RubyGems - actionpack - Versions diffs - 6.1.7.5 → 7.1.3.1 - Mend

actionpack 6.1.7.5 → 7.1.3.1

Files changed (160) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +355 -435
data/MIT-LICENSE +2 -1
data/README.rdoc +6 -7
data/lib/abstract_controller/asset_paths.rb +1 -1
data/lib/abstract_controller/base.rb +33 -37
data/lib/abstract_controller/caching/fragments.rb +4 -2
data/lib/abstract_controller/caching.rb +1 -1
data/lib/abstract_controller/callbacks.rb +50 -11
data/lib/abstract_controller/collector.rb +2 -2
data/lib/abstract_controller/deprecator.rb +7 -0
data/lib/abstract_controller/error.rb +1 -1
data/lib/abstract_controller/helpers.rb +78 -30
data/lib/abstract_controller/logger.rb +1 -1
data/lib/abstract_controller/railties/routes_helpers.rb +3 -16
data/lib/abstract_controller/rendering.rb +12 -14
data/lib/abstract_controller/translation.rb +26 -7
data/lib/abstract_controller/url_for.rb +6 -6
data/lib/abstract_controller.rb +6 -0
data/lib/action_controller/api.rb +12 -10
data/lib/action_controller/base.rb +8 -21
data/lib/action_controller/caching.rb +2 -0
data/lib/action_controller/deprecator.rb +7 -0
data/lib/action_controller/form_builder.rb +4 -2
data/lib/action_controller/log_subscriber.rb +20 -7
data/lib/action_controller/metal/basic_implicit_render.rb +3 -1
data/lib/action_controller/metal/conditional_get.rb +137 -102
data/lib/action_controller/metal/content_security_policy.rb +37 -3
data/lib/action_controller/metal/cookies.rb +1 -1
data/lib/action_controller/metal/data_streaming.rb +25 -31
data/lib/action_controller/metal/default_headers.rb +2 -0
data/lib/action_controller/metal/etag_with_flash.rb +3 -1
data/lib/action_controller/metal/etag_with_template_digest.rb +2 -0
data/lib/action_controller/metal/exceptions.rb +27 -30
data/lib/action_controller/metal/flash.rb +6 -2
data/lib/action_controller/metal/head.rb +9 -7
data/lib/action_controller/metal/helpers.rb +5 -16
data/lib/action_controller/metal/http_authentication.rb +78 -42
data/lib/action_controller/metal/implicit_render.rb +5 -3
data/lib/action_controller/metal/instrumentation.rb +62 -50
data/lib/action_controller/metal/live.rb +67 -2
data/lib/action_controller/metal/mime_responds.rb +5 -5
data/lib/action_controller/metal/params_wrapper.rb +24 -13
data/lib/action_controller/metal/permissions_policy.rb +20 -29
data/lib/action_controller/metal/redirecting.rb +96 -23
data/lib/action_controller/metal/renderers.rb +14 -15
data/lib/action_controller/metal/rendering.rb +121 -16
data/lib/action_controller/metal/request_forgery_protection.rb +208 -68
data/lib/action_controller/metal/rescue.rb +7 -4
data/lib/action_controller/metal/streaming.rb +74 -36
data/lib/action_controller/metal/strong_parameters.rb +254 -151
data/lib/action_controller/metal/testing.rb +9 -2
data/lib/action_controller/metal/url_for.rb +10 -5
data/lib/action_controller/metal.rb +89 -34
data/lib/action_controller/railtie.rb +66 -9
data/lib/action_controller/renderer.rb +99 -85
data/lib/action_controller/test_case.rb +42 -11
data/lib/action_controller.rb +10 -6
data/lib/action_dispatch/constants.rb +32 -0
data/lib/action_dispatch/deprecator.rb +7 -0
data/lib/action_dispatch/http/cache.rb +21 -16
data/lib/action_dispatch/http/content_security_policy.rb +122 -44
data/lib/action_dispatch/http/filter_parameters.rb +14 -23
data/lib/action_dispatch/http/headers.rb +3 -1
data/lib/action_dispatch/http/mime_negotiation.rb +25 -15
data/lib/action_dispatch/http/mime_type.rb +43 -22
data/lib/action_dispatch/http/mime_types.rb +3 -1
data/lib/action_dispatch/http/parameters.rb +6 -6
data/lib/action_dispatch/http/permissions_policy.rb +57 -19
data/lib/action_dispatch/http/rack_cache.rb +2 -0
data/lib/action_dispatch/http/request.rb +75 -51
data/lib/action_dispatch/http/response.rb +81 -77
data/lib/action_dispatch/http/upload.rb +15 -2
data/lib/action_dispatch/http/url.rb +11 -19
data/lib/action_dispatch/journey/formatter.rb +8 -2
data/lib/action_dispatch/journey/gtg/builder.rb +11 -12
data/lib/action_dispatch/journey/gtg/simulator.rb +10 -4
data/lib/action_dispatch/journey/gtg/transition_table.rb +77 -21
data/lib/action_dispatch/journey/nodes/node.rb +70 -5
data/lib/action_dispatch/journey/path/pattern.rb +36 -27
data/lib/action_dispatch/journey/route.rb +8 -14
data/lib/action_dispatch/journey/router/utils.rb +2 -2
data/lib/action_dispatch/journey/router.rb +10 -9
data/lib/action_dispatch/journey/routes.rb +5 -5
data/lib/action_dispatch/journey/visualizer/fsm.js +49 -24
data/lib/action_dispatch/journey/visualizer/index.html.erb +1 -1
data/lib/action_dispatch/log_subscriber.rb +23 -0
data/lib/action_dispatch/middleware/actionable_exceptions.rb +5 -7
data/lib/action_dispatch/middleware/assume_ssl.rb +24 -0
data/lib/action_dispatch/middleware/callbacks.rb +2 -0
data/lib/action_dispatch/middleware/cookies.rb +97 -107
data/lib/action_dispatch/middleware/debug_exceptions.rb +31 -28
data/lib/action_dispatch/middleware/debug_locks.rb +7 -4
data/lib/action_dispatch/middleware/debug_view.rb +7 -2
data/lib/action_dispatch/middleware/exception_wrapper.rb +190 -27
data/lib/action_dispatch/middleware/executor.rb +3 -0
data/lib/action_dispatch/middleware/flash.rb +24 -18
data/lib/action_dispatch/middleware/host_authorization.rb +19 -20
data/lib/action_dispatch/middleware/public_exceptions.rb +5 -3
data/lib/action_dispatch/middleware/reloader.rb +7 -5
data/lib/action_dispatch/middleware/remote_ip.rb +32 -19
data/lib/action_dispatch/middleware/request_id.rb +5 -3
data/lib/action_dispatch/middleware/server_timing.rb +76 -0
data/lib/action_dispatch/middleware/session/abstract_store.rb +6 -1
data/lib/action_dispatch/middleware/session/cache_store.rb +2 -0
data/lib/action_dispatch/middleware/session/cookie_store.rb +19 -13
data/lib/action_dispatch/middleware/session/mem_cache_store.rb +3 -1
data/lib/action_dispatch/middleware/show_exceptions.rb +30 -25
data/lib/action_dispatch/middleware/ssl.rb +18 -6
data/lib/action_dispatch/middleware/stack.rb +34 -11
data/lib/action_dispatch/middleware/static.rb +16 -16
data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +2 -2
data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +5 -5
data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +4 -11
data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +8 -1
data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +2 -2
data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +10 -5
data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +7 -3
data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +9 -9
data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +2 -2
data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +3 -3
data/lib/action_dispatch/middleware/templates/rescues/layout.erb +45 -18
data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -15
data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +4 -4
data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +6 -6
data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +7 -7
data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +4 -4
data/lib/action_dispatch/middleware/templates/rescues/unknown_action.text.erb +1 -1
data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +3 -0
data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +64 -55
data/lib/action_dispatch/railtie.rb +20 -4
data/lib/action_dispatch/request/session.rb +59 -19
data/lib/action_dispatch/request/utils.rb +8 -3
data/lib/action_dispatch/routing/inspector.rb +55 -7
data/lib/action_dispatch/routing/mapper.rb +117 -107
data/lib/action_dispatch/routing/polymorphic_routes.rb +2 -0
data/lib/action_dispatch/routing/redirection.rb +20 -8
data/lib/action_dispatch/routing/route_set.rb +67 -27
data/lib/action_dispatch/routing/routes_proxy.rb +11 -16
data/lib/action_dispatch/routing/url_for.rb +29 -26
data/lib/action_dispatch/routing.rb +12 -13
data/lib/action_dispatch/system_test_case.rb +8 -8
data/lib/action_dispatch/system_testing/browser.rb +20 -29
data/lib/action_dispatch/system_testing/driver.rb +34 -18
data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +35 -20
data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +0 -8
data/lib/action_dispatch/testing/assertion_response.rb +1 -1
data/lib/action_dispatch/testing/assertions/response.rb +14 -7
data/lib/action_dispatch/testing/assertions/routing.rb +70 -30
data/lib/action_dispatch/testing/assertions.rb +3 -4
data/lib/action_dispatch/testing/integration.rb +33 -25
data/lib/action_dispatch/testing/request_encoder.rb +4 -1
data/lib/action_dispatch/testing/test_process.rb +5 -30
data/lib/action_dispatch/testing/test_request.rb +1 -1
data/lib/action_dispatch/testing/test_response.rb +34 -2
data/lib/action_dispatch.rb +38 -4
data/lib/action_pack/gem_version.rb +4 -4
data/lib/action_pack/version.rb +1 -1
data/lib/action_pack.rb +1 -1
metadata +67 -30

data/lib/action_dispatch/http/mime_negotiation.rb CHANGED Viewed

@@ -16,12 +16,26 @@ module ActionDispatch
       included do
         mattr_accessor :ignore_accept_header, default: false
+        def return_only_media_type_on_content_type=(value)
+          ActionDispatch.deprecator.warn(
+            "`config.action_dispatch.return_only_request_media_type_on_content_type` is deprecated and will" \
+              " be removed in Rails 7.2."
+          )
+        end
+        def return_only_media_type_on_content_type
+          ActionDispatch.deprecator.warn(
+            "`config.action_dispatch.return_only_request_media_type_on_content_type` is deprecated and will" \
+            " be removed in Rails 7.2."
+          )
+        end
       end
       # The MIME type of the HTTP request, such as Mime[:xml].
       def content_mime_type
         fetch_header("action_dispatch.request.content_type") do |k|
-          v = if get_header("CONTENT_TYPE") =~ /^([^,\;]*)/
+          v = if get_header("CONTENT_TYPE") =~ /^([^,;]*)/
             Mime::Type.lookup($1.strip.downcase)
           else
             nil
@@ -32,10 +46,6 @@ module ActionDispatch
         end
       end
-      def content_type
-        content_mime_type && content_mime_type.to_s
-      end
       def has_content_type? # :nodoc:
         get_header "CONTENT_TYPE"
       end
@@ -62,7 +72,7 @@ module ActionDispatch
       #   GET /posts/5.xhtml | request.format => Mime[:html]
       #   GET /posts/5       | request.format => Mime[:html] or Mime[:js], or request.accepts.first
       #
-      def format(view_path = [])
+      def format(_view_path = nil)
         formats.first || Mime::NullType.instance
       end
@@ -71,7 +81,7 @@ module ActionDispatch
           v = if params_readable?
             Array(Mime[parameters[:format]])
           elsif use_accept_header && valid_accept_header
-            accepts
+            accepts.dup
           elsif extension_format = format_from_path_extension
             [extension_format]
           elsif xhr?
@@ -80,7 +90,7 @@ module ActionDispatch
             [Mime[:html]]
           end
-          v = v.select do |format|
+          v.select! do |format|
             format.symbol || format.ref == "*/*"
           end
@@ -92,7 +102,7 @@ module ActionDispatch
       def variant=(variant)
         variant = Array(variant)
-        if variant.all? { |v| v.is_a?(Symbol) }
+        if variant.all?(Symbol)
           @variant = ActiveSupport::ArrayInquirer.new(variant)
         else
           raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols."
@@ -122,8 +132,8 @@ module ActionDispatch
       # Sets the \formats by string extensions. This differs from #format= by allowing you
       # to set multiple, ordered formats, which is useful when you want to have a fallback.
       #
-      # In this example, the :iphone format will be used if it's available, otherwise it'll fallback
-      # to the :html format.
+      # In this example, the +:iphone+ format will be used if it's available, otherwise it'll fall back
+      # to the +:html+ format.
       #
       #   class ApplicationController < ActionController::Base
       #     before_action :adjust_format_for_iphone_with_html_fallback
@@ -162,22 +172,22 @@ module ActionDispatch
         # in which case we assume you're a browser and send HTML.
         BROWSER_LIKE_ACCEPTS = /,\s*\*\/\*|\*\/\*\s*,/
-        def params_readable? # :doc:
+        def params_readable?
           parameters[:format]
         rescue *RESCUABLE_MIME_FORMAT_ERRORS
           false
         end
-        def valid_accept_header # :doc:
+        def valid_accept_header
           (xhr? && (accept.present? || content_mime_type)) ||
             (accept.present? && !accept.match?(BROWSER_LIKE_ACCEPTS))
         end
-        def use_accept_header # :doc:
+        def use_accept_header
           !self.class.ignore_accept_header
         end
-        def format_from_path_extension # :doc:
+        def format_from_path_extension
           path = get_header("action_dispatch.original_path") || get_header("PATH_INFO")
           if match = path && path.match(/\.(\w+)\z/)
             Mime[match.captures.first]

data/lib/action_dispatch/http/mime_type.rb CHANGED Viewed

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 require "singleton"
-require "active_support/core_ext/symbol/starts_ends_with"
 module Mime
   class Mimes
@@ -12,25 +11,34 @@ module Mime
     def initialize
       @mimes = []
       @symbols = []
+      @symbols_set = Set.new
     end
-    def each
-      @mimes.each { |x| yield x }
+    def each(&block)
+      @mimes.each(&block)
     end
     def <<(type)
       @mimes << type
-      @symbols << type.to_sym
+      sym_type = type.to_sym
+      @symbols << sym_type
+      @symbols_set << sym_type
     end
     def delete_if
       @mimes.delete_if do |x|
         if yield x
-          @symbols.delete(x.to_sym)
+          sym_type = x.to_sym
+          @symbols.delete(sym_type)
+          @symbols_set.delete(sym_type)
           true
         end
       end
     end
+    def valid_symbols?(symbols) # :nodoc
+      symbols.all? { |s| @symbols_set.include?(s) }
+    end
   end
   SET              = Mimes.new
@@ -43,9 +51,17 @@ module Mime
       Type.lookup_by_extension(type)
     end
-    def fetch(type)
+    def symbols
+      SET.symbols
+    end
+    def valid_symbols?(symbols) # :nodoc:
+      SET.valid_symbols?(symbols)
+    end
+    def fetch(type, &block)
       return type if type.is_a?(Type)
-      EXTENSION_LOOKUP.fetch(type.to_s) { |k| yield k }
+      EXTENSION_LOOKUP.fetch(type.to_s, &block)
     end
   end
@@ -68,7 +84,7 @@ module Mime
     @register_callbacks = []
     # A simple helper class used in parsing the accept header.
-    class AcceptItem #:nodoc:
+    class AcceptItem # :nodoc:
       attr_accessor :index, :name, :q
       alias :to_s :name
@@ -86,7 +102,7 @@ module Mime
       end
     end
-    class AcceptList #:nodoc:
+    class AcceptList # :nodoc:
       def self.sort!(list)
         list.sort!
@@ -136,14 +152,18 @@ module Mime
     class << self
       TRAILING_STAR_REGEXP = /^(text|application)\/\*/
-      PARAMETER_SEPARATOR_REGEXP = /;\s*\w+="?\w+"?/
+      # all media-type parameters need to be before the q-parameter
+      # https://www.rfc-editor.org/rfc/rfc7231#section-5.3.2
+      PARAMETER_SEPARATOR_REGEXP = /;\s*q="?/
+      ACCEPT_HEADER_REGEXP = /[^,\s"](?:[^,"]|"[^"]*")*/
       def register_callback(&block)
         @register_callbacks << block
       end
       def lookup(string)
-        LOOKUP[string] || Type.new(string)
+        # fallback to the media-type without parameters if it was not found
+        LOOKUP[string] || LOOKUP[string.split(";", 2)[0]&.rstrip] || Type.new(string)
       end
       def lookup_by_extension(extension)
@@ -172,12 +192,14 @@ module Mime
       def parse(accept_header)
         if !accept_header.include?(",")
-          accept_header = accept_header.split(PARAMETER_SEPARATOR_REGEXP).first
-          return [] unless accept_header
-          parse_trailing_star(accept_header) || [Mime::Type.lookup(accept_header)].compact
+          if (index = accept_header.index(PARAMETER_SEPARATOR_REGEXP))
+            accept_header = accept_header[0, index].strip
+          end
+          return [] if accept_header.blank?
+          parse_trailing_star(accept_header) || Array(Mime::Type.lookup(accept_header))
         else
           list, index = [], 0
-          accept_header.split(",").each do |header|
+          accept_header.scan(ACCEPT_HEADER_REGEXP).each do |header|
             params, q = header.split(PARAMETER_SEPARATOR_REGEXP)
             next unless params
@@ -200,10 +222,10 @@ module Mime
       end
       # For an input of <tt>'text'</tt>, returns <tt>[Mime[:json], Mime[:xml], Mime[:ics],
-      # Mime[:html], Mime[:css], Mime[:csv], Mime[:js], Mime[:yaml], Mime[:text]</tt>.
+      # Mime[:html], Mime[:css], Mime[:csv], Mime[:js], Mime[:yaml], Mime[:text]]</tt>.
       #
       # For an input of <tt>'application'</tt>, returns <tt>[Mime[:html], Mime[:js],
-      # Mime[:xml], Mime[:yaml], Mime[:atom], Mime[:json], Mime[:rss], Mime[:url_encoded_form]</tt>.
+      # Mime[:xml], Mime[:yaml], Mime[:atom], Mime[:json], Mime[:rss], Mime[:url_encoded_form]]</tt>.
       def parse_data_with_trailing_star(type)
         Mime::SET.select { |m| m.match?(type) }
       end
@@ -226,10 +248,9 @@ module Mime
     attr_reader :hash
     MIME_NAME = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
-    MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
-    MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
-    MIME_PARAMETER = "\s*\;\s*#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
-    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
+    MIME_PARAMETER_VALUE = "(?:#{MIME_NAME}|\"[^\"\r\\\\]*\")"
+    MIME_PARAMETER = "\s*;\s*#{MIME_NAME}(?:=#{MIME_PARAMETER_VALUE})?"
+    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>#{MIME_PARAMETER})*\s*)\z/
     class InvalidMimeType < StandardError; end
@@ -293,7 +314,7 @@ module Mime
     end
     def html?
-      (symbol == :html) || /html/.match?(@string)
+      (symbol == :html) || @string.include?("html")
     end
     def all?; false; end

data/lib/action_dispatch/http/mime_types.rb CHANGED Viewed

@@ -18,6 +18,7 @@ Mime::Type.register "image/gif", :gif, [], %w(gif)
 Mime::Type.register "image/bmp", :bmp, [], %w(bmp)
 Mime::Type.register "image/tiff", :tiff, [], %w(tif tiff)
 Mime::Type.register "image/svg+xml", :svg
+Mime::Type.register "image/webp", :webp, [], %w(webp)
 Mime::Type.register "video/mpeg", :mpeg, [], %w(mpg mpeg mpe)
@@ -43,7 +44,8 @@ Mime::Type.register "application/x-www-form-urlencoded", :url_encoded_form
 # https://www.ietf.org/rfc/rfc4627.txt
 # http://www.json.org/JSONRequest.html
-Mime::Type.register "application/json", :json, %w( text/x-json application/jsonrequest )
+# https://www.ietf.org/rfc/rfc7807.txt
+Mime::Type.register "application/json", :json, %w( text/x-json application/jsonrequest application/problem+json )
 Mime::Type.register "application/pdf", :pdf, [], %w(pdf)
 Mime::Type.register "application/zip", :zip, [], %w(zip)

data/lib/action_dispatch/http/parameters.rb CHANGED Viewed

@@ -17,8 +17,8 @@ module ActionDispatch
       # Raised when raw data from the request cannot be parsed by the parser
       # defined for request's content MIME type.
       class ParseError < StandardError
-        def initialize
-          super($!.message)
+        def initialize(message = $!.message)
+          super(message)
         end
       end
@@ -62,7 +62,7 @@ module ActionDispatch
       end
       alias :params :parameters
-      def path_parameters=(parameters) #:nodoc:
+      def path_parameters=(parameters) # :nodoc:
         delete_header("action_dispatch.request.parameters")
         parameters = Request::Utils.set_binary_encoding(self, parameters, parameters[:controller], parameters[:action])
@@ -76,9 +76,9 @@ module ActionDispatch
       end
       # Returns a hash with the \parameters used to form the \path of the request.
-      # Returned hash keys are strings:
+      # Returned hash keys are symbols:
       #
-      #   {'action' => 'my_action', 'controller' => 'my_controller'}
+      #   { action: "my_action", controller: "my_controller" }
       def path_parameters
         get_header(PARAMETERS_KEY) || set_header(PARAMETERS_KEY, {})
       end
@@ -93,7 +93,7 @@ module ActionDispatch
             strategy.call(raw_post)
           rescue # JSON or Ruby code block errors.
             log_parse_error_once
-            raise ParseError
+            raise ParseError, "Error occurred while parsing request parameters"
           end
         end

data/lib/action_dispatch/http/permissions_policy.rb CHANGED Viewed

@@ -2,34 +2,50 @@
 require "active_support/core_ext/object/deep_dup"
-module ActionDispatch #:nodoc:
+module ActionDispatch # :nodoc:
+  # = Action Dispatch \PermissionsPolicy
+  #
+  # Configures the HTTP
+  # {Feature-Policy}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy]
+  # response header to specify which browser features the current document and
+  # its iframes can use.
+  #
+  # Example global policy:
+  #
+  #   Rails.application.config.permissions_policy do |policy|
+  #     policy.camera      :none
+  #     policy.gyroscope   :none
+  #     policy.microphone  :none
+  #     policy.usb         :none
+  #     policy.fullscreen  :self
+  #     policy.payment     :self, "https://secure.example.com"
+  #   end
+  #
+  # The Feature-Policy header has been renamed to Permissions-Policy.
+  # The Permissions-Policy requires a different implementation and isn't
+  # yet supported by all browsers. To avoid having to rename this
+  # middleware in the future we use the new name for the middleware but
+  # keep the old header name and implementation for now.
   class PermissionsPolicy
     class Middleware
-      CONTENT_TYPE = "Content-Type"
-      # The Feature-Policy header has been renamed to Permissions-Policy.
-      # The Permissions-Policy requires a different implementation and isn't
-      # yet supported by all browsers. To avoid having to rename this
-      # middleware in the future we use the new name for the middleware but
-      # keep the old header name and implementation for now.
-      POLICY       = "Feature-Policy"
       def initialize(app)
         @app = app
       end
       def call(env)
-        request = ActionDispatch::Request.new(env)
         _, headers, _ = response = @app.call(env)
         return response unless html_response?(headers)
         return response if policy_present?(headers)
+        request = ActionDispatch::Request.new(env)
         if policy = request.permissions_policy
-          headers[POLICY] = policy.build(request.controller_instance)
+          headers[ActionDispatch::Constants::FEATURE_POLICY] = policy.build(request.controller_instance)
         end
         if policy_empty?(policy)
-          headers.delete(POLICY)
+          headers.delete(ActionDispatch::Constants::FEATURE_POLICY)
         end
         response
@@ -37,13 +53,13 @@ module ActionDispatch #:nodoc:
       private
         def html_response?(headers)
-          if content_type = headers[CONTENT_TYPE]
-            /html/.match?(content_type)
+          if content_type = headers[Rack::CONTENT_TYPE]
+            content_type.include?("html")
           end
         end
         def policy_present?(headers)
-          headers[POLICY]
+          headers[ActionDispatch::Constants::FEATURE_POLICY]
         end
         def policy_empty?(policy)
@@ -69,7 +85,7 @@ module ActionDispatch #:nodoc:
     }.freeze
     # List of available permissions can be found at
-    # https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#policy-controlled-features
+    # https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md#policy-controlled-features
     DIRECTIVES = {
       accelerometer:        "accelerometer",
       ambient_light_sensor: "ambient-light-sensor",
@@ -79,15 +95,18 @@ module ActionDispatch #:nodoc:
       fullscreen:           "fullscreen",
       geolocation:          "geolocation",
       gyroscope:            "gyroscope",
+      hid:                  "hid",
+      idle_detection:       "idle_detection",
       magnetometer:         "magnetometer",
       microphone:           "microphone",
       midi:                 "midi",
       payment:              "payment",
       picture_in_picture:   "picture-in-picture",
-      speaker:              "speaker",
+      screen_wake_lock:     "screen-wake-lock",
+      serial:               "serial",
+      sync_xhr:             "sync-xhr",
       usb:                  "usb",
-      vibrate:              "vibrate",
-      vr:                   "vr",
+      web_share:            "web-share",
     }.freeze
     private_constant :MAPPINGS, :DIRECTIVES
@@ -113,6 +132,25 @@ module ActionDispatch #:nodoc:
       end
     end
+    %w[speaker vibrate vr].each do |directive|
+      define_method(directive) do |*sources|
+        ActionDispatch.deprecator.warn(<<~MSG)
+          The `#{directive}` permissions policy directive is deprecated
+          and will be removed in Rails 7.2.
+          There is no browser support for this directive, and no plan
+          for browser support in the future. You can just remove this
+          directive from your application.
+        MSG
+        if sources.first
+          @directives[directive] = apply_mappings(sources)
+        else
+          @directives.delete(directive)
+        end
+      end
+    end
     def build(context = nil)
       build_directives(context).compact.join("; ")
     end

data/lib/action_dispatch/http/rack_cache.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
+# :enddoc:
 require "rack/cache"
 require "rack/cache/context"
 require "active_support/cache"