actionpack 6.0.6.1 → 6.1.7.6

data/CHANGELOG.md

@@ -1,40 +1,131 @@
-## Rails 6.0.6.1 (January 17, 2023) ##
+## Rails 6.1.7.6 (August 22, 2023) ##
 
 *   No changes.
 
 
-## Rails 6.0.6 (September 09, 2022) ##
+## Rails 6.1.7.5 (August 22, 2023) ##
 
 *   No changes.
 
 
-## Rails 6.0.5.1 (July 12, 2022) ##
+## Rails 6.1.7.4 (June 26, 2023) ##
+
+*   Raise an exception if illegal characters are provide to redirect_to
+    [CVE-2023-28362]
+
+    *Zack Deveau*
+
+## Rails 6.1.7.3 (March 13, 2023) ##
+
+*   No changes.
+
+
+## Rails 6.1.7.2 (January 24, 2023) ##
+
+*   Fix `domain: :all` for two letter TLD
+
+    This fixes a compatibility issue introduced in our previous security
+    release when using `domain: :all` with a two letter but single level top
+    level domain domain (like `.ca`, rather than `.co.uk`).
+
+
+## Rails 6.1.7.1 (January 17, 2023) ##
+
+*   Avoid regex backtracking on If-None-Match header
+
+    [CVE-2023-22795]
+
+*   Use string#split instead of regex for domain parts
+
+    [CVE-2023-22792]
+
+
+## Rails 6.1.7 (September 09, 2022) ##
 
 *   No changes.
 
 
-## Rails 6.0.5 (May 09, 2022) ##
+## Rails 6.1.6.1 (July 12, 2022) ##
 
 *   No changes.
 
 
-## Rails 6.0.4.8 (April 26, 2022) ##
+## Rails 6.1.6 (May 09, 2022) ##
+
+*   No changes.
+
+
+## Rails 6.1.5.1 (April 26, 2022) ##
 
 *   Allow Content Security Policy DSL to generate for API responses.
 
     *Tim Wade*
 
-## Rails 6.0.4.7 (March 08, 2022) ##
+## Rails 6.1.5 (March 09, 2022) ##
+
+*   Fix `content_security_policy` returning invalid directives.
+
+    Directives such as `self`, `unsafe-eval` and few others were not
+    single quoted when the directive was the result of calling a lambda
+    returning an array.
+
+    ```ruby
+    content_security_policy do |policy|
+      policy.frame_ancestors lambda { [:self, "https://example.com"] }
+    end
+    ```
+
+    With this fix the policy generated from above will now be valid.
+
+    *Edouard Chin*
+
+*   Update `HostAuthorization` middleware to render debug info only
+    when `config.consider_all_requests_local` is set to true.
+
+    Also, blocked host info is always logged with level `error`.
+
+    Fixes #42813.
+
+    *Nikita Vyrko*
+
+*   Dup arrays that get "converted".
+
+    Fixes #43681.
+
+    *Aaron Patterson*
+
+*   Don't show deprecation warning for equal paths.
+
+    *Anton Rieder*
+
+*   Fix crash in `ActionController::Instrumentation` with invalid HTTP formats.
+
+    Fixes #43094.
+
+    *Alex Ghiculescu*
+
+*   Add fallback host for SystemTestCase driven by RackTest.
+
+    Fixes #42780.
+
+    *Petrik de Heus*
+
+*   Add more detail about what hosts are allowed.
+
+    *Alex Ghiculescu*
+
+
+## Rails 6.1.4.7 (March 08, 2022) ##
 
 *   No changes.
 
 
-## Rails 6.0.4.6 (February 11, 2022) ##
+## Rails 6.1.4.6 (February 11, 2022) ##
 
 *   No changes.
 
 
-## Rails 6.0.4.5 (February 11, 2022) ##
+## Rails 6.1.4.5 (February 11, 2022) ##
 
 *   Under certain circumstances, the middleware isn't informed that the
     response body has been fully closed which result in request state not
@@ -43,17 +134,17 @@
     [CVE-2022-23633]
 
 
-## Rails 6.0.4.4 (December 15, 2021) ##
+## Rails 6.1.4.4 (December 15, 2021) ##
 
 *   Fix issue with host protection not allowing host with port in development.
 
 
-## Rails 6.0.4.3 (December 14, 2021) ##
+## Rails 6.1.4.3 (December 14, 2021) ##
 
-*   Fix issue with host protection not allowing localhost in development.
+*    Fix issue with host protection not allowing localhost in development.
 
 
-## Rails 6.0.4.2 (December 14, 2021) ##
+## Rails 6.1.4.2 (December 14, 2021) ##
 
 *   Fix X_FORWARDED_HOST protection.  [CVE-2021-44528]
 
@@ -65,35 +156,48 @@
     "allowed host" formats can cause the Host Authorization middleware in Action
     Pack to redirect users to a malicious website.
 
-## Rails 6.0.4 (June 15, 2021) ##
+## Rails 6.1.4 (June 24, 2021) ##
 
-*   Accept base64_urlsafe CSRF tokens to make forward compatible.
+*   Ignore file fixtures on `db:fixtures:load`
 
-    Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
-    them difficult to deal with. For example, the common practice of sending
-    the CSRF token to a browser in a client-readable cookie does not work properly
-    out of the box: the value has to be url-encoded and decoded to survive transport.
+    *Kevin Sjöberg*
 
-    In Rails 6.1, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
-    safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
-    tokens for backwards compatibility.
+*   Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
 
-    In Rails 5.2.5, the CSRF token format is accidentally changed to urlsafe-encoded.
-    If you upgrade apps from 5.2.5, set the config `urlsafe_csrf_tokens = true`.
+    *Dylan Thacker-Smith*
+
+*   Correctly place optional path parameter booleans.
+
+    Previously, if you specify a url parameter that is part of the path as false it would include that part
+    of the path as parameter for example:
 
-    ```ruby
-    Rails.application.config.action_controller.urlsafe_csrf_tokens = true
     ```
+    get "(/optional/:optional_id)/things" => "foo#foo", as: :things
+    things_path(optional_id: false) # => /things?optional_id=false
+    ```
+
+    After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
+
+    ```
+    get '(this/:my_bool)/that' as: :that
+
+    that_path(my_bool: true) # => `/this/true/that`
+    that_path(my_bool: false) # => `/this/false/that`
+    ```
+
+    *Adam Hess*
+
+*   Add support for 'private, no-store' Cache-Control headers.
 
-    *Scott Blum*, *Étienne Barrié*
+    Previously, 'no-store' was exclusive; no other directives could be specified.
 
-*   Signed and encrypted cookies can now store `false` as their value when
-    `action_dispatch.use_cookies_with_metadata` is enabled.
+    *Alex Smith*
 
-    *Rolandas Barysas*
 
+## Rails 6.1.3.2 (May 05, 2021) ##
 
-## Rails 6.0.3.7 (May 05, 2021) ##
+*   Prevent open redirects by correctly escaping the host allow list
+    CVE-2021-22903
 
 *   Prevent catastrophic backtracking during mime parsing
     CVE-2021-22902
@@ -111,12 +215,19 @@
 
     *Gannon McGibbon*
 
-## Rails 6.0.3.6 (March 26, 2021) ##
+## Rails 6.1.3.1 (March 26, 2021) ##
 
 *   No changes.
 
 
-## Rails 6.0.3.5 (February 10, 2021) ##
+## Rails 6.1.3 (February 17, 2021) ##
+
+*   Re-define routes when not set correctly via inheritance.
+
+    *John Hawthorn*
+
+
+## Rails 6.1.2.1 (February 10, 2021) ##
 
 *   Prevent open redirect when allowed host starts with a dot
 
@@ -128,390 +239,440 @@
     *Aaron Patterson*
 
 
-## Rails 6.0.3.4 (October 07, 2020) ##
+## Rails 6.1.2 (February 09, 2021) ##
 
-*   [CVE-2020-8264] Prevent XSS in Actionable Exceptions
+*   Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
 
+    *Janko Marohnić*
 
-## Rails 6.0.3.3 (September 09, 2020) ##
+*   Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
 
-*   No changes.
+    *Eugene Kenny*
 
 
-## Rails 6.0.3.2 (June 17, 2020) ##
+## Rails 6.1.1 (January 07, 2021) ##
 
-*   [CVE-2020-8185] Only allow ActionableErrors if show_detailed_exceptions is enabled
+*   Fix nil translation key lookup in controllers/
 
-## Rails 6.0.3.1 (May 18, 2020) ##
+    *Jan Klimo*
 
-*   [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
+*   Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
 
-*   [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
+    *Alex Robbin*
 
+*   Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
 
-## Rails 6.0.3 (May 06, 2020) ##
+    *Alex Robbin*
 
-*   Include child session assertion count in ActionDispatch::IntegrationTest
 
-    `IntegrationTest#open_session` uses `dup` to create the new session, which
-    meant it had its own copy of `@assertions`. This prevented the assertions
-    from being correctly counted and reported.
+## Rails 6.1.0 (December 09, 2020) ##
 
-    Child sessions now have their `attr_accessor` overriden to delegate to the
-    root session.
+*   Support for the HTTP header `Feature-Policy` has been revised to reflect
+    its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
 
-    Fixes #32142
+    ```ruby
+    Rails.application.config.permissions_policy do |p|
+      p.camera     :none
+      p.gyroscope  :none
+      p.microphone :none
+      p.usb        :none
+      p.fullscreen :self
+      p.payment    :self, "https://secure-example.com"
+    end
+    ```
 
-    *Sam Bostock*
+    *Julien Grillot*
 
+*   Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
 
-## Rails 6.0.2.2 (March 19, 2020) ##
+    Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
 
-*   No changes.
+    *Chris Bisnett*
 
+*   Add `config.action_dispatch.request_id_header` to allow changing the name of
+    the unique X-Request-Id header
 
-## Rails 6.0.2.1 (December 18, 2019) ##
+    *Arlston Fernandes*
 
-*   Fix possible information leak / session hijacking vulnerability.
+*   Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
 
-    The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
-    gem dalli to be updated as well.
+    *Rafael Mendonça França*
 
-    CVE-2019-16782.
+*   Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
 
+    *Rafael Mendonça França*
 
-## Rails 6.0.2 (December 13, 2019) ##
+*   Remove deprecated `ActionDispatch::Http::ParameterFilter`.
 
-*   Allow using mountable engine route helpers in System Tests.
+    *Rafael Mendonça França*
 
-    *Chalo Fernandez*
+*   Added support for exclusive no-store Cache-Control header.
 
+    If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
 
-## Rails 6.0.1 (November 5, 2019) ##
+    *Chris Kruger*
 
-*   `ActionDispatch::SystemTestCase` now inherits from `ActiveSupport::TestCase`
-    rather than `ActionDispatch::IntegrationTest`. This permits running jobs in
-    system tests.
+*   Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
 
-    *George Claghorn*, *Edouard Chin*
+    Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
+    `ActionDispatch::Http::Request#POST` prior to validating encoding.
 
-*   Registered MIME types may contain extra flags:
+    *Adrianna Chang*
 
-    ```ruby
-    Mime::Type.register "text/html; fragment", :html_fragment
-    ```
+*   Allow `assert_recognizes` routing assertions to work on mounted root routes.
 
-    *Aaron Patterson*
+    *Gannon McGibbon*
 
+*   Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
 
-## Rails 6.0.0 (August 16, 2019) ##
+    *Alan Tan*, *Oz Ben-David*
 
-*   No changes.
+*   Fix `follow_redirect!` to follow redirection with same HTTP verb when following
+    a 308 redirection.
 
+    *Alan Tan*
 
-## Rails 6.0.0.rc2 (July 22, 2019) ##
+*   When multiple domains are specified for a cookie, a domain will now be
+    chosen only if it is equal to or is a superdomain of the request host.
 
-*   Add the ability to set the CSP nonce only to the specified directives.
+    *Jonathan Hefner*
 
-    Fixes #35137.
+*   `ActionDispatch::Static` handles precompiled Brotli (.br) files.
 
-    *Yuji Yaginuma*
+    Adds to existing support for precompiled gzip (.gz) files.
+    Brotli files are preferred due to much better compression.
 
-*   Keep part when scope option has value.
+    When the browser requests /some.js with `Accept-Encoding: br`,
+    we check for public/some.js.br and serve that file, if present, with
+    `Content-Encoding: br` and `Vary: Accept-Encoding` headers.
 
-    When a route was defined within an optional scope, if that route didn't
-    take parameters the scope was lost when using path helpers. This commit
-    ensures scope is kept both when the route takes parameters or when it
-    doesn't.
+    *Ryan Edward Hall*, *Jeremy Daer*
 
-    Fixes #33219
+*   Add raise_on_missing_translations support for controllers.
 
-    *Alberto Almagro*
+    This configuration determines whether an error should be raised for missing translations.
+    It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
+    configuration also affects raising error for missing translations in views.
 
-*   Change `ActionDispatch::Response#content_type` to return Content-Type header as it is.
+    *fatkodima*
 
-    Previously, `ActionDispatch::Response#content_type` returned value does NOT
-    contain charset part. This behavior changed to returned Content-Type header
-    containing charset part as it is.
+*   Added `compact` and `compact!` to `ActionController::Parameters`.
 
-    If you want just MIME type, please use `ActionDispatch::Response#media_type`
-    instead.
+    *Eugene Kenny*
 
-    Enable `action_dispatch.return_only_media_type_on_content_type` to use this change.
-    If not enabled, `ActionDispatch::Response#content_type` returns the same
-    value as before version, but its behavior is deprecate.
+*   Calling `each_pair` or `each_value` on an `ActionController::Parameters`
+    without passing a block now returns an enumerator.
 
-    *Yuji Yaginuma*
+    *Eugene Kenny*
 
-*   Calling `ActionController::Parameters#transform_keys/!` without a block now returns
-    an enumerator for the parameters instead of the underlying hash.
+*   `fixture_file_upload` now uses path relative to `file_fixture_path`
 
-    *Eugene Kenny*
+    Previously the path had to be relative to `fixture_path`.
+    You can change your existing code as follow:
 
-*   Fix a bug where DebugExceptions throws an error when malformed query parameters are provided
+    ```ruby
+    # Before
+    fixture_file_upload('files/dog.png')
 
-    *Yuki Nishijima*, *Stan Lo*
+    # After
+    fixture_file_upload('dog.png')
+    ```
 
+    *Edouard Chin*
 
-## Rails 6.0.0.rc1 (April 24, 2019) ##
+*   Remove deprecated `force_ssl` at the controller level.
 
-*   Make system tests take a failed screenshot in a `before_teardown` hook
-    rather than an `after_teardown` hook.
+    *Rafael Mendonça França*
 
-    This helps minimize the time gap between when an assertion fails and when
-    the screenshot is taken (reducing the time in which the page could have
-    been dynamically updated after the assertion failed).
+*   The +helper+ class method for controllers loads helper modules specified as
+    strings/symbols with `String#constantize` instead of `require_dependency`.
 
-    *Richard Macklin*
+    Remember that support for strings/symbols is only a convenient API. You can
+    always pass a module object:
 
-*   Introduce `ActionDispatch::ActionableExceptions`.
+    ```ruby
+    helper UtilsHelper
+    ```
 
-    The `ActionDispatch::ActionableExceptions` middleware dispatches actions
-    from `ActiveSupport::ActionableError` descendants.
+    which is recommended because it is simple and direct. When a string/symbol
+    is received, `helper` just manipulates and inflects the argument to obtain
+    that same module object.
 
-    Actionable errors let's you dispatch actions from Rails' error pages.
+    *Xavier Noria*, *Jean Boussier*
 
-    *Vipul A M*, *Yao Jie*, *Genadi Samokovarov*
+*   Correctly identify the entire localhost IPv4 range as trusted proxy.
 
-*   Raise an `ArgumentError` if a resource custom param contains a colon (`:`).
+    *Nick Soracco*
 
-    After this change it's not possible anymore to configure routes like this:
+*   `url_for` will now use "https://" as the default protocol when
+    `Rails.application.config.force_ssl` is set to true.
 
-    ```
-    routes.draw do
-      resources :users, param: 'name/:sneaky'
-    end
-    ```
+    *Jonathan Hefner*
 
-    Fixes #30467.
+*   Accept and default to base64_urlsafe CSRF tokens.
 
-    *Josua Schmid*
+    Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
+    them difficult to deal with. For example, the common practice of sending
+    the CSRF token to a browser in a client-readable cookie does not work properly
+    out of the box: the value has to be url-encoded and decoded to survive transport.
 
+    Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
+    to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
+    for backwards compatibility.
 
-## Rails 6.0.0.beta3 (March 11, 2019) ##
+    *Scott Blum*
 
-*   No changes.
+*   Support rolling deploys for cookie serialization/encryption changes.
 
+    In a distributed configuration like rolling update, users may observe
+    both old and new instances during deployment. Users may be served by a
+    new instance and then by an old instance.
 
-## Rails 6.0.0.beta2 (February 25, 2019) ##
+    That means when the server changes `cookies_serializer` from `:marshal`
+    to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
+    from `false` to `true`, users may lose their sessions if they access the
+    server during deployment.
 
-*   Make debug exceptions works in an environment where ActiveStorage is not loaded.
+    We added fallbacks to downgrade the cookie format when necessary during
+    deployment, ensuring compatibility on both old and new instances.
 
-    *Tomoyuki Kurosawa*
+    *Masaki Hara*
 
-*   `ActionDispatch::SystemTestCase.driven_by` can now be called with a block
-    to define specific browser capabilities.
+*   `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
 
-    *Edouard Chin*
+    Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
+    Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
 
+    *Keenan Brock*
 
-## Rails 6.0.0.beta1 (January 18, 2019) ##
+*   Fix possible information leak / session hijacking vulnerability.
 
-*   Remove deprecated `fragment_cache_key` helper in favor of `combined_fragment_cache_key`.
+    The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
+    gem dalli to be updated as well.
 
-    *Rafael Mendonça França*
+    CVE-2019-16782.
 
-*   Remove deprecated methods in `ActionDispatch::TestResponse`.
+*   Include child session assertion count in ActionDispatch::IntegrationTest.
 
-    `#success?`, `missing?` and `error?` were deprecated in Rails 5.2 in favor of
-    `#successful?`, `not_found?` and `server_error?`.
+    `IntegrationTest#open_session` uses `dup` to create the new session, which
+    meant it had its own copy of `@assertions`. This prevented the assertions
+    from being correctly counted and reported.
 
-    *Rafael Mendonça França*
+    Child sessions now have their `attr_accessor` overridden to delegate to the
+    root session.
 
-*   Introduce `ActionDispatch::HostAuthorization`.
+    Fixes #32142.
 
-    This is a new middleware that guards against DNS rebinding attacks by
-    explicitly permitting the hosts a request can be made to.
+    *Sam Bostock*
 
-    Each host is checked with the case operator (`#===`) to support `Regexp`,
-    `Proc`, `IPAddr` and custom objects as host allowances.
+*   Add SameSite protection to every written cookie.
 
-    *Genadi Samokovarov*
+    Enabling `SameSite` cookie protection is an addition to CSRF protection,
+    where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
 
-*   Allow using `parsed_body` in `ActionController::TestCase`.
+    `:strict` disables cookies being sent in cross-site GET or POST requests.
 
-    In addition to `ActionDispatch::IntegrationTest`, allow using
-    `parsed_body` in `ActionController::TestCase`:
+    Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
 
-    ```
-    class SomeControllerTest < ActionController::TestCase
-      def test_some_action
-        post :action, body: { foo: 'bar' }
-        assert_equal({ "foo" => "bar" }, response.parsed_body)
-      end
-    end
-    ```
+    See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
 
-    Fixes #34676.
+    More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
 
-    *Tobias Bühlmann*
+    _NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
 
-*   Raise an error on root route naming conflicts.
+    *Cédric Fabianski*
 
-    Raises an `ArgumentError` when multiple root routes are defined in the
-    same context instead of assigning nil names to subsequent roots.
+*   Bring back the feature that allows loading external route files from the router.
 
-    *Gannon McGibbon*
+    This feature existed back in 2012 but got reverted with the incentive that
+    https://github.com/rails/routing_concerns was a better approach. Turned out
+    that this wasn't fully the case and loading external route files from the router
+    can be helpful for applications with a really large set of routes.
+    Without this feature, application needs to implement routes reloading
+    themselves and it's not straightforward.
 
-*   Allow rescue from parameter parse errors:
+    ```ruby
+    # config/routes.rb
 
-    ```
-    rescue_from ActionDispatch::Http::Parameters::ParseError do
-      head :unauthorized
+    Rails.application.routes.draw do
+      draw(:admin)
     end
+
+    # config/routes/admin.rb
+
+    get :foo, to: 'foo#bar'
     ```
 
-    *Gannon McGibbon*, *Josh Cheek*
+    *Yehuda Katz*, *Edouard Chin*
 
-*   Reset Capybara sessions if failed system test screenshot raising an exception.
+*   Fix system test driver option initialization for non-headless browsers.
 
-    Reset Capybara sessions if `take_failed_screenshot` raise exception
-    in system test `after_teardown`.
+    *glaszig*
 
-    *Maxim Perepelitsa*
+*   `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
+    their payloads as `:request`.
 
-*   Use request object for context if there's no controller
+    *Austin Story*
 
-    There is no controller instance when using a redirect route or a
-    mounted rack application so pass the request object as the context
-    when resolving dynamic CSP sources in this scenario.
+*   `respond_to#any` no longer returns a response's Content-Type based on the
+    request format but based on the block given.
 
-    Fixes #34200.
+    Example:
 
-    *Andrew White*
+    ```ruby
+      def my_action
+        respond_to do |format|
+          format.any { render(json: { foo: 'bar' }) }
+        end
+      end
 
-*   Apply mapping to symbols returned from dynamic CSP sources
+      get('my_action.csv')
+    ```
 
-    Previously if a dynamic source returned a symbol such as :self it
-    would be converted to a string implicitly, e.g:
+    The previous behaviour was to respond with a `text/csv` Content-Type which
+    is inaccurate since a JSON response is being rendered.
 
-        policy.default_src -> { :self }
+    Now it correctly returns a `application/json` Content-Type.
 
-    would generate the header:
+    *Edouard Chin*
 
-        Content-Security-Policy: default-src self
+*   Replaces (back)slashes in failure screenshot image paths with dashes.
 
-    and now it generates:
+    If a failed test case contained a slash or a backslash, a screenshot would be created in a
+    nested directory, causing issues with `tmp:clear`.
 
-        Content-Security-Policy: default-src 'self'
+    *Damir Zekic*
 
-    *Andrew White*
+*   Add `params.member?` to mimic Hash behavior.
 
-*   Add `ActionController::Parameters#each_value`.
+    *Younes Serraj*
 
-    *Lukáš Zapletal*
+*   `process_action.action_controller` notifications now include the following in their payloads:
 
-*   Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
+    * `:request` - the `ActionDispatch::Request`
+    * `:response` - the `ActionDispatch::Response`
 
-    *Yoshiyuki Kinjo*
+    *George Claghorn*
 
-*   Encode Content-Disposition filenames on `send_data` and `send_file`.
-    Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
-    `"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
-    garbled.
-    Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
-    [RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
-    `"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
-    Most browsers can find filename correctly and old browsers fallback to ASCII
-    converted name.
+*   Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
+    `remote_ip` to `nil` before setting the header that the value is derived
+    from.
 
-    *Fumiaki Matsushima*
+    Fixes #37383.
 
-*   Expose `ActionController::Parameters#each_key` which allows iterating over
-    keys without allocating an array.
+    *Norm Provost*
 
-    *Richard Schneeman*
+*   `ActionController::Base.log_at` allows setting a different log level per request.
 
-*   Purpose metadata for signed/encrypted cookies.
+    ```ruby
+    # Use the debug level if a particular cookie is set.
+    class ApplicationController < ActionController::Base
+      log_at :debug, if: -> { cookies[:debug] }
+    end
+    ```
 
-    Rails can now thwart attacks that attempt to copy signed/encrypted value
-    of a cookie and use it as the value of another cookie.
+    *George Claghorn*
 
-    It does so by stashing the cookie-name in the purpose field which is
-    then signed/encrypted along with the cookie value. Then, on a server-side
-    read, we verify the cookie-names and discard any attacked cookies.
+*   Allow system test screen shots to be taken more than once in
+    a test by prefixing the file name with an incrementing counter.
 
-    Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
-    writes cookies with the new purpose and expiry metadata embedded.
+    Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
+    enable saving of HTML during a screenshot in addition to the image.
+    This uses the same image name, with the extension replaced with `.html`
 
-    *Assain Jaleel*
+    *Tom Fakes*
 
-*   Raises `ActionController::RespondToMismatchError` with conflicting `respond_to` invocations.
+*   Add `Vary: Accept` header when using `Accept` header for response.
 
-    `respond_to` can match multiple types and lead to undefined behavior when
-    multiple invocations are made and the types do not match:
+    For some requests like `/users/1`, Rails uses requests' `Accept`
+    header to determine what to return. And if we don't add `Vary`
+    in the response header, browsers might accidentally cache different
+    types of content, which would cause issues: e.g. javascript got displayed
+    instead of html content. This PR fixes these issues by adding `Vary: Accept`
+    in these types of requests. For more detailed problem description, please read:
 
-        respond_to do |outer_type|
-          outer_type.js do
-            respond_to do |inner_type|
-              inner_type.html { render body: "HTML" }
-            end
-          end
-        end
+    https://github.com/rails/rails/pull/36213
 
-    *Patrick Toomey*
+    Fixes #25842.
 
-*   `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
+    *Stan Lo*
 
-    This allows uploaded file objects to be passed directly to `File.read`
-    without raising a `TypeError`:
+*   Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
+    a 307 redirection.
 
-        uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
-        File.read(uploaded_file)
+    *Edouard Chin*
 
-    *Aaron Kromer*
+*   System tests require Capybara 3.26 or newer.
 
-*   Pass along arguments to underlying `get` method in `follow_redirect!`
+    *George Claghorn*
 
-    Now all arguments passed to `follow_redirect!` are passed to the underlying
-    `get` method. This for example allows to set custom headers for the
-    redirection request to the server.
+*   Reduced log noise handling ActionController::RoutingErrors.
 
-        follow_redirect!(params: { foo: :bar })
+    *Alberto Fernández-Capel*
 
-    *Remo Fritzsche*
+*   Add DSL for configuring HTTP Feature Policy.
 
-*   Introduce a new error page to when the implicit render page is accessed in the browser.
+    This new DSL provides a way to configure an HTTP Feature Policy at a
+    global or per-controller level. Full details of HTTP Feature Policy
+    specification and guidelines can be found at MDN:
 
-    Now instead of showing an error page that with exception and backtraces we now show only
-    one informative page.
+    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
 
-    *Vinicius Stock*
+    Example global policy:
 
-*   Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
+    ```ruby
+    Rails.application.config.feature_policy do |f|
+      f.camera      :none
+      f.gyroscope   :none
+      f.microphone  :none
+      f.usb         :none
+      f.fullscreen  :self
+      f.payment     :self, "https://secure.example.com"
+    end
+    ```
 
-    Exception aware plugin authors can use the newly introduced
-    `.register_interceptor` method to get the processed exception, instead of
-    monkey patching DebugExceptions.
+    Example controller level policy:
 
-        ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
-          HypoteticalPlugin.capture_exception(request, exception)
-        end
+    ```ruby
+    class PagesController < ApplicationController
+      feature_policy do |p|
+        p.geolocation "https://example.com"
+      end
+    end
+    ```
 
-    *Genadi Samokovarov*
+    *Jacob Bednarz*
 
-*   Output only one Content-Security-Policy nonce header value per request.
+*   Add the ability to set the CSP nonce only to the specified directives.
 
-    Fixes #32597.
+    Fixes #35137.
 
-    *Andrey Novikov*, *Andrew White*
+    *Yuji Yaginuma*
 
-*   Move default headers configuration into their own module that can be included in controllers.
+*   Keep part when scope option has value.
+
+    When a route was defined within an optional scope, if that route didn't
+    take parameters the scope was lost when using path helpers. This commit
+    ensures scope is kept both when the route takes parameters or when it
+    doesn't.
 
-    *Kevin Deisz*
+    Fixes #33219.
 
-*   Add method `dig` to `session`.
+    *Alberto Almagro*
 
-    *claudiob*, *Takumi Shotoku*
+*   Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
 
-*   Controller level `force_ssl` has been deprecated in favor of
-    `config.force_ssl`.
+    *Gustavo Gutierrez*
 
-    *Derek Prior*
+*   Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
+    an enumerator for the parameters instead of the underlying hash.
+
+    *Eugene Kenny*
 
-*   Rails 6 requires Ruby 2.5.0 or newer.
+*   Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
+    It should only block invalid key's values instead.
 
-    *Jeremy Daer*, *Kasper Timm Hansen*
+    *Stan Lo*
 
 
-Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.