      middleware.use Foo::Bar
 
-    *José Valim*
+*   `ActionController::TestSession` now accepts a default value as well as
+    a block for generating a default value based off the key provided.
 
-*   When your templates change, browser caches bust automatically.
+    This fixes calls to `session#fetch` in `ApplicationController` instances that
+    take more two arguments or a block from raising `ArgumentError: wrong
+    number of arguments (2 for 1)` when performing controller tests.
 
-    New default: the template digest is automatically included in your ETags.
-    When you call `fresh_when @post`, the digest for `posts/show.html.erb`
-    is mixed in so future changes to the HTML will blow HTTP caches for you.
-    This makes it easy to HTTP-cache many more of your actions.
+    *Matthew Gerrior*
 
-    If you render a different template, you can now pass the `:template`
-    option to include its digest instead:
+*   Fix `ActionController::Parameters#fetch` overwriting `KeyError` returned by
+    default block.
 
-        fresh_when @post, template: 'widgets/show'
+    *Jonas Schuber Erlandsson*, *Roque Pinel*
 
-    Pass `template: false` to skip the lookup. To turn this off entirely, set:
+*   `ActionController::Parameters` no longer inherits from
+    `HashWithIndifferentAccess`
 
-        config.action_controller.etag_with_template_digest = false
+    Inheriting from `HashWithIndifferentAccess` allowed users to call any
+    enumerable methods on `Parameters` object, resulting in a risk of losing the
+    `permitted?` status or even getting back a pure `Hash` object instead of
+    a `Parameters` object with proper sanitization.
 
-    *Jeremy Kemper*
+    By not inheriting from `HashWithIndifferentAccess`, we are able to make
+    sure that all methods that are defined in `Parameters` object will return
+    a proper `Parameters` object with a correct `permitted?` flag.
 
-*   Remove deprecated `AbstractController::Helpers::ClassMethods::MissingHelperError`
-    in favor of `AbstractController::Helpers::MissingHelperError`.
+    *Prem Sichanugrist*
 
-    *Yves Senn*
+*   Replaced `ActiveSupport::Concurrency::Latch` with `Concurrent::CountDownLatch`
+    from the concurrent-ruby gem.
 
-*   Fix `assert_template` not being able to assert that no files were rendered.
+    *Jerry D'Antonio*
 
-    *Guo Xiang Tan*
+*   Add ability to filter parameters based on parent keys.
 
-*   Extract source code for the entire exception stack trace for
-    better debugging and diagnosis.
+        # matches {credit_card: {code: "xxxx"}}
+        # doesn't match {file: { code: "xxxx"}}
+        config.filter_parameters += [ "credit_card.code" ]
 
-    *Ryan Dao*
+    See #13897.
 
-*   Allows ActionDispatch::Request::LOCALHOST to match any IPv4 127.0.0.0/8
-    loopback address.
+    *Guillaume Malette*
 
-    *Earl St Sauver*, *Sven Riedel*
+*   Deprecate passing first parameter as `Hash` and default status code for `head` method.
 
-*   Preserve original path in `ShowExceptions` middleware by stashing it as
-    `env["action_dispatch.original_path"]`
+    *Mehmet Emin İNAÇ*
 
-    `ActionDispatch::ShowExceptions` overwrites `PATH_INFO` with the status code
-    for the exception defined in `ExceptionWrapper`, so the path
-    the user was visiting when an exception occurred was not previously
-    available to any custom exceptions_app. The original `PATH_INFO` is now
-    stashed in `env["action_dispatch.original_path"]`.
+*   Adds`Rack::Utils::ParameterTypeError` and `Rack::Utils::InvalidParameterError`
+    to the rescue_responses hash in `ExceptionWrapper` (Rack recommends
+    integrators serve 400s for both of these).
 
     *Grey Baker*
 
-*   Use `String#bytesize` instead of `String#size` when checking for cookie
-    overflow.
+*   Add support for API only apps.
+    `ActionController::API` is added as a replacement of
+    `ActionController::Base` for this kind of applications.
 
-    *Agis Anastasopoulos*
+    *Santiago Pastorino*, *Jorge Bejar*
 
-*   `render nothing: true` or rendering a `nil` body no longer add a single
-    space to the response body.
+*   Remove `assigns` and `assert_template`. Both methods have been extracted
+    into a gem at https://github.com/rails/rails-controller-testing.
 
-    The old behavior was added as a workaround for a bug in an early version of
-    Safari, where the HTTP headers are not returned correctly if the response
-    body has a 0-length. This is been fixed since and the workaround is no
-    longer necessary.
+    See #18950.
 
-    Use `render body: ' '` if the old behavior is desired.
+    *Alan Guo Xiang Tan*
 
-    See #14883 for details.
+*   `FileHandler` and `Static` middleware initializers accept `index` argument
+    to configure the directory index file name. Defaults to `index` (as in
+    `index.html`).
 
-    *Godfrey Chan*
+    See #20017.
 
-*   Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
-    ("Rosetta Flash").
+    *Eliot Sykes*
 
-    *Greg Campbell*
+*   Deprecate `:nothing` option for `render` method.
 
-*   Because URI paths may contain non US-ASCII characters we need to force
-    the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
-    This essentially replicates the functionality of the monkey patch to
-    URI.parser.unescape in active_support/core_ext/uri.rb.
+    *Mehmet Emin İNAÇ*
 
-    Fixes #16104.
+*   Fix `rake routes` not showing the right format when
+    nesting multiple routes.
 
-    *Karl Entwistle*
+    See #18373.
 
-*   Generate shallow paths for all children of shallow resources.
+    *Ravil Bayramgalin*
 
-    Fixes #15783.
+*   Add ability to override default form builder for a controller.
 
-    *Seb Jacobs*
+        class AdminController < ApplicationController
+          default_form_builder AdminFormBuilder
+        end
 
-*   JSONP responses are now rendered with the `text/javascript` content type
-    when rendering through a `respond_to` block.
+    *Kevin McPhillips*
 
-    Fixes #15081.
+*   For actions with no corresponding templates, render `head :no_content`
+    instead of raising an error. This allows for slimmer API controller
+    methods that simply work, without needing further instructions.
 
-    *Lucas Mazza*
+    See #19036.
 
-*   Add `config.action_controller.always_permitted_parameters` to configure which
-    parameters are permitted globally. The default value of this configuration is
-    `['controller', 'action']`.
+    *Stephen Bussey*
 
-    *Gary S. Weaver*, *Rafael Chacon*
+*   Provide friendlier access to request variants.
 
-*   Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
+        request.variant = :phone
+        request.variant.phone?  # true
+        request.variant.tablet? # false
 
-    Fixes #15511.
+        request.variant = [:phone, :tablet]
+        request.variant.phone?                  # true
+        request.variant.desktop?                # false
+        request.variant.any?(:phone, :desktop)  # true
+        request.variant.any?(:desktop, :watch)  # false
 
-    *Larry Lv*
+    *George Claghorn*
 
-*   ActionController::Parameters#require now accepts `false` values.
+*   Fix regression where a gzip file response would have a Content-type,
+    even when it was a 304 status code.
 
-    Fixes #15685.
+    See #19271.
 
-    *Sergio Romano*
+    *Kohei Suzuki*
 
-*   With authorization header `Authorization: Token token=`, `authenticate` now
-    recognize token as nil, instead of "token".
+*   Fix handling of empty `X_FORWARDED_HOST` header in `raw_host_with_port`.
 
-    Fixes #14846.
+    Previously, an empty `X_FORWARDED_HOST` header would cause
+    `Actiondispatch::Http:URL.raw_host_with_port` to return `nil`, causing
+    `Actiondispatch::Http:URL.host` to raise a `NoMethodError`.
 
-    *Larry Lv*
+    *Adam Forsyth*
+
+*   Allow `Bearer` as token-keyword in `Authorization-Header`.
 
-*   Ensure the controller is always notified as soon as the client disconnects
-    during live streaming, even when the controller is blocked on a write.
+    Additionally to `Token`, the keyword `Bearer` is acceptable as a keyword
+    for the auth-token. The `Bearer` keyword is described in the original
+    OAuth RFC and used in libraries like Angular-JWT.
 
-    *Nicholas Jakobsen*, *Matthew Draper*
+    See #19094.
 
-*   Routes specifying 'to:' must be a string that contains a "#" or a rack
-    application.  Use of a symbol should be replaced with `action: symbol`.
-    Use of a string without a "#" should be replaced with `controller: string`.
+    *Peter Schröder*
 
-    *Aaron Patterson*
+*   Drop request class from `RouteSet` constructor.
 
-*   Fix URL generation with `:trailing_slash` such that it does not add
-    a trailing slash after `.:format`
+    If you would like to use a custom request class, please subclass and implement
+    the `request_class` method.
 
-    *Dan Langevin*
+    *tenderlove@ruby-lang.org*
 
-*   Build full URI as string when processing path in integration tests for
-    performance reasons. One consequence of this is that the leading slash
-    is now required in integration test `process` helpers, whereas previously
-    it could be omitted. The fact that this worked was a unintended consequence
-    of the implementation and was never an intentional feature.
+*   Fallback to `ENV['RAILS_RELATIVE_URL_ROOT']` in `url_for`.
+
+    Fixed an issue where the `RAILS_RELATIVE_URL_ROOT` environment variable is not
+    prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
+    is set, it takes precedence.
+
+    Fixes #5122.
+
+    *Yasyf Mohamedali*
+
+*   Partitioning of routes is now done when the routes are being drawn. This
+    helps to decrease the time spent filtering the routes during the first request.
 
     *Guo Xiang Tan*
 
-*   Fix `'Stack level too deep'` when rendering `head :ok` in an action method
-    called 'status' in a controller.
+*   Fix regression in functional tests. Responses should have default headers
+    assigned.
+
+    See #18423.
+
+    *Jeremy Kemper*, *Yves Senn*
+
+*   Deprecate `AbstractController#skip_action_callback` in favor of individual skip_callback methods
+    (which can be made to raise an error if no callback was removed).
+
+    *Iain Beeston*
+
+*   Alias the `ActionDispatch::Request#uuid` method to `ActionDispatch::Request#request_id`.
+    Due to implementation, `config.log_tags = [:request_id]` also works in substitute
+    for `config.log_tags = [:uuid]`.
+
+    *David Ilizarov*
+
+*   Change filter on /rails/info/routes to use an actual path regexp from rails
+    and not approximate javascript version. Oniguruma supports much more
+    extensive list of features than javascript regexp engine.
+
+    Fixes #18402.
+
+    *Ravil Bayramgalin*
+
+*   Non-string authenticity tokens do not raise NoMethodError when decoding
+    the masked token.
 
-    Fixes #13905.
+    *Ville Lautanala*
 
-    *Christiaan Van den Poel*
+*   Add `http_cache_forever` to Action Controller, so we can cache a response
+    that never gets expired.
 
-*   Add MKCALENDAR HTTP method (RFC 4791).
+    *arthurnn*
 
-    *Sergey Karpesh*
+*   `ActionController#translate` supports symbols as shortcuts.
+    When a shortcut is given it also performs the lookup without the action
+    name.
 
-*   Instrument fragment cache metrics.
+    *Max Melentiev*
 
-    Adds `:controller`: and `:action` keys to the instrumentation payload
-    for the `*_fragment.action_controller` notifications. This allows tracking
-    e.g. the fragment cache hit rates for each controller action.
+*   Expand `ActionController::ConditionalGet#fresh_when` and `stale?` to also
+    accept a collection of records as the first argument, so that the
+    following code can be written in a shorter form.
 
-    *Daniel Schierbeck*
+        # Before
+        def index
+          @articles = Article.all
+          fresh_when(etag: @articles, last_modified: @articles.maximum(:updated_at))
+        end
 
-*   Always use the provided port if the protocol is relative.
+        # After
+        def index
+          @articles = Article.all
+          fresh_when(@articles)
+        end
 
-    Fixes #15043.
+    *claudiob*
 
-    *Guilherme Cavalcanti*, *Andrew White*
+*   Explicitly ignored wildcard verbs when searching for HEAD routes before fallback
 
-*   Moved `params[request_forgery_protection_token]` into its own method
-    and improved tests.
+    Fixes an issue where a mounted rack app at root would intercept the HEAD
+    request causing an incorrect behavior during the fall back to GET requests.
 
-    Fixes #11316.
+    Example:
 
-    *Tom Kadwill*
+        draw do
+            get '/home' => 'test#index'
+            mount rack_app, at: '/'
+        end
+        head '/home'
+        assert_response :success
 
-*   Added verification of route constraints given as a Proc or an object responding
-    to `:matches?`. Previously, when given an non-complying object, it would just
-    silently fail to enforce the constraint. It will now raise an `ArgumentError`
-    when setting up the routes.
+    In this case, a HEAD request runs through the routes the first time and fails
+    to match anything. Then, it runs through the list with the fallback and matches
+    `get '/home'`. The original behavior would match the rack app in the first pass.
 
-    *Xavier Defrang*
+    *Terence Sun*
 
-*   Properly treat the entire IPv6 User Local Address space as private for
-    purposes of remote IP detection. Also handle uppercase private IPv6
-    addresses.
+*   Discarded flash messages get removed before storing into session.
 
-    Fixes #12638.
+    *Samuel Cochran*
 
-    *Caleb Spare*
+*   Migrating xhr methods to keyword arguments syntax
+    in `ActionController::TestCase` and `ActionDispatch::Integration`
 
-*   Fixed an issue with migrating legacy json cookies.
+    Old syntax:
 
-    Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming
-    cookies are marshal-encoded. This is not the case when `secret_token` is
-    used in conjunction with the `:json` or `:hybrid` serializer.
+        xhr :get, :create, params: { id: 1 }
 
-    In those case, when upgrading to use `secret_key_base`, this would cause a
-    `TypeError: incompatible marshal file format` and a 500 error for the user.
+    New syntax example:
 
-    Fixes #14774.
+        get :create, params: { id: 1 }, xhr: true
 
-    *Godfrey Chan*
+    *Kir Shatrov*
 
-*   Make URL escaping more consistent:
+*   Migrating to keyword arguments syntax in `ActionController::TestCase` and
+    `ActionDispatch::Integration` HTTP request methods.
 
-    1. Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
-    2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
-    3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
-    4. Use `escape_segment` rather than `escape_path` in URL generation
+    Example:
 
-    For point 4 there are two exceptions. Firstly, when a route uses wildcard segments
-    (e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This
-    means that wildcard routes can't be optimized. Secondly, if a `:controller` segment
-    is used in the path then this uses `escape_path` as the controller may be namespaced.
+        post :create, params: { y: x }, session: { a: 'b' }
+        get :view, params: { id: 1 }
+        get :view, params: { id: 1 }, format: :json
 
-    Fixes #14629, #14636 and #14070.
+    *Kir Shatrov*
 
-    *Andrew White*, *Edho Arief*
+*   Preserve default url options when generating URLs.
 
-*   Add alias `ActionDispatch::Http::UploadedFile#to_io` to
-    `ActionDispatch::Http::UploadedFile#tempfile`.
+    Fixes an issue that would cause `default_url_options` to be lost when
+    generating URLs with fewer positional arguments than parameters in the
+    route definition.
 
-    *Tim Linquist*
+    *Tekin Suleyman*
 
-*   Returns null type format when format is not know and controller is using `any`
-    format block.
+*   Deprecate `*_via_redirect` integration test methods.
 
-    Fixes #14462.
+    Use `follow_redirect!` manually after the request call for the same behavior.
+
+    *Aditya Kapoor*
+
+*   Add `ActionController::Renderer` to render arbitrary templates
+    outside controller actions.
+
+    Its functionality is accessible through class methods `render` and
+    `renderer` of `ActionController::Base`.
+
+    *Ravil Bayramgalin*
+
+*   Support `:assigns` option when rendering with controllers/mailers.
+
+    *Ravil Bayramgalin*
+
+*   Default headers, removed in controller actions, are no longer reapplied on
+    the test response.
+
+    *Jonas Baumann*
+
+*   Deprecate all `*_filter` callbacks in favor of `*_action` callbacks.
 
     *Rafael Mendonça França*
 
-*   Improve routing error page with fuzzy matching search.
+*   Allow you to pass `prepend: false` to `protect_from_forgery` to have the
+    verification callback appended instead of prepended to the chain.
+    This allows you to let the verification step depend on prior callbacks.
 
-    *Winston*
+    Example:
 
-*   Only make deeply nested routes shallow when parent is shallow.
+        class ApplicationController < ActionController::Base
+          before_action :authenticate
+          protect_from_forgery prepend: false, unless: -> { @authenticated_by.oauth? }
 
-    Fixes #14684.
+          private
+            def authenticate
+              if oauth_request?
+                # authenticate with oauth
+                @authenticated_by = 'oauth'.inquiry
+              else
+                # authenticate with cookies
+                @authenticated_by = 'cookie'.inquiry
+              end
+            end
+        end
 
-    *Andrew White*, *James Coglan*
+    *Josef Šimánek*
 
-*   Append link to bad code to backtrace when exception is `SyntaxError`.
+*   Remove `ActionController::HideActions`.
 
-    *Boris Kuznetsov*
+    *Ravil Bayramgalin*
 
-*   Swapped the parameters of assert_equal in `assert_select` so that the
-    proper values were printed correctly.
+*   Remove `respond_to`/`respond_with` placeholder methods, this functionality
+    has been extracted to the `responders` gem.
 
-    Fixes #14422.
+    *Carlos Antonio da Silva*
 
-    *Vishal Lal*
+*   Remove deprecated assertion files.
 
-*   The method `shallow?` returns false if the parent resource is a singleton so
-    we need to check if we're not inside a nested scope before copying the :path
-    and :as options to their shallow equivalents.
+    *Rafael Mendonça França*
 
-    Fixes #14388.
+*   Remove deprecated usage of string keys in URL helpers.
 
-    *Andrew White*
+    *Rafael Mendonça França*
+
+*   Remove deprecated `only_path` option on `*_path` helpers.
+
+    *Rafael Mendonça França*
+
+*   Remove deprecated `NamedRouteCollection#helpers`.
+
+    *Rafael Mendonça França*
+
+*   Remove deprecated support to define routes with `:to` option that doesn't contain `#`.
+
+    *Rafael Mendonça França*
+
+*   Remove deprecated `ActionDispatch::Response#to_ary`.
+
+    *Rafael Mendonça França*
+
+*   Remove deprecated `ActionDispatch::Request#deep_munge`.
+
+    *Rafael Mendonça França*
+
+*   Remove deprecated `ActionDispatch::Http::Parameters#symbolized_path_parameters`.
+
+    *Rafael Mendonça França*
+
+*   Remove deprecated option `use_route` in controller tests.
+
+    *Rafael Mendonça França*
+
+*   Ensure `append_info_to_payload` is called even if an exception is raised.
 
-*   Make logging of CSRF failures optional (but on by default) with the
-    `log_warning_on_csrf_failure` configuration setting in
-    `ActionController::RequestForgeryProtection`.
+    Fixes an issue where when an exception is raised in the request the additional
+    payload data is not available.
+
+    See #14903.
 
-    *John Barton*
+    *Dieter Komendera*, *Margus Pärt*
 
-*   Fix URL generation in controller tests with request-dependent
-    `default_url_options` methods.
+*   Correctly rely on the response's status code to handle calls to `head`.
+
+    *Robin Dupret*
+
+*   Using `head` method returns empty response_body instead
+    of returning a single space " ".
+
+    The old behavior was added as a workaround for a bug in an early
+    version of Safari, where the HTTP headers are not returned correctly
+    if the response body has a 0-length. This is been fixed since and
+    the workaround is no longer necessary.
 
-    *Tony Wooster*
+    Fixes #18253.
+
+    *Prathamesh Sonpatki*
+
+*   Fix how polymorphic routes works with objects that implement `to_model`.
+
+    *Travis Grathwell*
+
+*   Stop converting empty arrays in `params` to `nil`.
+
+    This behavior was introduced in response to CVE-2012-2660, CVE-2012-2694
+    and CVE-2013-0155
+
+    ActiveRecord now issues a safe query when passing an empty array into
+    a where clause, so there is no longer a need to defend against this type
+    of input (any nils are still stripped from the array).
+
+    *Chris Sinjakli*
+
+*   Remove `ActionController::ModelNaming` module.
+
+    *claudiob*
+
+*   Fixed usage of optional scopes in url helpers.
+
+    *Alex Robbin*
+
+*   Fixed handling of positional url helper arguments when `format: false`.
+
+    Fixes #17819.
+
+    *Andrew White*, *Tatiana Soukiassian*
 
-Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [4-2-stable](https://github.com/rails/rails/blob/4-2-stable/actionpack/CHANGELOG.md) for previous changes.