actionpack 6.1.0.rc1 → 6.1.0.rc2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9a4a41e1ca0c25578fbd6a0ea8a05295194ae1bd4583adec81c901d36df926af
-  data.tar.gz: 8582c26944953ae947cf95b4582f3b000af462b0786476d4dc84a268963bbdd8
+  metadata.gz: bc84b6b896fe838781d03a845564d7d0d55c125c08891dac5192dd0b4218e148
+  data.tar.gz: 2d6978599e5d5f2becc3ced8db15918edbeffe6048cffa5f3b11b68e0fe7fb97
 SHA512:
-  metadata.gz: c6ae9cf119acfd74a41566d30f6d499ed3590355134a7a00ebc77b25a8516f1037448bc202c543b0c92cedc842d38e1b787df12f4260bebf5f1595c42c192d2a
-  data.tar.gz: 69965930679b64e98df6a5b4edaefa9f15a7c38480fd179507b3a27c663b07478411a6ae04355dd5a30f97f18be8b4441e083b5c97d0015f95963d5adf29dcda
+  metadata.gz: cba23b8e3d5344c09f2b3f41d4544c8486dafe103a1c5fd1c4f050f543a35d17346d747ff1e2cd62e7535258ee38953ab2b12eb62119d086c9e9b35c8344c2c4
+  data.tar.gz: 7e8b5c27070a8bf909e09e8d1bd98565da44321186bdaae0e5ebc474cbaf85dc242191863b8041696cdf995e75110b94ab3af7e304d99180c78000cbec00e9ec

data/CHANGELOG.md

@@ -1,3 +1,21 @@
+## Rails 6.1.0.rc2 (December 01, 2020) ##
+
+*   Support for the HTTP header `Feature-Policy` has been revised to reflect
+    its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
+
+    ```ruby
+    Rails.application.config.permissions_policy do |p|
+      p.camera     :none
+      p.gyroscope  :none
+      p.microphone :none
+      p.usb        :none
+      p.fullscreen :self
+      p.payment    :self, "https://secure-example.com"
+    end
+    ```
+
+    *Julien Grillot*
+
 ## Rails 6.1.0.rc1 (November 02, 2020) ##
 
 *   Allow `ActionDispatch::HostAuthorization` to exclude specific requests.

data/lib/action_controller.rb

@@ -29,7 +29,7 @@ module ActionController
     autoload :DefaultHeaders
     autoload :EtagWithTemplateDigest
     autoload :EtagWithFlash
-    autoload :FeaturePolicy
+    autoload :PermissionsPolicy
     autoload :Flash
     autoload :Head
     autoload :Helpers

data/lib/action_controller/base.rb

@@ -226,7 +226,7 @@ module ActionController
       FormBuilder,
       RequestForgeryProtection,
       ContentSecurityPolicy,
-      FeaturePolicy,
+      PermissionsPolicy,
       Streaming,
       DataStreaming,
       HttpAuthentication::Basic::ControllerMethods,

data/lib/action_controller/metal/cookies.rb

@@ -9,7 +9,9 @@ module ActionController #:nodoc:
     end
 
     private
-      def cookies
+      # The cookies for the current request. See ActionDispatch::Cookies for
+      # more information.
+      def cookies # :doc:
         request.cookie_jar
       end
   end

data/lib/action_controller/metal/{feature_policy.rb → permissions_policy.rb}

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
 module ActionController #:nodoc:
-  # HTTP Feature Policy is a web standard for defining a mechanism to
-  # allow and deny the use of browser features in its own context, and
+  # HTTP Permissions Policy is a web standard for defining a mechanism to
+  # allow and deny the use of browser permissions in its own context, and
   # in content within any <iframe> elements in the document.
   #
-  # Full details of HTTP Feature Policy specification and guidelines can
+  # Full details of HTTP Permissions Policy specification and guidelines can
   # be found at MDN:
   #
   # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
@@ -13,7 +13,7 @@ module ActionController #:nodoc:
   # Examples of usage:
   #
   #   # Global policy
-  #   Rails.application.config.feature_policy do |f|
+  #   Rails.application.config.permissions_policy do |f|
   #     f.camera      :none
   #     f.gyroscope   :none
   #     f.microphone  :none
@@ -24,20 +24,20 @@ module ActionController #:nodoc:
   #
   #   # Controller level policy
   #   class PagesController < ApplicationController
-  #     feature_policy do |p|
+  #     permissions_policy do |p|
   #       p.geolocation "https://example.com"
   #     end
   #   end
-  module FeaturePolicy
+  module PermissionsPolicy
     extend ActiveSupport::Concern
 
     module ClassMethods
-      def feature_policy(**options, &block)
+      def permissions_policy(**options, &block)
         before_action(options) do
           if block_given?
-            policy = request.feature_policy.clone
+            policy = request.permissions_policy.clone
             yield policy
-            request.feature_policy = policy
+            request.permissions_policy = policy
           end
         end
       end

data/lib/action_dispatch.rb

@@ -46,7 +46,7 @@ module ActionDispatch
   eager_autoload do
     autoload_under "http" do
       autoload :ContentSecurityPolicy
-      autoload :FeaturePolicy
+      autoload :PermissionsPolicy
       autoload :Request
       autoload :Response
     end

data/lib/action_dispatch/http/{feature_policy.rb → permissions_policy.rb}

@@ -3,9 +3,14 @@
 require "active_support/core_ext/object/deep_dup"
 
 module ActionDispatch #:nodoc:
-  class FeaturePolicy
+  class PermissionsPolicy
     class Middleware
       CONTENT_TYPE = "Content-Type"
+      # The Feature-Policy header has been renamed to Permissions-Policy.
+      # The Permissions-Policy requires a different implementation and isn't
+      # yet supported by all browsers. To avoid having to rename this
+      # middleware in the future we use the new name for the middleware but
+      # keep the old header name and implementation for now.
       POLICY       = "Feature-Policy"
 
       def initialize(app)
@@ -19,7 +24,7 @@ module ActionDispatch #:nodoc:
         return response unless html_response?(headers)
         return response if policy_present?(headers)
 
-        if policy = request.feature_policy
+        if policy = request.permissions_policy
           headers[POLICY] = policy.build(request.controller_instance)
         end
 
@@ -47,13 +52,13 @@ module ActionDispatch #:nodoc:
     end
 
     module Request
-      POLICY = "action_dispatch.feature_policy"
+      POLICY = "action_dispatch.permissions_policy"
 
-      def feature_policy
+      def permissions_policy
         get_header(POLICY)
       end
 
-      def feature_policy=(policy)
+      def permissions_policy=(policy)
         set_header(POLICY, policy)
       end
     end
@@ -63,8 +68,8 @@ module ActionDispatch #:nodoc:
       none: "'none'",
     }.freeze
 
-    # List of available features can be found at
-    # https://github.com/WICG/feature-policy/blob/master/features.md#policy-controlled-features
+    # List of available permissions can be found at
+    # https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#policy-controlled-features
     DIRECTIVES = {
       accelerometer:        "accelerometer",
       ambient_light_sensor: "ambient-light-sensor",
@@ -121,14 +126,14 @@ module ActionDispatch #:nodoc:
           when String, Proc
             source
           else
-            raise ArgumentError, "Invalid HTTP feature policy source: #{source.inspect}"
+            raise ArgumentError, "Invalid HTTP permissions policy source: #{source.inspect}"
           end
         end
       end
 
       def apply_mapping(source)
         MAPPINGS.fetch(source) do
-          raise ArgumentError, "Unknown HTTP feature policy source mapping: #{source.inspect}"
+          raise ArgumentError, "Unknown HTTP permissions policy source mapping: #{source.inspect}"
         end
       end
 
@@ -156,12 +161,12 @@ module ActionDispatch #:nodoc:
           source.to_s
         when Proc
           if context.nil?
-            raise RuntimeError, "Missing context for the dynamic feature policy source: #{source.inspect}"
+            raise RuntimeError, "Missing context for the dynamic permissions policy source: #{source.inspect}"
           else
             context.instance_exec(&source)
           end
         else
-          raise RuntimeError, "Unexpected feature policy source: #{source.inspect}"
+          raise RuntimeError, "Unexpected permissions policy source: #{source.inspect}"
         end
       end
   end

data/lib/action_dispatch/http/request.rb

@@ -23,7 +23,7 @@ module ActionDispatch
     include ActionDispatch::Http::FilterParameters
     include ActionDispatch::Http::URL
     include ActionDispatch::ContentSecurityPolicy::Request
-    include ActionDispatch::FeaturePolicy::Request
+    include ActionDispatch::PermissionsPolicy::Request
     include Rack::Request::Env
 
     autoload :Session, "action_dispatch/request/session"

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -51,9 +51,9 @@ module ActionDispatch
 
         def sanitize_string(host)
           if host.start_with?(".")
-            /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/
+            /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
           else
-            host
+            /\A#{host}\z/i
           end
         end
     end

data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb

@@ -1,5 +1,7 @@
 <% if exception.respond_to?(:original_message) && exception.respond_to?(:corrections) %>
-  <h2><%= h exception.original_message %></h2>
+  <div class="exception-message">
+    <%= simple_format h(exception.original_message), { class: "message" }, wrapper_tag: "div" %>
+  </div>
   <%
     # The 'did_you_mean' gem can raise exceptions when calling #corrections on
     # the exception. If it does there are no corrections to show.
@@ -14,5 +16,7 @@
     </ul>
   <% end %>
 <% else %>
-  <h2><%= h exception.message %></h2>
+  <div class="exception-message">
+    <%= simple_format h(exception.message), { class: "message" }, wrapper_tag: "div" %>
+  </div>
 <% end %>

data/lib/action_dispatch/middleware/templates/rescues/layout.erb

@@ -49,6 +49,18 @@
       line-height: 25px;
     }
 
+    .exception-message {
+      padding: 8px 0;
+    }
+
+    .exception-message .message{
+      margin-bottom: 8px;
+      line-height: 25px;
+      font-size: 1.5em;
+      font-weight: bold;
+      color: #C00;
+    }
+
     .details {
       border: 1px solid #D0D0D0;
       border-radius: 4px;

data/lib/action_pack/gem_version.rb

@@ -10,7 +10,7 @@ module ActionPack
     MAJOR = 6
     MINOR = 1
     TINY  = 0
-    PRE   = "rc1"
+    PRE   = "rc2"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 6.1.0.rc1
+  version: 6.1.0.rc2
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-11-02 00:00:00.000000000 Z
+date: 2020-12-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.0.rc1
+        version: 6.1.0.rc2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.0.rc1
+        version: 6.1.0.rc2
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.0.rc1
+        version: 6.1.0.rc2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.0.rc1
+        version: 6.1.0.rc2
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.0.rc1
+        version: 6.1.0.rc2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.0.rc1
+        version: 6.1.0.rc2
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -161,7 +161,6 @@ files:
 - lib/action_controller/metal/etag_with_flash.rb
 - lib/action_controller/metal/etag_with_template_digest.rb
 - lib/action_controller/metal/exceptions.rb
-- lib/action_controller/metal/feature_policy.rb
 - lib/action_controller/metal/flash.rb
 - lib/action_controller/metal/head.rb
 - lib/action_controller/metal/helpers.rb
@@ -173,6 +172,7 @@ files:
 - lib/action_controller/metal/mime_responds.rb
 - lib/action_controller/metal/parameter_encoding.rb
 - lib/action_controller/metal/params_wrapper.rb
+- lib/action_controller/metal/permissions_policy.rb
 - lib/action_controller/metal/redirecting.rb
 - lib/action_controller/metal/renderers.rb
 - lib/action_controller/metal/rendering.rb
@@ -191,7 +191,6 @@ files:
 - lib/action_dispatch/http/cache.rb
 - lib/action_dispatch/http/content_disposition.rb
 - lib/action_dispatch/http/content_security_policy.rb
-- lib/action_dispatch/http/feature_policy.rb
 - lib/action_dispatch/http/filter_parameters.rb
 - lib/action_dispatch/http/filter_redirect.rb
 - lib/action_dispatch/http/headers.rb
@@ -199,6 +198,7 @@ files:
 - lib/action_dispatch/http/mime_type.rb
 - lib/action_dispatch/http/mime_types.rb
 - lib/action_dispatch/http/parameters.rb
+- lib/action_dispatch/http/permissions_policy.rb
 - lib/action_dispatch/http/rack_cache.rb
 - lib/action_dispatch/http/request.rb
 - lib/action_dispatch/http/response.rb
@@ -309,10 +309,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.1.0.rc1/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.1.0.rc1/
+  changelog_uri: https://github.com/rails/rails/blob/v6.1.0.rc2/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.1.0.rc2/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.1.0.rc1/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v6.1.0.rc2/actionpack
 post_install_message: 
 rdoc_options: []
 require_paths: