RubyGems - actionpack - Versions diffs - 5.2.4.4 → 6.1.1 - Mend

actionpack 5.2.4.4 → 6.1.1

Potentially problematic release.

This version of actionpack might be problematic. Click here for more details.

Files changed (155) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +264 -322
data/MIT-LICENSE +1 -1
data/README.rdoc +4 -3
data/lib/abstract_controller.rb +1 -0
data/lib/abstract_controller/base.rb +38 -4
data/lib/abstract_controller/caching.rb +1 -1
data/lib/abstract_controller/caching/fragments.rb +6 -22
data/lib/abstract_controller/callbacks.rb +14 -2
data/lib/abstract_controller/collector.rb +1 -2
data/lib/abstract_controller/helpers.rb +106 -90
data/lib/abstract_controller/railties/routes_helpers.rb +1 -1
data/lib/abstract_controller/rendering.rb +9 -9
data/lib/abstract_controller/translation.rb +11 -5
data/lib/action_controller.rb +7 -4
data/lib/action_controller/api.rb +4 -3
data/lib/action_controller/base.rb +6 -9
data/lib/action_controller/caching.rb +1 -3
data/lib/action_controller/log_subscriber.rb +10 -7
data/lib/action_controller/metal.rb +10 -8
data/lib/action_controller/metal/basic_implicit_render.rb +1 -1
data/lib/action_controller/metal/conditional_get.rb +19 -5
data/lib/action_controller/metal/content_security_policy.rb +1 -2
data/lib/action_controller/metal/cookies.rb +3 -1
data/lib/action_controller/metal/data_streaming.rb +6 -7
data/lib/action_controller/metal/default_headers.rb +17 -0
data/lib/action_controller/metal/etag_with_template_digest.rb +3 -5
data/lib/action_controller/metal/exceptions.rb +56 -2
data/lib/action_controller/metal/flash.rb +5 -5
data/lib/action_controller/metal/head.rb +7 -4
data/lib/action_controller/metal/helpers.rb +14 -5
data/lib/action_controller/metal/http_authentication.rb +24 -23
data/lib/action_controller/metal/implicit_render.rb +5 -15
data/lib/action_controller/metal/instrumentation.rb +13 -14
data/lib/action_controller/metal/live.rb +30 -32
data/lib/action_controller/metal/logging.rb +20 -0
data/lib/action_controller/metal/mime_responds.rb +19 -4
data/lib/action_controller/metal/parameter_encoding.rb +35 -4
data/lib/action_controller/metal/params_wrapper.rb +31 -22
data/lib/action_controller/metal/permissions_policy.rb +46 -0
data/lib/action_controller/metal/redirecting.rb +6 -6
data/lib/action_controller/metal/renderers.rb +4 -4
data/lib/action_controller/metal/rendering.rb +8 -3
data/lib/action_controller/metal/request_forgery_protection.rb +62 -34
data/lib/action_controller/metal/rescue.rb +1 -1
data/lib/action_controller/metal/streaming.rb +0 -1
data/lib/action_controller/metal/strong_parameters.rb +167 -58
data/lib/action_controller/metal/url_for.rb +1 -1
data/lib/action_controller/railties/helpers.rb +1 -1
data/lib/action_controller/renderer.rb +37 -13
data/lib/action_controller/template_assertions.rb +1 -1
data/lib/action_controller/test_case.rb +70 -65
data/lib/action_dispatch.rb +9 -3
data/lib/action_dispatch/http/cache.rb +26 -21
data/lib/action_dispatch/http/content_disposition.rb +45 -0
data/lib/action_dispatch/http/content_security_policy.rb +33 -19
data/lib/action_dispatch/http/filter_parameters.rb +9 -8
data/lib/action_dispatch/http/filter_redirect.rb +2 -3
data/lib/action_dispatch/http/headers.rb +4 -4
data/lib/action_dispatch/http/mime_negotiation.rb +26 -13
data/lib/action_dispatch/http/mime_type.rb +42 -23
data/lib/action_dispatch/http/parameters.rb +14 -23
data/lib/action_dispatch/http/permissions_policy.rb +173 -0
data/lib/action_dispatch/http/request.rb +45 -22
data/lib/action_dispatch/http/response.rb +45 -25
data/lib/action_dispatch/http/upload.rb +9 -1
data/lib/action_dispatch/http/url.rb +82 -82
data/lib/action_dispatch/journey.rb +0 -2
data/lib/action_dispatch/journey/formatter.rb +54 -30
data/lib/action_dispatch/journey/gtg/builder.rb +22 -37
data/lib/action_dispatch/journey/gtg/simulator.rb +8 -7
data/lib/action_dispatch/journey/gtg/transition_table.rb +6 -5
data/lib/action_dispatch/journey/nfa/dot.rb +0 -11
data/lib/action_dispatch/journey/nodes/node.rb +13 -11
data/lib/action_dispatch/journey/parser.rb +13 -13
data/lib/action_dispatch/journey/parser.y +1 -1
data/lib/action_dispatch/journey/path/pattern.rb +19 -21
data/lib/action_dispatch/journey/route.rb +10 -20
data/lib/action_dispatch/journey/router.rb +26 -34
data/lib/action_dispatch/journey/router/utils.rb +14 -12
data/lib/action_dispatch/journey/routes.rb +0 -2
data/lib/action_dispatch/journey/scanner.rb +10 -4
data/lib/action_dispatch/journey/visitors.rb +1 -4
data/lib/action_dispatch/middleware/actionable_exceptions.rb +46 -0
data/lib/action_dispatch/middleware/callbacks.rb +2 -4
data/lib/action_dispatch/middleware/cookies.rb +128 -109
data/lib/action_dispatch/middleware/debug_exceptions.rb +43 -66
data/lib/action_dispatch/middleware/debug_locks.rb +5 -5
data/lib/action_dispatch/middleware/debug_view.rb +66 -0
data/lib/action_dispatch/middleware/exception_wrapper.rb +75 -30
data/lib/action_dispatch/middleware/flash.rb +1 -1
data/lib/action_dispatch/middleware/host_authorization.rb +121 -0
data/lib/action_dispatch/middleware/public_exceptions.rb +6 -3
data/lib/action_dispatch/middleware/remote_ip.rb +14 -16
data/lib/action_dispatch/middleware/request_id.rb +5 -6
data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -3
data/lib/action_dispatch/middleware/session/cookie_store.rb +3 -9
data/lib/action_dispatch/middleware/show_exceptions.rb +3 -2
data/lib/action_dispatch/middleware/ssl.rb +20 -15
data/lib/action_dispatch/middleware/stack.rb +56 -2
data/lib/action_dispatch/middleware/static.rb +153 -93
data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +3 -1
data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +4 -2
data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +23 -4
data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +6 -3
data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +3 -1
data/lib/action_dispatch/middleware/templates/rescues/layout.erb +104 -8
data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +2 -2
data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +24 -1
data/lib/action_dispatch/railtie.rb +8 -2
data/lib/action_dispatch/request/session.rb +10 -9
data/lib/action_dispatch/request/utils.rb +26 -2
data/lib/action_dispatch/routing.rb +21 -20
data/lib/action_dispatch/routing/inspector.rb +100 -52
data/lib/action_dispatch/routing/mapper.rb +155 -103
data/lib/action_dispatch/routing/polymorphic_routes.rb +13 -15
data/lib/action_dispatch/routing/redirection.rb +3 -3
data/lib/action_dispatch/routing/route_set.rb +71 -69
data/lib/action_dispatch/routing/url_for.rb +2 -2
data/lib/action_dispatch/system_test_case.rb +54 -11
data/lib/action_dispatch/system_testing/browser.rb +53 -16
data/lib/action_dispatch/system_testing/driver.rb +11 -3
data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +49 -7
data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +8 -10
data/lib/action_dispatch/testing/assertion_response.rb +0 -1
data/lib/action_dispatch/testing/assertions.rb +1 -1
data/lib/action_dispatch/testing/assertions/response.rb +4 -7
data/lib/action_dispatch/testing/assertions/routing.rb +20 -8
data/lib/action_dispatch/testing/integration.rb +61 -28
data/lib/action_dispatch/testing/request_encoder.rb +2 -2
data/lib/action_dispatch/testing/test_process.rb +29 -4
data/lib/action_dispatch/testing/test_request.rb +3 -3
data/lib/action_dispatch/testing/test_response.rb +4 -32
data/lib/action_pack.rb +1 -1
data/lib/action_pack/gem_version.rb +4 -4
metadata +38 -26
data/lib/action_controller/metal/force_ssl.rb +0 -99
data/lib/action_dispatch/http/parameter_filter.rb +0 -86
data/lib/action_dispatch/journey/nfa/builder.rb +0 -78
data/lib/action_dispatch/journey/nfa/simulator.rb +0 -49
data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -120
data/lib/action_dispatch/system_testing/test_helpers/undef_methods.rb +0 -26

data/lib/action_controller/renderer.rb CHANGED Viewed

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
-require "active_support/core_ext/hash/keys"
 module ActionController
   # ActionController::Renderer allows you to render arbitrary templates
   # without requirement of being in controller actions.
@@ -67,10 +65,29 @@ module ActionController
     def initialize(controller, env, defaults)
       @controller = controller
       @defaults = defaults
-      @env = normalize_keys defaults.merge(env)
+      @env = normalize_keys defaults, env
     end
     # Render templates with any options from ActionController::Base#render_to_string.
+    #
+    # The primary options are:
+    # * <tt>:partial</tt> - See <tt>ActionView::PartialRenderer</tt> for details.
+    # * <tt>:file</tt> - Renders an explicit template file. Add <tt>:locals</tt> to pass in, if so desired.
+    #   It shouldn’t be used directly with unsanitized user input due to lack of validation.
+    # * <tt>:inline</tt> - Renders an ERB template string.
+    # * <tt>:plain</tt> - Renders provided text and sets the content type as <tt>text/plain</tt>.
+    # * <tt>:html</tt> - Renders the provided HTML safe string, otherwise
+    #   performs HTML escape on the string first. Sets the content type as <tt>text/html</tt>.
+    # * <tt>:json</tt> - Renders the provided hash or object in JSON. You don't
+    #   need to call <tt>.to_json</tt> on the object you want to render.
+    # * <tt>:body</tt> - Renders provided text and sets content type of <tt>text/plain</tt>.
+    #
+    # If no <tt>options</tt> hash is passed or if <tt>:update</tt> is specified, then:
+    #
+    # If an object responding to `render_in` is passed, `render_in` is called on the object,
+    # passing in the current view context.
+    #
+    # Otherwise, a partial is rendered using the second parameter as the locals hash.
     def render(*args)
       raise "missing controller" unless controller
@@ -82,11 +99,18 @@ module ActionController
       instance.set_response! controller.make_response!(request)
       instance.render_to_string(*args)
     end
+    alias_method :render_to_string, :render # :nodoc:
     private
-      def normalize_keys(env)
+      def normalize_keys(defaults, env)
         new_env = {}
         env.each_pair { |k, v| new_env[rack_key_for(k)] = rack_value_for(k, v) }
+        defaults.each_pair do |k, v|
+          key = rack_key_for(k)
+          new_env[key] = rack_value_for(k, v) unless new_env.key?(key)
+        end
         new_env["rack.url_scheme"] = new_env["HTTPS"] == "on" ? "https" : "http"
         new_env
       end
@@ -99,19 +123,19 @@ module ActionController
         input:       "rack.input"
       }
-      IDENTITY = ->(_) { _ }
-      RACK_VALUE_TRANSLATION = {
-        https: ->(v) { v ? "on" : "off" },
-        method: ->(v) { v.upcase },
-      }
       def rack_key_for(key)
-        RACK_KEY_TRANSLATION.fetch(key, key.to_s)
+        RACK_KEY_TRANSLATION[key] || key.to_s
       end
       def rack_value_for(key, value)
-        RACK_VALUE_TRANSLATION.fetch(key, IDENTITY).call value
+        case key
+        when :https
+          value ? "on" : "off"
+        when :method
+          -value.upcase
+        else
+          value
+        end
       end
   end
 end

data/lib/action_controller/template_assertions.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 module ActionController
-  module TemplateAssertions
+  module TemplateAssertions # :nodoc:
     def assert_template(options = {}, message = nil)
       raise NoMethodError,
         "assert_template has been extracted to a gem. To continue using it,

data/lib/action_controller/test_case.rb CHANGED Viewed

@@ -26,7 +26,7 @@ module ActionController
     end
   end
-  # ActionController::TestCase will be deprecated and moved to a gem in Rails 5.1.
+  # ActionController::TestCase will be deprecated and moved to a gem in the future.
   # Please use ActionDispatch::IntegrationTest going forward.
   class TestRequest < ActionDispatch::TestRequest #:nodoc:
     DEFAULT_ENV = ActionDispatch::TestRequest::DEFAULT_ENV.dup
@@ -84,7 +84,7 @@ module ActionController
             value = value.to_param
           end
-          path_parameters[key] = value
+          path_parameters[key.to_sym] = value
         end
       end
@@ -158,7 +158,6 @@ module ActionController
     end.new
     private
       def params_parsers
         super.merge @custom_param_parsers
       end
@@ -177,12 +176,12 @@ module ActionController
   # Methods #destroy and #load! are overridden to avoid calling methods on the
   # @store object, which does not exist for the TestSession class.
-  class TestSession < Rack::Session::Abstract::SessionHash #:nodoc:
+  class TestSession < Rack::Session::Abstract::PersistedSecure::SecureSessionHash #:nodoc:
     DEFAULT_OPTIONS = Rack::Session::Abstract::Persisted::DEFAULT_OPTIONS
     def initialize(session = {})
       super(nil, nil)
-      @id = SecureRandom.hex(16)
+      @id = Rack::Session::SessionId.new(SecureRandom.hex(16))
       @data = stringify_keys(session)
       @loaded = true
     end
@@ -203,12 +202,16 @@ module ActionController
       clear
     end
+    def dig(*keys)
+      keys = keys.map.with_index { |key, i| i.zero? ? key.to_s : key }
+      @data.dig(*keys)
+    end
     def fetch(key, *args, &block)
       @data.fetch(key.to_s, *args, &block)
     end
     private
       def load!
         @id
       end
@@ -276,9 +279,6 @@ module ActionController
   #      after calling +post+. If the various assert methods are not sufficient, then you
   #      may use this object to inspect the HTTP response in detail.
   #
-  # (Earlier versions of \Rails required each functional test to subclass
-  # Test::Unit::TestCase and define @controller, @request, @response in +setup+.)
-  #
   # == Controller is automatically inferred
   #
   # ActionController::TestCase will automatically infer the controller under test
@@ -460,7 +460,7 @@ module ActionController
       def process(action, method: "GET", params: nil, session: nil, body: nil, flash: {}, format: nil, xhr: false, as: nil)
         check_required_ivars
-        action = action.to_s.dup
+        action = +action.to_s
         http_method = method.to_s.upcase
         @html_document = nil
@@ -492,57 +492,8 @@ module ActionController
           parameters[:format] = format
         end
-        generated_extras = @routes.generate_extras(parameters.merge(controller: controller_class_name, action: action))
-        generated_path = generated_path(generated_extras)
-        query_string_keys = query_parameter_names(generated_extras)
-        @request.assign_parameters(@routes, controller_class_name, action, parameters, generated_path, query_string_keys)
-        @request.session.update(session) if session
-        @request.flash.update(flash || {})
-        if xhr
-          @request.set_header "HTTP_X_REQUESTED_WITH", "XMLHttpRequest"
-          @request.fetch_header("HTTP_ACCEPT") do |k|
-            @request.set_header k, [Mime[:js], Mime[:html], Mime[:xml], "text/xml", "*/*"].join(", ")
-          end
-        end
-        @request.fetch_header("SCRIPT_NAME") do |k|
-          @request.set_header k, @controller.config.relative_url_root
-        end
-        begin
-          @controller.recycle!
-          @controller.dispatch(action, @request, @response)
-        ensure
-          @request = @controller.request
-          @response = @controller.response
-          if @request.have_cookie_jar?
-            unless @request.cookie_jar.committed?
-              @request.cookie_jar.write(@response)
-              cookies.update(@request.cookie_jar.instance_variable_get(:@cookies))
-            end
-          end
-          @response.prepare!
-          if flash_value = @request.flash.to_session_value
-            @request.session["flash"] = flash_value
-          else
-            @request.session.delete("flash")
-          end
-          if xhr
-            @request.delete_header "HTTP_X_REQUESTED_WITH"
-            @request.delete_header "HTTP_ACCEPT"
-          end
-          @request.query_string = ""
-          @response.sent!
-        end
-        @response
+        setup_request(controller_class_name, action, parameters, session, flash, xhr)
+        process_controller_response(action, cookies, xhr)
       end
       def controller_class_name
@@ -598,12 +549,66 @@ module ActionController
       end
       private
+        def setup_request(controller_class_name, action, parameters, session, flash, xhr)
+          generated_extras = @routes.generate_extras(parameters.merge(controller: controller_class_name, action: action))
+          generated_path = generated_path(generated_extras)
+          query_string_keys = query_parameter_names(generated_extras)
+          @request.assign_parameters(@routes, controller_class_name, action, parameters, generated_path, query_string_keys)
+          @request.session.update(session) if session
+          @request.flash.update(flash || {})
+          if xhr
+            @request.set_header "HTTP_X_REQUESTED_WITH", "XMLHttpRequest"
+            @request.fetch_header("HTTP_ACCEPT") do |k|
+              @request.set_header k, [Mime[:js], Mime[:html], Mime[:xml], "text/xml", "*/*"].join(", ")
+            end
+          end
+          @request.fetch_header("SCRIPT_NAME") do |k|
+            @request.set_header k, @controller.config.relative_url_root
+          end
+        end
+        def process_controller_response(action, cookies, xhr)
+          begin
+            @controller.recycle!
+            @controller.dispatch(action, @request, @response)
+          ensure
+            @request = @controller.request
+            @response = @controller.response
+            if @request.have_cookie_jar?
+              unless @request.cookie_jar.committed?
+                @request.cookie_jar.write(@response)
+                cookies.update(@request.cookie_jar.instance_variable_get(:@cookies))
+              end
+            end
+            @response.prepare!
+            if flash_value = @request.flash.to_session_value
+              @request.session["flash"] = flash_value
+            else
+              @request.session.delete("flash")
+            end
+            if xhr
+              @request.delete_header "HTTP_X_REQUESTED_WITH"
+              @request.delete_header "HTTP_ACCEPT"
+            end
+            @request.query_string = ""
+            @response.sent!
+          end
+          @response
+        end
         def scrub_env!(env)
-          env.delete_if { |k, v| k =~ /^(action_dispatch|rack)\.request/ }
-          env.delete_if { |k, v| k =~ /^action_dispatch\.rescue/ }
-          env.delete "action_dispatch.request.query_parameters"
-          env.delete "action_dispatch.request.request_parameters"
+          env.delete_if do |k, _|
+            k.start_with?("rack.request", "action_dispatch.request", "action_dispatch.rescue")
+          end
           env["rack.input"] = StringIO.new
           env.delete "CONTENT_LENGTH"
           env.delete "RAW_POST_DATA"

data/lib/action_dispatch.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 #--
-# Copyright (c) 2004-2018 David Heinemeier Hansson
+# Copyright (c) 2004-2020 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -40,20 +40,27 @@ module ActionDispatch
   class IllegalStateError < StandardError
   end
+  class MissingController < NameError
+  end
   eager_autoload do
     autoload_under "http" do
       autoload :ContentSecurityPolicy
+      autoload :PermissionsPolicy
       autoload :Request
       autoload :Response
     end
   end
   autoload_under "middleware" do
+    autoload :HostAuthorization
     autoload :RequestId
     autoload :Callbacks
     autoload :Cookies
+    autoload :ActionableExceptions
     autoload :DebugExceptions
     autoload :DebugLocks
+    autoload :DebugView
     autoload :ExceptionWrapper
     autoload :Executor
     autoload :Flash
@@ -76,8 +83,6 @@ module ActionDispatch
     autoload :Headers
     autoload :MimeNegotiation
     autoload :Parameters
-    autoload :ParameterFilter
-    autoload :Upload
     autoload :UploadedFile, "action_dispatch/http/upload"
     autoload :URL
   end
@@ -110,4 +115,5 @@ autoload :Mime, "action_dispatch/http/mime_type"
 ActiveSupport.on_load(:action_view) do
   ActionView::Base.default_formats ||= Mime::SET.symbols
   ActionView::Template::Types.delegate_to Mime
+  ActionView::LookupContext::DetailsKey.clear
 end

data/lib/action_dispatch/http/cache.rb CHANGED Viewed

@@ -4,8 +4,8 @@ module ActionDispatch
   module Http
     module Cache
       module Request
-        HTTP_IF_MODIFIED_SINCE = "HTTP_IF_MODIFIED_SINCE".freeze
-        HTTP_IF_NONE_MATCH     = "HTTP_IF_NONE_MATCH".freeze
+        HTTP_IF_MODIFIED_SINCE = "HTTP_IF_MODIFIED_SINCE"
+        HTTP_IF_NONE_MATCH     = "HTTP_IF_NONE_MATCH"
         def if_modified_since
           if since = get_header(HTTP_IF_MODIFIED_SINCE)
@@ -114,7 +114,7 @@ module ActionDispatch
         # True if an ETag is set and it's a weak validator (preceded with W/)
         def weak_etag?
-          etag? && etag.starts_with?('W/"')
+          etag? && etag.start_with?('W/"')
         end
         # True if an ETag is set and it isn't a weak validator (not preceded with W/)
@@ -123,10 +123,9 @@ module ActionDispatch
         end
       private
-        DATE          = "Date".freeze
-        LAST_MODIFIED = "Last-Modified".freeze
-        SPECIAL_KEYS  = Set.new(%w[extras no-cache max-age public private must-revalidate])
+        DATE          = "Date"
+        LAST_MODIFIED = "Last-Modified"
+        SPECIAL_KEYS  = Set.new(%w[extras no-store no-cache max-age public private must-revalidate])
         def generate_weak_etag(validators)
           "W/#{generate_strong_etag(validators)}"
@@ -151,8 +150,8 @@ module ActionDispatch
             directive, argument = segment.split("=", 2)
             if SPECIAL_KEYS.include? directive
-              key = directive.tr("-", "_")
-              cache_control[key.to_sym] = argument || true
+              directive.tr!("-", "_")
+              cache_control[directive.to_sym] = argument || true
             else
               cache_control[:extras] ||= []
               cache_control[:extras] << segment
@@ -166,11 +165,12 @@ module ActionDispatch
           @cache_control = cache_control_headers
         end
-        DEFAULT_CACHE_CONTROL = "max-age=0, private, must-revalidate".freeze
-        NO_CACHE              = "no-cache".freeze
-        PUBLIC                = "public".freeze
-        PRIVATE               = "private".freeze
-        MUST_REVALIDATE       = "must-revalidate".freeze
+        DEFAULT_CACHE_CONTROL = "max-age=0, private, must-revalidate"
+        NO_STORE              = "no-store"
+        NO_CACHE              = "no-cache"
+        PUBLIC                = "public"
+        PRIVATE               = "private"
+        MUST_REVALIDATE       = "must-revalidate"
         def handle_conditional_get!
           # Normally default cache control setting is handled by ETag
@@ -183,19 +183,20 @@ module ActionDispatch
         end
         def merge_and_normalize_cache_control!(cache_control)
-          control = {}
-          cc_headers = cache_control_headers
-          if extras = cc_headers.delete(:extras)
+          control = cache_control_headers
+          return if control.empty? && cache_control.empty?  # Let middleware handle default behavior
+          if extras = control.delete(:extras)
             cache_control[:extras] ||= []
             cache_control[:extras] += extras
             cache_control[:extras].uniq!
           end
-          control.merge! cc_headers
           control.merge! cache_control
-          if control.empty?
-            # Let middleware handle default behavior
+          if control[:no_store]
+            self._cache_control = NO_STORE
           elsif control[:no_cache]
             options = []
             options << PUBLIC if control[:public]
@@ -204,13 +205,17 @@ module ActionDispatch
             self._cache_control = options.join(", ")
           else
-            extras  = control[:extras]
+            extras = control[:extras]
             max_age = control[:max_age]
+            stale_while_revalidate = control[:stale_while_revalidate]
+            stale_if_error = control[:stale_if_error]
             options = []
             options << "max-age=#{max_age.to_i}" if max_age
             options << (control[:public] ? PUBLIC : PRIVATE)
             options << MUST_REVALIDATE if control[:must_revalidate]
+            options << "stale-while-revalidate=#{stale_while_revalidate.to_i}" if stale_while_revalidate
+            options << "stale-if-error=#{stale_if_error.to_i}" if stale_if_error
             options.concat(extras) if extras
             self._cache_control = options.join(", ")