RubyGems - actionpack - Versions diffs - 6.1.7.5 → 7.1.3.1 - Mend

actionpack 6.1.7.5 → 7.1.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of actionpack might be problematic. Click here for more details.

Files changed (160) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +355 -435
data/MIT-LICENSE +2 -1
data/README.rdoc +6 -7
data/lib/abstract_controller/asset_paths.rb +1 -1
data/lib/abstract_controller/base.rb +33 -37
data/lib/abstract_controller/caching/fragments.rb +4 -2
data/lib/abstract_controller/caching.rb +1 -1
data/lib/abstract_controller/callbacks.rb +50 -11
data/lib/abstract_controller/collector.rb +2 -2
data/lib/abstract_controller/deprecator.rb +7 -0
data/lib/abstract_controller/error.rb +1 -1
data/lib/abstract_controller/helpers.rb +78 -30
data/lib/abstract_controller/logger.rb +1 -1
data/lib/abstract_controller/railties/routes_helpers.rb +3 -16
data/lib/abstract_controller/rendering.rb +12 -14
data/lib/abstract_controller/translation.rb +26 -7
data/lib/abstract_controller/url_for.rb +6 -6
data/lib/abstract_controller.rb +6 -0
data/lib/action_controller/api.rb +12 -10
data/lib/action_controller/base.rb +8 -21
data/lib/action_controller/caching.rb +2 -0
data/lib/action_controller/deprecator.rb +7 -0
data/lib/action_controller/form_builder.rb +4 -2
data/lib/action_controller/log_subscriber.rb +20 -7
data/lib/action_controller/metal/basic_implicit_render.rb +3 -1
data/lib/action_controller/metal/conditional_get.rb +137 -102
data/lib/action_controller/metal/content_security_policy.rb +37 -3
data/lib/action_controller/metal/cookies.rb +1 -1
data/lib/action_controller/metal/data_streaming.rb +25 -31
data/lib/action_controller/metal/default_headers.rb +2 -0
data/lib/action_controller/metal/etag_with_flash.rb +3 -1
data/lib/action_controller/metal/etag_with_template_digest.rb +2 -0
data/lib/action_controller/metal/exceptions.rb +27 -30
data/lib/action_controller/metal/flash.rb +6 -2
data/lib/action_controller/metal/head.rb +9 -7
data/lib/action_controller/metal/helpers.rb +5 -16
data/lib/action_controller/metal/http_authentication.rb +78 -42
data/lib/action_controller/metal/implicit_render.rb +5 -3
data/lib/action_controller/metal/instrumentation.rb +62 -50
data/lib/action_controller/metal/live.rb +67 -2
data/lib/action_controller/metal/mime_responds.rb +5 -5
data/lib/action_controller/metal/params_wrapper.rb +24 -13
data/lib/action_controller/metal/permissions_policy.rb +20 -29
data/lib/action_controller/metal/redirecting.rb +96 -23
data/lib/action_controller/metal/renderers.rb +14 -15
data/lib/action_controller/metal/rendering.rb +121 -16
data/lib/action_controller/metal/request_forgery_protection.rb +208 -68
data/lib/action_controller/metal/rescue.rb +7 -4
data/lib/action_controller/metal/streaming.rb +74 -36
data/lib/action_controller/metal/strong_parameters.rb +254 -151
data/lib/action_controller/metal/testing.rb +9 -2
data/lib/action_controller/metal/url_for.rb +10 -5
data/lib/action_controller/metal.rb +89 -34
data/lib/action_controller/railtie.rb +66 -9
data/lib/action_controller/renderer.rb +99 -85
data/lib/action_controller/test_case.rb +42 -11
data/lib/action_controller.rb +10 -6
data/lib/action_dispatch/constants.rb +32 -0
data/lib/action_dispatch/deprecator.rb +7 -0
data/lib/action_dispatch/http/cache.rb +21 -16
data/lib/action_dispatch/http/content_security_policy.rb +122 -44
data/lib/action_dispatch/http/filter_parameters.rb +14 -23
data/lib/action_dispatch/http/headers.rb +3 -1
data/lib/action_dispatch/http/mime_negotiation.rb +25 -15
data/lib/action_dispatch/http/mime_type.rb +43 -22
data/lib/action_dispatch/http/mime_types.rb +3 -1
data/lib/action_dispatch/http/parameters.rb +6 -6
data/lib/action_dispatch/http/permissions_policy.rb +57 -19
data/lib/action_dispatch/http/rack_cache.rb +2 -0
data/lib/action_dispatch/http/request.rb +75 -51
data/lib/action_dispatch/http/response.rb +81 -77
data/lib/action_dispatch/http/upload.rb +15 -2
data/lib/action_dispatch/http/url.rb +11 -19
data/lib/action_dispatch/journey/formatter.rb +8 -2
data/lib/action_dispatch/journey/gtg/builder.rb +11 -12
data/lib/action_dispatch/journey/gtg/simulator.rb +10 -4
data/lib/action_dispatch/journey/gtg/transition_table.rb +77 -21
data/lib/action_dispatch/journey/nodes/node.rb +70 -5
data/lib/action_dispatch/journey/path/pattern.rb +36 -27
data/lib/action_dispatch/journey/route.rb +8 -14
data/lib/action_dispatch/journey/router/utils.rb +2 -2
data/lib/action_dispatch/journey/router.rb +10 -9
data/lib/action_dispatch/journey/routes.rb +5 -5
data/lib/action_dispatch/journey/visualizer/fsm.js +49 -24
data/lib/action_dispatch/journey/visualizer/index.html.erb +1 -1
data/lib/action_dispatch/log_subscriber.rb +23 -0
data/lib/action_dispatch/middleware/actionable_exceptions.rb +5 -7
data/lib/action_dispatch/middleware/assume_ssl.rb +24 -0
data/lib/action_dispatch/middleware/callbacks.rb +2 -0
data/lib/action_dispatch/middleware/cookies.rb +97 -107
data/lib/action_dispatch/middleware/debug_exceptions.rb +31 -28
data/lib/action_dispatch/middleware/debug_locks.rb +7 -4
data/lib/action_dispatch/middleware/debug_view.rb +7 -2
data/lib/action_dispatch/middleware/exception_wrapper.rb +190 -27
data/lib/action_dispatch/middleware/executor.rb +3 -0
data/lib/action_dispatch/middleware/flash.rb +24 -18
data/lib/action_dispatch/middleware/host_authorization.rb +19 -20
data/lib/action_dispatch/middleware/public_exceptions.rb +5 -3
data/lib/action_dispatch/middleware/reloader.rb +7 -5
data/lib/action_dispatch/middleware/remote_ip.rb +32 -19
data/lib/action_dispatch/middleware/request_id.rb +5 -3
data/lib/action_dispatch/middleware/server_timing.rb +76 -0
data/lib/action_dispatch/middleware/session/abstract_store.rb +6 -1
data/lib/action_dispatch/middleware/session/cache_store.rb +2 -0
data/lib/action_dispatch/middleware/session/cookie_store.rb +19 -13
data/lib/action_dispatch/middleware/session/mem_cache_store.rb +3 -1
data/lib/action_dispatch/middleware/show_exceptions.rb +30 -25
data/lib/action_dispatch/middleware/ssl.rb +18 -6
data/lib/action_dispatch/middleware/stack.rb +34 -11
data/lib/action_dispatch/middleware/static.rb +16 -16
data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +2 -2
data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +5 -5
data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +4 -11
data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +8 -1
data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +2 -2
data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +10 -5
data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +7 -3
data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +9 -9
data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +2 -2
data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +3 -3
data/lib/action_dispatch/middleware/templates/rescues/layout.erb +45 -18
data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -15
data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +4 -4
data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +6 -6
data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +7 -7
data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +4 -4
data/lib/action_dispatch/middleware/templates/rescues/unknown_action.text.erb +1 -1
data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +3 -0
data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +64 -55
data/lib/action_dispatch/railtie.rb +20 -4
data/lib/action_dispatch/request/session.rb +59 -19
data/lib/action_dispatch/request/utils.rb +8 -3
data/lib/action_dispatch/routing/inspector.rb +55 -7
data/lib/action_dispatch/routing/mapper.rb +117 -107
data/lib/action_dispatch/routing/polymorphic_routes.rb +2 -0
data/lib/action_dispatch/routing/redirection.rb +20 -8
data/lib/action_dispatch/routing/route_set.rb +67 -27
data/lib/action_dispatch/routing/routes_proxy.rb +11 -16
data/lib/action_dispatch/routing/url_for.rb +29 -26
data/lib/action_dispatch/routing.rb +12 -13
data/lib/action_dispatch/system_test_case.rb +8 -8
data/lib/action_dispatch/system_testing/browser.rb +20 -29
data/lib/action_dispatch/system_testing/driver.rb +34 -18
data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +35 -20
data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +0 -8
data/lib/action_dispatch/testing/assertion_response.rb +1 -1
data/lib/action_dispatch/testing/assertions/response.rb +14 -7
data/lib/action_dispatch/testing/assertions/routing.rb +70 -30
data/lib/action_dispatch/testing/assertions.rb +3 -4
data/lib/action_dispatch/testing/integration.rb +33 -25
data/lib/action_dispatch/testing/request_encoder.rb +4 -1
data/lib/action_dispatch/testing/test_process.rb +5 -30
data/lib/action_dispatch/testing/test_request.rb +1 -1
data/lib/action_dispatch/testing/test_response.rb +34 -2
data/lib/action_dispatch.rb +38 -4
data/lib/action_pack/gem_version.rb +4 -4
data/lib/action_pack/version.rb +1 -1
data/lib/action_pack.rb +1 -1
metadata +67 -30

data/lib/action_dispatch/http/mime_negotiation.rb CHANGED Viewed

@@ -16,12 +16,26 @@ module ActionDispatch
       included do
         mattr_accessor :ignore_accept_header, default: false
+        def return_only_media_type_on_content_type=(value)
+          ActionDispatch.deprecator.warn(
+            "`config.action_dispatch.return_only_request_media_type_on_content_type` is deprecated and will" \
+              " be removed in Rails 7.2."
+          )
+        end
+        def return_only_media_type_on_content_type
+          ActionDispatch.deprecator.warn(
+            "`config.action_dispatch.return_only_request_media_type_on_content_type` is deprecated and will" \
+            " be removed in Rails 7.2."
+          )
+        end
       end
       # The MIME type of the HTTP request, such as Mime[:xml].
       def content_mime_type
         fetch_header("action_dispatch.request.content_type") do |k|
-          v = if get_header("CONTENT_TYPE") =~ /^([^,\;]*)/
+          v = if get_header("CONTENT_TYPE") =~ /^([^,;]*)/
             Mime::Type.lookup($1.strip.downcase)
           else
             nil
@@ -32,10 +46,6 @@ module ActionDispatch
         end
       end
-      def content_type
-        content_mime_type && content_mime_type.to_s
-      end
       def has_content_type? # :nodoc:
         get_header "CONTENT_TYPE"
       end
@@ -62,7 +72,7 @@ module ActionDispatch
       #   GET /posts/5.xhtml | request.format => Mime[:html]
       #   GET /posts/5       | request.format => Mime[:html] or Mime[:js], or request.accepts.first
       #
-      def format(view_path = [])
+      def format(_view_path = nil)
         formats.first || Mime::NullType.instance
       end
@@ -71,7 +81,7 @@ module ActionDispatch
           v = if params_readable?
             Array(Mime[parameters[:format]])
           elsif use_accept_header && valid_accept_header
-            accepts
+            accepts.dup
           elsif extension_format = format_from_path_extension
             [extension_format]
           elsif xhr?
@@ -80,7 +90,7 @@ module ActionDispatch
             [Mime[:html]]
           end
-          v = v.select do |format|
+          v.select! do |format|
             format.symbol || format.ref == "*/*"
           end
@@ -92,7 +102,7 @@ module ActionDispatch
       def variant=(variant)
         variant = Array(variant)
-        if variant.all? { |v| v.is_a?(Symbol) }
+        if variant.all?(Symbol)
           @variant = ActiveSupport::ArrayInquirer.new(variant)
         else
           raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols."
@@ -122,8 +132,8 @@ module ActionDispatch
       # Sets the \formats by string extensions. This differs from #format= by allowing you
       # to set multiple, ordered formats, which is useful when you want to have a fallback.
       #
-      # In this example, the :iphone format will be used if it's available, otherwise it'll fallback
-      # to the :html format.
+      # In this example, the +:iphone+ format will be used if it's available, otherwise it'll fall back
+      # to the +:html+ format.
       #
       #   class ApplicationController < ActionController::Base
       #     before_action :adjust_format_for_iphone_with_html_fallback
@@ -162,22 +172,22 @@ module ActionDispatch
         # in which case we assume you're a browser and send HTML.
         BROWSER_LIKE_ACCEPTS = /,\s*\*\/\*|\*\/\*\s*,/
-        def params_readable? # :doc:
+        def params_readable?
           parameters[:format]
         rescue *RESCUABLE_MIME_FORMAT_ERRORS
           false
         end
-        def valid_accept_header # :doc:
+        def valid_accept_header
           (xhr? && (accept.present? || content_mime_type)) ||
             (accept.present? && !accept.match?(BROWSER_LIKE_ACCEPTS))
         end
-        def use_accept_header # :doc:
+        def use_accept_header
           !self.class.ignore_accept_header
         end
-        def format_from_path_extension # :doc:
+        def format_from_path_extension
           path = get_header("action_dispatch.original_path") || get_header("PATH_INFO")
           if match = path && path.match(/\.(\w+)\z/)
             Mime[match.captures.first]

data/lib/action_dispatch/http/mime_type.rb CHANGED Viewed

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 require "singleton"
-require "active_support/core_ext/symbol/starts_ends_with"
 module Mime
   class Mimes
@@ -12,25 +11,34 @@ module Mime
     def initialize
       @mimes = []
       @symbols = []
+      @symbols_set = Set.new
     end
-    def each
-      @mimes.each { |x| yield x }
+    def each(&block)
+      @mimes.each(&block)
     end
     def <<(type)
       @mimes << type
-      @symbols << type.to_sym
+      sym_type = type.to_sym
+      @symbols << sym_type
+      @symbols_set << sym_type
     end
     def delete_if
       @mimes.delete_if do |x|
         if yield x
-          @symbols.delete(x.to_sym)
+          sym_type = x.to_sym
+          @symbols.delete(sym_type)
+          @symbols_set.delete(sym_type)
           true
         end
       end
     end
+    def valid_symbols?(symbols) # :nodoc
+      symbols.all? { |s| @symbols_set.include?(s) }
+    end
   end
   SET              = Mimes.new
@@ -43,9 +51,17 @@ module Mime
       Type.lookup_by_extension(type)
     end
-    def fetch(type)
+    def symbols
+      SET.symbols
+    end
+    def valid_symbols?(symbols) # :nodoc:
+      SET.valid_symbols?(symbols)
+    end
+    def fetch(type, &block)
       return type if type.is_a?(Type)
-      EXTENSION_LOOKUP.fetch(type.to_s) { |k| yield k }
+      EXTENSION_LOOKUP.fetch(type.to_s, &block)
     end
   end
@@ -68,7 +84,7 @@ module Mime
     @register_callbacks = []
     # A simple helper class used in parsing the accept header.
-    class AcceptItem #:nodoc:
+    class AcceptItem # :nodoc:
       attr_accessor :index, :name, :q
       alias :to_s :name
@@ -86,7 +102,7 @@ module Mime
       end
     end
-    class AcceptList #:nodoc:
+    class AcceptList # :nodoc:
       def self.sort!(list)
         list.sort!
@@ -136,14 +152,18 @@ module Mime
     class << self
       TRAILING_STAR_REGEXP = /^(text|application)\/\*/
-      PARAMETER_SEPARATOR_REGEXP = /;\s*\w+="?\w+"?/
+      # all media-type parameters need to be before the q-parameter
+      # https://www.rfc-editor.org/rfc/rfc7231#section-5.3.2
+      PARAMETER_SEPARATOR_REGEXP = /;\s*q="?/
+      ACCEPT_HEADER_REGEXP = /[^,\s"](?:[^,"]|"[^"]*")*/
       def register_callback(&block)
         @register_callbacks << block
       end
       def lookup(string)
-        LOOKUP[string] || Type.new(string)
+        # fallback to the media-type without parameters if it was not found
+        LOOKUP[string] || LOOKUP[string.split(";", 2)[0]&.rstrip] || Type.new(string)
       end
       def lookup_by_extension(extension)
@@ -172,12 +192,14 @@ module Mime
       def parse(accept_header)
         if !accept_header.include?(",")
-          accept_header = accept_header.split(PARAMETER_SEPARATOR_REGEXP).first
-          return [] unless accept_header
-          parse_trailing_star(accept_header) || [Mime::Type.lookup(accept_header)].compact
+          if (index = accept_header.index(PARAMETER_SEPARATOR_REGEXP))
+            accept_header = accept_header[0, index].strip
+          end
+          return [] if accept_header.blank?
+          parse_trailing_star(accept_header) || Array(Mime::Type.lookup(accept_header))
         else
           list, index = [], 0
-          accept_header.split(",").each do |header|
+          accept_header.scan(ACCEPT_HEADER_REGEXP).each do |header|
             params, q = header.split(PARAMETER_SEPARATOR_REGEXP)
             next unless params
@@ -200,10 +222,10 @@ module Mime
       end
       # For an input of <tt>'text'</tt>, returns <tt>[Mime[:json], Mime[:xml], Mime[:ics],
-      # Mime[:html], Mime[:css], Mime[:csv], Mime[:js], Mime[:yaml], Mime[:text]</tt>.
+      # Mime[:html], Mime[:css], Mime[:csv], Mime[:js], Mime[:yaml], Mime[:text]]</tt>.
       #
       # For an input of <tt>'application'</tt>, returns <tt>[Mime[:html], Mime[:js],
-      # Mime[:xml], Mime[:yaml], Mime[:atom], Mime[:json], Mime[:rss], Mime[:url_encoded_form]</tt>.
+      # Mime[:xml], Mime[:yaml], Mime[:atom], Mime[:json], Mime[:rss], Mime[:url_encoded_form]]</tt>.
       def parse_data_with_trailing_star(type)
         Mime::SET.select { |m| m.match?(type) }
       end
@@ -226,10 +248,9 @@ module Mime
     attr_reader :hash
     MIME_NAME = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
-    MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
-    MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
-    MIME_PARAMETER = "\s*\;\s*#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
-    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
+    MIME_PARAMETER_VALUE = "(?:#{MIME_NAME}|\"[^\"\r\\\\]*\")"
+    MIME_PARAMETER = "\s*;\s*#{MIME_NAME}(?:=#{MIME_PARAMETER_VALUE})?"
+    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>#{MIME_PARAMETER})*\s*)\z/
     class InvalidMimeType < StandardError; end
@@ -293,7 +314,7 @@ module Mime
     end
     def html?
-      (symbol == :html) || /html/.match?(@string)
+      (symbol == :html) || @string.include?("html")
     end
     def all?; false; end

data/lib/action_dispatch/http/mime_types.rb CHANGED Viewed

@@ -18,6 +18,7 @@ Mime::Type.register "image/gif", :gif, [], %w(gif)
 Mime::Type.register "image/bmp", :bmp, [], %w(bmp)
 Mime::Type.register "image/tiff", :tiff, [], %w(tif tiff)
 Mime::Type.register "image/svg+xml", :svg
+Mime::Type.register "image/webp", :webp, [], %w(webp)
 Mime::Type.register "video/mpeg", :mpeg, [], %w(mpg mpeg mpe)
@@ -43,7 +44,8 @@ Mime::Type.register "application/x-www-form-urlencoded", :url_encoded_form
 # https://www.ietf.org/rfc/rfc4627.txt
 # http://www.json.org/JSONRequest.html
-Mime::Type.register "application/json", :json, %w( text/x-json application/jsonrequest )
+# https://www.ietf.org/rfc/rfc7807.txt
+Mime::Type.register "application/json", :json, %w( text/x-json application/jsonrequest application/problem+json )
 Mime::Type.register "application/pdf", :pdf, [], %w(pdf)
 Mime::Type.register "application/zip", :zip, [], %w(zip)

data/lib/action_dispatch/http/parameters.rb CHANGED Viewed

@@ -17,8 +17,8 @@ module ActionDispatch
       # Raised when raw data from the request cannot be parsed by the parser
       # defined for request's content MIME type.
       class ParseError < StandardError
-        def initialize
-          super($!.message)
+        def initialize(message = $!.message)
+          super(message)
         end
       end
@@ -62,7 +62,7 @@ module ActionDispatch
       end
       alias :params :parameters
-      def path_parameters=(parameters) #:nodoc:
+      def path_parameters=(parameters) # :nodoc:
         delete_header("action_dispatch.request.parameters")
         parameters = Request::Utils.set_binary_encoding(self, parameters, parameters[:controller], parameters[:action])
@@ -76,9 +76,9 @@ module ActionDispatch
       end
       # Returns a hash with the \parameters used to form the \path of the request.
-      # Returned hash keys are strings:
+      # Returned hash keys are symbols:
       #
-      #   {'action' => 'my_action', 'controller' => 'my_controller'}
+      #   { action: "my_action", controller: "my_controller" }
       def path_parameters
         get_header(PARAMETERS_KEY) || set_header(PARAMETERS_KEY, {})
       end
@@ -93,7 +93,7 @@ module ActionDispatch
             strategy.call(raw_post)
           rescue # JSON or Ruby code block errors.
             log_parse_error_once
-            raise ParseError
+            raise ParseError, "Error occurred while parsing request parameters"
           end
         end

data/lib/action_dispatch/http/permissions_policy.rb CHANGED Viewed

@@ -2,34 +2,50 @@
 require "active_support/core_ext/object/deep_dup"
-module ActionDispatch #:nodoc:
+module ActionDispatch # :nodoc:
+  # = Action Dispatch \PermissionsPolicy
+  #
+  # Configures the HTTP
+  # {Feature-Policy}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy]
+  # response header to specify which browser features the current document and
+  # its iframes can use.
+  #
+  # Example global policy:
+  #
+  #   Rails.application.config.permissions_policy do |policy|
+  #     policy.camera      :none
+  #     policy.gyroscope   :none
+  #     policy.microphone  :none
+  #     policy.usb         :none
+  #     policy.fullscreen  :self
+  #     policy.payment     :self, "https://secure.example.com"
+  #   end
+  #
+  # The Feature-Policy header has been renamed to Permissions-Policy.
+  # The Permissions-Policy requires a different implementation and isn't
+  # yet supported by all browsers. To avoid having to rename this
+  # middleware in the future we use the new name for the middleware but
+  # keep the old header name and implementation for now.
   class PermissionsPolicy
     class Middleware
-      CONTENT_TYPE = "Content-Type"
-      # The Feature-Policy header has been renamed to Permissions-Policy.
-      # The Permissions-Policy requires a different implementation and isn't
-      # yet supported by all browsers. To avoid having to rename this
-      # middleware in the future we use the new name for the middleware but
-      # keep the old header name and implementation for now.
-      POLICY       = "Feature-Policy"
       def initialize(app)
         @app = app
       end
       def call(env)
-        request = ActionDispatch::Request.new(env)
         _, headers, _ = response = @app.call(env)
         return response unless html_response?(headers)
         return response if policy_present?(headers)
+        request = ActionDispatch::Request.new(env)
         if policy = request.permissions_policy
-          headers[POLICY] = policy.build(request.controller_instance)
+          headers[ActionDispatch::Constants::FEATURE_POLICY] = policy.build(request.controller_instance)
         end
         if policy_empty?(policy)
-          headers.delete(POLICY)
+          headers.delete(ActionDispatch::Constants::FEATURE_POLICY)
         end
         response
@@ -37,13 +53,13 @@ module ActionDispatch #:nodoc:
       private
         def html_response?(headers)
-          if content_type = headers[CONTENT_TYPE]
-            /html/.match?(content_type)
+          if content_type = headers[Rack::CONTENT_TYPE]
+            content_type.include?("html")
           end
         end
         def policy_present?(headers)
-          headers[POLICY]
+          headers[ActionDispatch::Constants::FEATURE_POLICY]
         end
         def policy_empty?(policy)
@@ -69,7 +85,7 @@ module ActionDispatch #:nodoc:
     }.freeze
     # List of available permissions can be found at
-    # https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#policy-controlled-features
+    # https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md#policy-controlled-features
     DIRECTIVES = {
       accelerometer:        "accelerometer",
       ambient_light_sensor: "ambient-light-sensor",
@@ -79,15 +95,18 @@ module ActionDispatch #:nodoc:
       fullscreen:           "fullscreen",
       geolocation:          "geolocation",
       gyroscope:            "gyroscope",
+      hid:                  "hid",
+      idle_detection:       "idle_detection",
       magnetometer:         "magnetometer",
       microphone:           "microphone",
       midi:                 "midi",
       payment:              "payment",
       picture_in_picture:   "picture-in-picture",
-      speaker:              "speaker",
+      screen_wake_lock:     "screen-wake-lock",
+      serial:               "serial",
+      sync_xhr:             "sync-xhr",
       usb:                  "usb",
-      vibrate:              "vibrate",
-      vr:                   "vr",
+      web_share:            "web-share",
     }.freeze
     private_constant :MAPPINGS, :DIRECTIVES
@@ -113,6 +132,25 @@ module ActionDispatch #:nodoc:
       end
     end
+    %w[speaker vibrate vr].each do |directive|
+      define_method(directive) do |*sources|
+        ActionDispatch.deprecator.warn(<<~MSG)
+          The `#{directive}` permissions policy directive is deprecated
+          and will be removed in Rails 7.2.
+          There is no browser support for this directive, and no plan
+          for browser support in the future. You can just remove this
+          directive from your application.
+        MSG
+        if sources.first
+          @directives[directive] = apply_mappings(sources)
+        else
+          @directives.delete(directive)
+        end
+      end
+    end
     def build(context = nil)
       build_directives(context).compact.join("; ")
     end

data/lib/action_dispatch/http/rack_cache.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
+# :enddoc:
 require "rack/cache"
 require "rack/cache/context"
 require "active_support/cache"