actionpack 6.0.3.1 → 6.1.0.rc2

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of actionpack might be problematic. Click here for more details.

Files changed (115) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +260 -219
  3. data/MIT-LICENSE +1 -1
  4. data/lib/abstract_controller.rb +1 -0
  5. data/lib/abstract_controller/base.rb +35 -2
  6. data/lib/abstract_controller/callbacks.rb +2 -2
  7. data/lib/abstract_controller/helpers.rb +105 -90
  8. data/lib/abstract_controller/rendering.rb +9 -9
  9. data/lib/abstract_controller/translation.rb +8 -2
  10. data/lib/action_controller.rb +2 -3
  11. data/lib/action_controller/api.rb +2 -2
  12. data/lib/action_controller/base.rb +4 -2
  13. data/lib/action_controller/caching.rb +0 -1
  14. data/lib/action_controller/log_subscriber.rb +3 -3
  15. data/lib/action_controller/metal.rb +2 -2
  16. data/lib/action_controller/metal/conditional_get.rb +10 -2
  17. data/lib/action_controller/metal/content_security_policy.rb +1 -1
  18. data/lib/action_controller/metal/cookies.rb +3 -1
  19. data/lib/action_controller/metal/data_streaming.rb +1 -1
  20. data/lib/action_controller/metal/etag_with_template_digest.rb +2 -4
  21. data/lib/action_controller/metal/exceptions.rb +33 -0
  22. data/lib/action_controller/metal/head.rb +7 -4
  23. data/lib/action_controller/metal/helpers.rb +11 -1
  24. data/lib/action_controller/metal/http_authentication.rb +4 -2
  25. data/lib/action_controller/metal/implicit_render.rb +1 -1
  26. data/lib/action_controller/metal/instrumentation.rb +11 -9
  27. data/lib/action_controller/metal/live.rb +1 -1
  28. data/lib/action_controller/metal/logging.rb +20 -0
  29. data/lib/action_controller/metal/mime_responds.rb +6 -2
  30. data/lib/action_controller/metal/parameter_encoding.rb +35 -4
  31. data/lib/action_controller/metal/params_wrapper.rb +14 -8
  32. data/lib/action_controller/metal/permissions_policy.rb +46 -0
  33. data/lib/action_controller/metal/redirecting.rb +1 -1
  34. data/lib/action_controller/metal/rendering.rb +6 -0
  35. data/lib/action_controller/metal/request_forgery_protection.rb +48 -24
  36. data/lib/action_controller/metal/rescue.rb +1 -1
  37. data/lib/action_controller/metal/strong_parameters.rb +103 -15
  38. data/lib/action_controller/renderer.rb +24 -13
  39. data/lib/action_controller/test_case.rb +62 -56
  40. data/lib/action_dispatch.rb +3 -2
  41. data/lib/action_dispatch/http/cache.rb +12 -10
  42. data/lib/action_dispatch/http/content_disposition.rb +2 -2
  43. data/lib/action_dispatch/http/content_security_policy.rb +5 -1
  44. data/lib/action_dispatch/http/filter_parameters.rb +1 -1
  45. data/lib/action_dispatch/http/filter_redirect.rb +1 -1
  46. data/lib/action_dispatch/http/headers.rb +3 -2
  47. data/lib/action_dispatch/http/mime_negotiation.rb +20 -8
  48. data/lib/action_dispatch/http/mime_type.rb +28 -15
  49. data/lib/action_dispatch/http/parameters.rb +1 -19
  50. data/lib/action_dispatch/http/permissions_policy.rb +173 -0
  51. data/lib/action_dispatch/http/request.rb +26 -8
  52. data/lib/action_dispatch/http/response.rb +17 -16
  53. data/lib/action_dispatch/http/url.rb +3 -2
  54. data/lib/action_dispatch/journey.rb +0 -2
  55. data/lib/action_dispatch/journey/formatter.rb +53 -28
  56. data/lib/action_dispatch/journey/gtg/builder.rb +22 -36
  57. data/lib/action_dispatch/journey/gtg/simulator.rb +8 -7
  58. data/lib/action_dispatch/journey/gtg/transition_table.rb +6 -4
  59. data/lib/action_dispatch/journey/nfa/dot.rb +0 -11
  60. data/lib/action_dispatch/journey/nodes/node.rb +4 -3
  61. data/lib/action_dispatch/journey/parser.rb +13 -13
  62. data/lib/action_dispatch/journey/parser.y +1 -1
  63. data/lib/action_dispatch/journey/path/pattern.rb +13 -18
  64. data/lib/action_dispatch/journey/route.rb +7 -18
  65. data/lib/action_dispatch/journey/router.rb +26 -30
  66. data/lib/action_dispatch/journey/router/utils.rb +6 -4
  67. data/lib/action_dispatch/middleware/actionable_exceptions.rb +9 -2
  68. data/lib/action_dispatch/middleware/cookies.rb +74 -33
  69. data/lib/action_dispatch/middleware/debug_exceptions.rb +10 -17
  70. data/lib/action_dispatch/middleware/debug_view.rb +1 -1
  71. data/lib/action_dispatch/middleware/exception_wrapper.rb +29 -17
  72. data/lib/action_dispatch/middleware/host_authorization.rb +25 -5
  73. data/lib/action_dispatch/middleware/public_exceptions.rb +1 -1
  74. data/lib/action_dispatch/middleware/remote_ip.rb +5 -4
  75. data/lib/action_dispatch/middleware/request_id.rb +4 -5
  76. data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -2
  77. data/lib/action_dispatch/middleware/session/cookie_store.rb +2 -2
  78. data/lib/action_dispatch/middleware/ssl.rb +9 -6
  79. data/lib/action_dispatch/middleware/stack.rb +18 -0
  80. data/lib/action_dispatch/middleware/static.rb +154 -93
  81. data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
  82. data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +2 -5
  83. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +2 -2
  84. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +2 -2
  85. data/lib/action_dispatch/middleware/templates/rescues/layout.erb +100 -8
  86. data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
  87. data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +12 -1
  88. data/lib/action_dispatch/railtie.rb +3 -2
  89. data/lib/action_dispatch/request/session.rb +2 -8
  90. data/lib/action_dispatch/request/utils.rb +26 -2
  91. data/lib/action_dispatch/routing/inspector.rb +8 -7
  92. data/lib/action_dispatch/routing/mapper.rb +102 -71
  93. data/lib/action_dispatch/routing/polymorphic_routes.rb +12 -11
  94. data/lib/action_dispatch/routing/redirection.rb +3 -3
  95. data/lib/action_dispatch/routing/route_set.rb +49 -41
  96. data/lib/action_dispatch/routing/url_for.rb +1 -0
  97. data/lib/action_dispatch/system_test_case.rb +29 -24
  98. data/lib/action_dispatch/system_testing/browser.rb +33 -27
  99. data/lib/action_dispatch/system_testing/driver.rb +6 -7
  100. data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +47 -6
  101. data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +4 -7
  102. data/lib/action_dispatch/testing/assertions.rb +1 -1
  103. data/lib/action_dispatch/testing/assertions/response.rb +2 -4
  104. data/lib/action_dispatch/testing/assertions/routing.rb +5 -5
  105. data/lib/action_dispatch/testing/integration.rb +38 -27
  106. data/lib/action_dispatch/testing/test_process.rb +29 -4
  107. data/lib/action_dispatch/testing/test_request.rb +3 -3
  108. data/lib/action_pack.rb +1 -1
  109. data/lib/action_pack/gem_version.rb +3 -3
  110. metadata +20 -21
  111. data/lib/action_controller/metal/force_ssl.rb +0 -58
  112. data/lib/action_dispatch/http/parameter_filter.rb +0 -12
  113. data/lib/action_dispatch/journey/nfa/builder.rb +0 -78
  114. data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
  115. data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -119
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: cea1a6e97ad71b6bdb89d088483a226435d5f816fe7ed4c84bc86181f89e9970
4
- data.tar.gz: 35dde1277befcd899fb4c05a9d87b995928bcc212e18ff5e5b7bb213fc5bc480
3
+ metadata.gz: bc84b6b896fe838781d03a845564d7d0d55c125c08891dac5192dd0b4218e148
4
+ data.tar.gz: 2d6978599e5d5f2becc3ced8db15918edbeffe6048cffa5f3b11b68e0fe7fb97
5
5
  SHA512:
6
- metadata.gz: 475424613f5ed1166d535bf17838d2614a12993935823dbe6e325b368425de9826a96c9a23bdf7045b92a3392605cb69809551506a4af66c1ccc91180cf802e8
7
- data.tar.gz: b0fdf9842a0871fd87f8a4f6a46a112a75c27ab9f0f923f5b8a87becc1a33aac1326e75c5f205b61b2419e5a3f617eb3e2deaaf0da4fe861258dd4266ddf25ab
6
+ metadata.gz: cba23b8e3d5344c09f2b3f41d4544c8486dafe103a1c5fd1c4f050f543a35d17346d747ff1e2cd62e7535258ee38953ab2b12eb62119d086c9e9b35c8344c2c4
7
+ data.tar.gz: 7e8b5c27070a8bf909e09e8d1bd98565da44321186bdaae0e5ebc474cbaf85dc242191863b8041696cdf995e75110b94ab3af7e304d99180c78000cbec00e9ec
@@ -1,372 +1,413 @@
1
- ## Rails 6.0.3.1 (May 18, 2020) ##
1
+ ## Rails 6.1.0.rc2 (December 01, 2020) ##
2
2
 
3
- * [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
3
+ * Support for the HTTP header `Feature-Policy` has been revised to reflect
4
+ its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
4
5
 
5
- * [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
6
+ ```ruby
7
+ Rails.application.config.permissions_policy do |p|
8
+ p.camera :none
9
+ p.gyroscope :none
10
+ p.microphone :none
11
+ p.usb :none
12
+ p.fullscreen :self
13
+ p.payment :self, "https://secure-example.com"
14
+ end
15
+ ```
6
16
 
7
- ## Rails 6.0.3 (May 06, 2020) ##
17
+ *Julien Grillot*
8
18
 
9
- * Include child session assertion count in ActionDispatch::IntegrationTest
19
+ ## Rails 6.1.0.rc1 (November 02, 2020) ##
10
20
 
11
- `IntegrationTest#open_session` uses `dup` to create the new session, which
12
- meant it had its own copy of `@assertions`. This prevented the assertions
13
- from being correctly counted and reported.
21
+ * Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
14
22
 
15
- Child sessions now have their `attr_accessor` overriden to delegate to the
16
- root session.
23
+ Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
17
24
 
18
- Fixes #32142
25
+ *Chris Bisnett*
19
26
 
20
- *Sam Bostock*
27
+ * Add `config.action_dispatch.request_id_header` to allow changing the name of
28
+ the unique X-Request-Id header
21
29
 
30
+ *Arlston Fernandes*
22
31
 
23
- ## Rails 6.0.2.2 (March 19, 2020) ##
32
+ * Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
24
33
 
25
- * No changes.
34
+ *Rafael Mendonça França*
26
35
 
36
+ * Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
27
37
 
28
- ## Rails 6.0.2.1 (December 18, 2019) ##
38
+ *Rafael Mendonça França*
29
39
 
30
- * Fix possible information leak / session hijacking vulnerability.
40
+ * Remove deprecated `ActionDispatch::Http::ParameterFilter`.
31
41
 
32
- The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
33
- gem dalli to be updated as well.
42
+ *Rafael Mendonça França*
34
43
 
35
- CVE-2019-16782.
44
+ * Added support for exclusive no-store Cache-Control header.
36
45
 
46
+ If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
37
47
 
38
- ## Rails 6.0.2 (December 13, 2019) ##
48
+ *Chris Kruger*
39
49
 
40
- * Allow using mountable engine route helpers in System Tests.
50
+ * Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
41
51
 
42
- *Chalo Fernandez*
52
+ Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
53
+ `ActionDispatch::Http::Request#POST` prior to validating encoding.
43
54
 
55
+ *Adrianna Chang*
44
56
 
45
- ## Rails 6.0.1 (November 5, 2019) ##
57
+ * Allow `assert_recognizes` routing assertions to work on mounted root routes.
46
58
 
47
- * `ActionDispatch::SystemTestCase` now inherits from `ActiveSupport::TestCase`
48
- rather than `ActionDispatch::IntegrationTest`. This permits running jobs in
49
- system tests.
59
+ *Gannon McGibbon*
50
60
 
51
- *George Claghorn*, *Edouard Chin*
61
+ * Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
52
62
 
53
- * Registered MIME types may contain extra flags:
63
+ *Alan Tan*, *Oz Ben-David*
54
64
 
55
- ```ruby
56
- Mime::Type.register "text/html; fragment", :html_fragment
57
- ```
65
+ * Fix `follow_redirect!` to follow redirection with same HTTP verb when following
66
+ a 308 redirection.
58
67
 
59
- *Aaron Patterson*
68
+ *Alan Tan*
60
69
 
70
+ * When multiple domains are specified for a cookie, a domain will now be
71
+ chosen only if it is equal to or is a superdomain of the request host.
61
72
 
62
- ## Rails 6.0.0 (August 16, 2019) ##
73
+ *Jonathan Hefner*
63
74
 
64
- * No changes.
75
+ * `ActionDispatch::Static` handles precompiled Brotli (.br) files.
65
76
 
77
+ Adds to existing support for precompiled gzip (.gz) files.
78
+ Brotli files are preferred due to much better compression.
66
79
 
67
- ## Rails 6.0.0.rc2 (July 22, 2019) ##
80
+ When the browser requests /some.js with `Accept-Encoding: br`,
81
+ we check for public/some.js.br and serve that file, if present, with
82
+ `Content-Encoding: br` and `Vary: Accept-Encoding` headers.
68
83
 
69
- * Add the ability to set the CSP nonce only to the specified directives.
84
+ *Ryan Edward Hall*, *Jeremy Daer*
70
85
 
71
- Fixes #35137.
86
+ * Add raise_on_missing_translations support for controllers.
72
87
 
73
- *Yuji Yaginuma*
88
+ This configuration determines whether an error should be raised for missing translations.
89
+ It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
90
+ configuration also affects raising error for missing translations in views.
74
91
 
75
- * Keep part when scope option has value.
92
+ *fatkodima*
76
93
 
77
- When a route was defined within an optional scope, if that route didn't
78
- take parameters the scope was lost when using path helpers. This commit
79
- ensures scope is kept both when the route takes parameters or when it
80
- doesn't.
94
+ * Added `compact` and `compact!` to `ActionController::Parameters`.
81
95
 
82
- Fixes #33219
96
+ *Eugene Kenny*
83
97
 
84
- *Alberto Almagro*
98
+ * Calling `each_pair` or `each_value` on an `ActionController::Parameters`
99
+ without passing a block now returns an enumerator.
85
100
 
86
- * Change `ActionDispatch::Response#content_type` to return Content-Type header as it is.
101
+ *Eugene Kenny*
87
102
 
88
- Previously, `ActionDispatch::Response#content_type` returned value does NOT
89
- contain charset part. This behavior changed to returned Content-Type header
90
- containing charset part as it is.
103
+ * `fixture_file_upload` now uses path relative to `file_fixture_path`
91
104
 
92
- If you want just MIME type, please use `ActionDispatch::Response#media_type`
93
- instead.
105
+ Previously the path had to be relative to `fixture_path`.
106
+ You can change your existing code as follow:
94
107
 
95
- Enable `action_dispatch.return_only_media_type_on_content_type` to use this change.
96
- If not enabled, `ActionDispatch::Response#content_type` returns the same
97
- value as before version, but its behavior is deprecate.
108
+ ```ruby
109
+ # Before
110
+ fixture_file_upload('files/dog.png')
98
111
 
99
- *Yuji Yaginuma*
112
+ # After
113
+ fixture_file_upload('dog.png')
114
+ ```
100
115
 
101
- * Calling `ActionController::Parameters#transform_keys/!` without a block now returns
102
- an enumerator for the parameters instead of the underlying hash.
116
+ *Edouard Chin*
103
117
 
104
- *Eugene Kenny*
118
+ * Remove deprecated `force_ssl` at the controller level.
105
119
 
106
- * Fix a bug where DebugExceptions throws an error when malformed query parameters are provided
120
+ *Rafael Mendonça França*
107
121
 
108
- *Yuki Nishijima*, *Stan Lo*
122
+ * The +helper+ class method for controllers loads helper modules specified as
123
+ strings/symbols with `String#constantize` instead of `require_dependency`.
109
124
 
125
+ Remember that support for strings/symbols is only a convenient API. You can
126
+ always pass a module object:
110
127
 
111
- ## Rails 6.0.0.rc1 (April 24, 2019) ##
128
+ ```ruby
129
+ helper UtilsHelper
130
+ ```
112
131
 
113
- * Make system tests take a failed screenshot in a `before_teardown` hook
114
- rather than an `after_teardown` hook.
132
+ which is recommended because it is simple and direct. When a string/symbol
133
+ is received, `helper` just manipulates and inflects the argument to obtain
134
+ that same module object.
115
135
 
116
- This helps minimize the time gap between when an assertion fails and when
117
- the screenshot is taken (reducing the time in which the page could have
118
- been dynamically updated after the assertion failed).
136
+ *Xavier Noria*, *Jean Boussier*
119
137
 
120
- *Richard Macklin*
138
+ * Correctly identify the entire localhost IPv4 range as trusted proxy.
121
139
 
122
- * Introduce `ActionDispatch::ActionableExceptions`.
140
+ *Nick Soracco*
123
141
 
124
- The `ActionDispatch::ActionableExceptions` middleware dispatches actions
125
- from `ActiveSupport::ActionableError` descendants.
142
+ * `url_for` will now use "https://" as the default protocol when
143
+ `Rails.application.config.force_ssl` is set to true.
126
144
 
127
- Actionable errors let's you dispatch actions from Rails' error pages.
145
+ *Jonathan Hefner*
128
146
 
129
- *Vipul A M*, *Yao Jie*, *Genadi Samokovarov*
147
+ * Accept and default to base64_urlsafe CSRF tokens.
130
148
 
131
- * Raise an `ArgumentError` if a resource custom param contains a colon (`:`).
149
+ Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
150
+ them difficult to deal with. For example, the common practice of sending
151
+ the CSRF token to a browser in a client-readable cookie does not work properly
152
+ out of the box: the value has to be url-encoded and decoded to survive transport.
132
153
 
133
- After this change it's not possible anymore to configure routes like this:
154
+ Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
155
+ to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
156
+ for backwards compatibility.
134
157
 
135
- ```
136
- routes.draw do
137
- resources :users, param: 'name/:sneaky'
138
- end
139
- ```
158
+ *Scott Blum*
140
159
 
141
- Fixes #30467.
160
+ * Support rolling deploys for cookie serialization/encryption changes.
142
161
 
143
- *Josua Schmid*
162
+ In a distributed configuration like rolling update, users may observe
163
+ both old and new instances during deployment. Users may be served by a
164
+ new instance and then by an old instance.
144
165
 
166
+ That means when the server changes `cookies_serializer` from `:marshal`
167
+ to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
168
+ from `false` to `true`, users may lose their sessions if they access the
169
+ server during deployment.
145
170
 
146
- ## Rails 6.0.0.beta3 (March 11, 2019) ##
171
+ We added fallbacks to downgrade the cookie format when necessary during
172
+ deployment, ensuring compatibility on both old and new instances.
147
173
 
148
- * No changes.
174
+ *Masaki Hara*
149
175
 
176
+ * `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
150
177
 
151
- ## Rails 6.0.0.beta2 (February 25, 2019) ##
178
+ Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
179
+ Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
152
180
 
153
- * Make debug exceptions works in an environment where ActiveStorage is not loaded.
181
+ *Keenan Brock*
154
182
 
155
- *Tomoyuki Kurosawa*
183
+ * Fix possible information leak / session hijacking vulnerability.
156
184
 
157
- * `ActionDispatch::SystemTestCase.driven_by` can now be called with a block
158
- to define specific browser capabilities.
185
+ The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
186
+ gem dalli to be updated as well.
159
187
 
160
- *Edouard Chin*
188
+ CVE-2019-16782.
161
189
 
190
+ * Include child session assertion count in ActionDispatch::IntegrationTest.
162
191
 
163
- ## Rails 6.0.0.beta1 (January 18, 2019) ##
192
+ `IntegrationTest#open_session` uses `dup` to create the new session, which
193
+ meant it had its own copy of `@assertions`. This prevented the assertions
194
+ from being correctly counted and reported.
164
195
 
165
- * Remove deprecated `fragment_cache_key` helper in favor of `combined_fragment_cache_key`.
196
+ Child sessions now have their `attr_accessor` overridden to delegate to the
197
+ root session.
166
198
 
167
- *Rafael Mendonça França*
199
+ Fixes #32142.
168
200
 
169
- * Remove deprecated methods in `ActionDispatch::TestResponse`.
201
+ *Sam Bostock*
170
202
 
171
- `#success?`, `missing?` and `error?` were deprecated in Rails 5.2 in favor of
172
- `#successful?`, `not_found?` and `server_error?`.
203
+ * Add SameSite protection to every written cookie.
173
204
 
174
- *Rafael Mendonça França*
205
+ Enabling `SameSite` cookie protection is an addition to CSRF protection,
206
+ where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
175
207
 
176
- * Introduce `ActionDispatch::HostAuthorization`.
208
+ `:strict` disables cookies being sent in cross-site GET or POST requests.
177
209
 
178
- This is a new middleware that guards against DNS rebinding attacks by
179
- explicitly permitting the hosts a request can be made to.
210
+ Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
180
211
 
181
- Each host is checked with the case operator (`#===`) to support `Regexp`,
182
- `Proc`, `IPAddr` and custom objects as host allowances.
212
+ See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
183
213
 
184
- *Genadi Samokovarov*
214
+ More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
185
215
 
186
- * Allow using `parsed_body` in `ActionController::TestCase`.
216
+ _NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
187
217
 
188
- In addition to `ActionDispatch::IntegrationTest`, allow using
189
- `parsed_body` in `ActionController::TestCase`:
218
+ *Cédric Fabianski*
190
219
 
191
- ```
192
- class SomeControllerTest < ActionController::TestCase
193
- def test_some_action
194
- post :action, body: { foo: 'bar' }
195
- assert_equal({ "foo" => "bar" }, response.parsed_body)
196
- end
197
- end
198
- ```
220
+ * Bring back the feature that allows loading external route files from the router.
199
221
 
200
- Fixes #34676.
222
+ This feature existed back in 2012 but got reverted with the incentive that
223
+ https://github.com/rails/routing_concerns was a better approach. Turned out
224
+ that this wasn't fully the case and loading external route files from the router
225
+ can be helpful for applications with a really large set of routes.
226
+ Without this feature, application needs to implement routes reloading
227
+ themselves and it's not straightforward.
201
228
 
202
- *Tobias Bühlmann*
229
+ ```ruby
230
+ # config/routes.rb
203
231
 
204
- * Raise an error on root route naming conflicts.
232
+ Rails.application.routes.draw do
233
+ draw(:admin)
234
+ end
205
235
 
206
- Raises an `ArgumentError` when multiple root routes are defined in the
207
- same context instead of assigning nil names to subsequent roots.
236
+ # config/routes/admin.rb
208
237
 
209
- *Gannon McGibbon*
238
+ get :foo, to: 'foo#bar'
239
+ ```
210
240
 
211
- * Allow rescue from parameter parse errors:
241
+ *Yehuda Katz*, *Edouard Chin*
212
242
 
213
- ```
214
- rescue_from ActionDispatch::Http::Parameters::ParseError do
215
- head :unauthorized
216
- end
217
- ```
243
+ * Fix system test driver option initialization for non-headless browsers.
218
244
 
219
- *Gannon McGibbon*, *Josh Cheek*
245
+ *glaszig*
220
246
 
221
- * Reset Capybara sessions if failed system test screenshot raising an exception.
247
+ * `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
248
+ their payloads as `:request`.
222
249
 
223
- Reset Capybara sessions if `take_failed_screenshot` raise exception
224
- in system test `after_teardown`.
250
+ *Austin Story*
225
251
 
226
- *Maxim Perepelitsa*
252
+ * `respond_to#any` no longer returns a response's Content-Type based on the
253
+ request format but based on the block given.
227
254
 
228
- * Use request object for context if there's no controller
255
+ Example:
229
256
 
230
- There is no controller instance when using a redirect route or a
231
- mounted rack application so pass the request object as the context
232
- when resolving dynamic CSP sources in this scenario.
257
+ ```ruby
258
+ def my_action
259
+ respond_to do |format|
260
+ format.any { render(json: { foo: 'bar' }) }
261
+ end
262
+ end
233
263
 
234
- Fixes #34200.
264
+ get('my_action.csv')
265
+ ```
235
266
 
236
- *Andrew White*
267
+ The previous behaviour was to respond with a `text/csv` Content-Type which
268
+ is inaccurate since a JSON response is being rendered.
237
269
 
238
- * Apply mapping to symbols returned from dynamic CSP sources
270
+ Now it correctly returns a `application/json` Content-Type.
239
271
 
240
- Previously if a dynamic source returned a symbol such as :self it
241
- would be converted to a string implicitly, e.g:
272
+ *Edouard Chin*
242
273
 
243
- policy.default_src -> { :self }
274
+ * Replaces (back)slashes in failure screenshot image paths with dashes.
244
275
 
245
- would generate the header:
276
+ If a failed test case contained a slash or a backslash, a screenshot would be created in a
277
+ nested directory, causing issues with `tmp:clear`.
246
278
 
247
- Content-Security-Policy: default-src self
279
+ *Damir Zekic*
248
280
 
249
- and now it generates:
281
+ * Add `params.member?` to mimic Hash behavior.
250
282
 
251
- Content-Security-Policy: default-src 'self'
283
+ *Younes Serraj*
252
284
 
253
- *Andrew White*
285
+ * `process_action.action_controller` notifications now include the following in their payloads:
254
286
 
255
- * Add `ActionController::Parameters#each_value`.
287
+ * `:request` - the `ActionDispatch::Request`
288
+ * `:response` - the `ActionDispatch::Response`
256
289
 
257
- *Lukáš Zapletal*
290
+ *George Claghorn*
258
291
 
259
- * Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
292
+ * Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
293
+ `remote_ip` to `nil` before setting the header that the value is derived
294
+ from.
260
295
 
261
- *Yoshiyuki Kinjo*
296
+ Fixes #37383.
262
297
 
263
- * Encode Content-Disposition filenames on `send_data` and `send_file`.
264
- Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
265
- `"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
266
- garbled.
267
- Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
268
- [RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
269
- `"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
270
- Most browsers can find filename correctly and old browsers fallback to ASCII
271
- converted name.
298
+ *Norm Provost*
272
299
 
273
- *Fumiaki Matsushima*
300
+ * `ActionController::Base.log_at` allows setting a different log level per request.
274
301
 
275
- * Expose `ActionController::Parameters#each_key` which allows iterating over
276
- keys without allocating an array.
302
+ ```ruby
303
+ # Use the debug level if a particular cookie is set.
304
+ class ApplicationController < ActionController::Base
305
+ log_at :debug, if: -> { cookies[:debug] }
306
+ end
307
+ ```
277
308
 
278
- *Richard Schneeman*
309
+ *George Claghorn*
279
310
 
280
- * Purpose metadata for signed/encrypted cookies.
311
+ * Allow system test screen shots to be taken more than once in
312
+ a test by prefixing the file name with an incrementing counter.
281
313
 
282
- Rails can now thwart attacks that attempt to copy signed/encrypted value
283
- of a cookie and use it as the value of another cookie.
314
+ Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
315
+ enable saving of HTML during a screenshot in addition to the image.
316
+ This uses the same image name, with the extension replaced with `.html`
284
317
 
285
- It does so by stashing the cookie-name in the purpose field which is
286
- then signed/encrypted along with the cookie value. Then, on a server-side
287
- read, we verify the cookie-names and discard any attacked cookies.
318
+ *Tom Fakes*
288
319
 
289
- Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
290
- writes cookies with the new purpose and expiry metadata embedded.
320
+ * Add `Vary: Accept` header when using `Accept` header for response.
291
321
 
292
- *Assain Jaleel*
322
+ For some requests like `/users/1`, Rails uses requests' `Accept`
323
+ header to determine what to return. And if we don't add `Vary`
324
+ in the response header, browsers might accidentally cache different
325
+ types of content, which would cause issues: e.g. javascript got displayed
326
+ instead of html content. This PR fixes these issues by adding `Vary: Accept`
327
+ in these types of requests. For more detailed problem description, please read:
293
328
 
294
- * Raises `ActionController::RespondToMismatchError` with conflicting `respond_to` invocations.
329
+ https://github.com/rails/rails/pull/36213
295
330
 
296
- `respond_to` can match multiple types and lead to undefined behavior when
297
- multiple invocations are made and the types do not match:
331
+ Fixes #25842.
298
332
 
299
- respond_to do |outer_type|
300
- outer_type.js do
301
- respond_to do |inner_type|
302
- inner_type.html { render body: "HTML" }
303
- end
304
- end
305
- end
333
+ *Stan Lo*
306
334
 
307
- *Patrick Toomey*
335
+ * Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
336
+ a 307 redirection.
308
337
 
309
- * `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
338
+ *Edouard Chin*
310
339
 
311
- This allows uploaded file objects to be passed directly to `File.read`
312
- without raising a `TypeError`:
340
+ * System tests require Capybara 3.26 or newer.
313
341
 
314
- uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
315
- File.read(uploaded_file)
342
+ *George Claghorn*
316
343
 
317
- *Aaron Kromer*
344
+ * Reduced log noise handling ActionController::RoutingErrors.
318
345
 
319
- * Pass along arguments to underlying `get` method in `follow_redirect!`
346
+ *Alberto Fernández-Capel*
320
347
 
321
- Now all arguments passed to `follow_redirect!` are passed to the underlying
322
- `get` method. This for example allows to set custom headers for the
323
- redirection request to the server.
348
+ * Add DSL for configuring HTTP Feature Policy.
324
349
 
325
- follow_redirect!(params: { foo: :bar })
350
+ This new DSL provides a way to configure an HTTP Feature Policy at a
351
+ global or per-controller level. Full details of HTTP Feature Policy
352
+ specification and guidelines can be found at MDN:
326
353
 
327
- *Remo Fritzsche*
354
+ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
328
355
 
329
- * Introduce a new error page to when the implicit render page is accessed in the browser.
356
+ Example global policy:
330
357
 
331
- Now instead of showing an error page that with exception and backtraces we now show only
332
- one informative page.
358
+ ```ruby
359
+ Rails.application.config.feature_policy do |f|
360
+ f.camera :none
361
+ f.gyroscope :none
362
+ f.microphone :none
363
+ f.usb :none
364
+ f.fullscreen :self
365
+ f.payment :self, "https://secure.example.com"
366
+ end
367
+ ```
333
368
 
334
- *Vinicius Stock*
369
+ Example controller level policy:
335
370
 
336
- * Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
371
+ ```ruby
372
+ class PagesController < ApplicationController
373
+ feature_policy do |p|
374
+ p.geolocation "https://example.com"
375
+ end
376
+ end
377
+ ```
337
378
 
338
- Exception aware plugin authors can use the newly introduced
339
- `.register_interceptor` method to get the processed exception, instead of
340
- monkey patching DebugExceptions.
379
+ *Jacob Bednarz*
341
380
 
342
- ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
343
- HypoteticalPlugin.capture_exception(request, exception)
344
- end
381
+ * Add the ability to set the CSP nonce only to the specified directives.
345
382
 
346
- *Genadi Samokovarov*
383
+ Fixes #35137.
347
384
 
348
- * Output only one Content-Security-Policy nonce header value per request.
385
+ *Yuji Yaginuma*
349
386
 
350
- Fixes #32597.
387
+ * Keep part when scope option has value.
351
388
 
352
- *Andrey Novikov*, *Andrew White*
389
+ When a route was defined within an optional scope, if that route didn't
390
+ take parameters the scope was lost when using path helpers. This commit
391
+ ensures scope is kept both when the route takes parameters or when it
392
+ doesn't.
353
393
 
354
- * Move default headers configuration into their own module that can be included in controllers.
394
+ Fixes #33219.
355
395
 
356
- *Kevin Deisz*
396
+ *Alberto Almagro*
357
397
 
358
- * Add method `dig` to `session`.
398
+ * Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
359
399
 
360
- *claudiob*, *Takumi Shotoku*
400
+ *Gustavo Gutierrez*
361
401
 
362
- * Controller level `force_ssl` has been deprecated in favor of
363
- `config.force_ssl`.
402
+ * Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
403
+ an enumerator for the parameters instead of the underlying hash.
364
404
 
365
- *Derek Prior*
405
+ *Eugene Kenny*
366
406
 
367
- * Rails 6 requires Ruby 2.5.0 or newer.
407
+ * Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
408
+ It should only block invalid key's values instead.
368
409
 
369
- *Jeremy Daer*, *Kasper Timm Hansen*
410
+ *Stan Lo*
370
411
 
371
412
 
372
- Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.
413
+ Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.