actionpack 6.1.7 → 7.0.4.1

data/lib/action_controller/metal/params_wrapper.rb

@@ -9,11 +9,14 @@ module ActionController
   # Wraps the parameters hash into a nested hash. This will allow clients to
   # submit requests without having to specify any root elements.
   #
-  # This functionality is enabled in +config/initializers/wrap_parameters.rb+
-  # and can be customized.
+  # This functionality is enabled by default for JSON, and can be customized by
+  # setting the format array:
   #
-  # You could also turn it on per controller by setting the format array to
-  # a non-empty array:
+  #     class ApplicationController < ActionController::Base
+  #       wrap_parameters format: [:json, :xml]
+  #     end
+  #
+  # You could also turn it on per controller:
   #
   #     class UsersController < ApplicationController
   #       wrap_parameters format: [:json, :xml, :url_encoded_form, :multipart_form]
@@ -68,6 +71,12 @@ module ActionController
   # will try to check if <tt>Admin::User</tt> or +User+ model exists, and use it to
   # determine the wrapper key respectively. If both models don't exist,
   # it will then fallback to use +user+ as the key.
+  #
+  # To disable this functionality for a controller:
+  #
+  #     class UsersController < ApplicationController
+  #       wrap_parameters false
+  #     end
   module ParamsWrapper
     extend ActiveSupport::Concern
 
@@ -242,14 +251,14 @@ module ActionController
       end
     end
 
-    # Performs parameters wrapping upon the request. Called automatically
-    # by the metal call stack.
-    def process_action(*)
-      _perform_parameter_wrapping if _wrapper_enabled?
-      super
-    end
-
     private
+      # Performs parameters wrapping upon the request. Called automatically
+      # by the metal call stack.
+      def process_action(*)
+        _perform_parameter_wrapping if _wrapper_enabled?
+        super
+      end
+
       # Returns the wrapper key which will be used to store wrapped parameters.
       def _wrapper_key
         _wrapper_options.name

data/lib/action_controller/metal/permissions_policy.rb

@@ -1,37 +1,28 @@
 # frozen_string_literal: true
 
-module ActionController #:nodoc:
-  # HTTP Permissions Policy is a web standard for defining a mechanism to
-  # allow and deny the use of browser permissions in its own context, and
-  # in content within any <iframe> elements in the document.
-  #
-  # Full details of HTTP Permissions Policy specification and guidelines can
-  # be found at MDN:
-  #
-  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
-  #
-  # Examples of usage:
-  #
-  #   # Global policy
-  #   Rails.application.config.permissions_policy do |f|
-  #     f.camera      :none
-  #     f.gyroscope   :none
-  #     f.microphone  :none
-  #     f.usb         :none
-  #     f.fullscreen  :self
-  #     f.payment     :self, "https://secure.example.com"
-  #   end
-  #
-  #   # Controller level policy
-  #   class PagesController < ApplicationController
-  #     permissions_policy do |p|
-  #       p.geolocation "https://example.com"
-  #     end
-  #   end
+module ActionController # :nodoc:
   module PermissionsPolicy
     extend ActiveSupport::Concern
 
     module ClassMethods
+      # Overrides parts of the globally configured Feature-Policy
+      # header:
+      #
+      #   class PagesController < ApplicationController
+      #     permissions_policy do |policy|
+      #       policy.geolocation "https://example.com"
+      #     end
+      #   end
+      #
+      # Options can be passed similar to +before_action+. For example, pass
+      # <tt>only: :index</tt> to override the header on the index action only:
+      #
+      #   class PagesController < ApplicationController
+      #     permissions_policy(only: :index) do |policy|
+      #       policy.camera :self
+      #     end
+      #   end
+      #
       def permissions_policy(**options, &block)
         before_action(options) do
           if block_given?

data/lib/action_controller/metal/redirecting.rb

@@ -7,6 +7,12 @@ module ActionController
     include AbstractController::Logger
     include ActionController::UrlFor
 
+    class UnsafeRedirectError < StandardError; end
+
+    included do
+      mattr_accessor :raise_on_open_redirects, default: false
+    end
+
     # Redirects the browser to the target specified in +options+. This parameter can be any one of:
     #
     # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
@@ -54,16 +60,42 @@ module ActionController
     #
     # Statements after +redirect_to+ in our controller get executed, so +redirect_to+ doesn't stop the execution of the function.
     # To terminate the execution of the function immediately after the +redirect_to+, use return.
+    #
     #   redirect_to post_url(@post) and return
+    #
+    # === Open Redirect protection
+    #
+    # By default, Rails protects against redirecting to external hosts for your app's safety, so called open redirects.
+    # Note: this was a new default in Rails 7.0, after upgrading opt-in by uncommenting the line with +raise_on_open_redirects+ in <tt>config/initializers/new_framework_defaults_7_0.rb</tt>
+    #
+    # Here #redirect_to automatically validates the potentially-unsafe URL:
+    #
+    #   redirect_to params[:redirect_url]
+    #
+    # Raises UnsafeRedirectError in the case of an unsafe redirect.
+    #
+    # To allow any external redirects pass <tt>allow_other_host: true</tt>, though using a user-provided param in that case is unsafe.
+    #
+    #   redirect_to "https://rubyonrails.org", allow_other_host: true
+    #
+    # See #url_from for more information on what an internal and safe URL is, or how to fall back to an alternate redirect URL in the unsafe case.
     def redirect_to(options = {}, response_options = {})
       raise ActionControllerError.new("Cannot redirect to nil!") unless options
       raise AbstractController::DoubleRenderError if response_body
 
+      allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host }
+
       self.status        = _extract_redirect_to_status(options, response_options)
-      self.location      = _compute_redirect_to_location(request, options)
+      self.location      = _enforce_open_redirect_protection(_compute_redirect_to_location(request, options), allow_other_host: allow_other_host)
       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
     end
 
+    # Soft deprecated alias for #redirect_back_or_to where the +fallback_location+ location is supplied as a keyword argument instead
+    # of the first positional argument.
+    def redirect_back(fallback_location:, allow_other_host: _allow_other_host, **args)
+      redirect_back_or_to fallback_location, allow_other_host: allow_other_host, **args
+    end
+
     # Redirects the browser to the page that issued the request (the referrer)
     # if possible, otherwise redirects to the provided default fallback
     # location.
@@ -73,35 +105,37 @@ module ActionController
     # subject to browser security settings and user preferences. If the request
     # is missing this header, the <tt>fallback_location</tt> will be used.
     #
-    #   redirect_back fallback_location: { action: "show", id: 5 }
-    #   redirect_back fallback_location: @post
-    #   redirect_back fallback_location: "http://www.rubyonrails.org"
-    #   redirect_back fallback_location: "/images/screenshot.jpg"
-    #   redirect_back fallback_location: posts_url
-    #   redirect_back fallback_location: proc { edit_post_url(@post) }
-    #   redirect_back fallback_location: '/', allow_other_host: false
+    #   redirect_back_or_to({ action: "show", id: 5 })
+    #   redirect_back_or_to @post
+    #   redirect_back_or_to "http://www.rubyonrails.org"
+    #   redirect_back_or_to "/images/screenshot.jpg"
+    #   redirect_back_or_to posts_url
+    #   redirect_back_or_to proc { edit_post_url(@post) }
+    #   redirect_back_or_to '/', allow_other_host: false
     #
     # ==== Options
-    # * <tt>:fallback_location</tt> - The default fallback location that will be used on missing +Referer+ header.
     # * <tt>:allow_other_host</tt> - Allow or disallow redirection to the host that is different to the current host, defaults to true.
     #
     # All other options that can be passed to #redirect_to are accepted as
-    # options and the behavior is identical.
-    def redirect_back(fallback_location:, allow_other_host: true, **args)
-      referer = request.headers["Referer"]
-      redirect_to_referer = referer && (allow_other_host || _url_host_allowed?(referer))
-      redirect_to redirect_to_referer ? referer : fallback_location, **args
+    # options, and the behavior is identical.
+    def redirect_back_or_to(fallback_location, allow_other_host: _allow_other_host, **options)
+      if request.referer && (allow_other_host || _url_host_allowed?(request.referer))
+        redirect_to request.referer, allow_other_host: allow_other_host, **options
+      else
+        # The method level `allow_other_host` doesn't apply in the fallback case, omit and let the `redirect_to` handling take over.
+        redirect_to fallback_location, **options
+      end
     end
 
-    def _compute_redirect_to_location(request, options) #:nodoc:
+    def _compute_redirect_to_location(request, options) # :nodoc:
       case options
       # The scheme name consist of a letter followed by any combination of
       # letters, digits, and the plus ("+"), period ("."), or hyphen ("-")
       # characters; and is terminated by a colon (":").
       # See https://tools.ietf.org/html/rfc3986#section-3.1
       # The protocol relative scheme starts with a double slash "//".
-      when /\A([a-z][a-z\d\-+\.]*:|\/\/).*/i
-        options
+      when /\A([a-z][a-z\d\-+.]*:|\/\/).*/i
+        options.to_str
       when String
         request.protocol + request.host_with_port + options
       when Proc
@@ -113,7 +147,35 @@ module ActionController
     module_function :_compute_redirect_to_location
     public :_compute_redirect_to_location
 
+    # Verifies the passed +location+ is an internal URL that's safe to redirect to and returns it, or nil if not.
+    # Useful to wrap a params provided redirect URL and fallback to an alternate URL to redirect to:
+    #
+    #   redirect_to url_from(params[:redirect_url]) || root_url
+    #
+    # The +location+ is considered internal, and safe, if it's on the same host as <tt>request.host</tt>:
+    #
+    #   # If request.host is example.com:
+    #   url_from("https://example.com/profile") # => "https://example.com/profile"
+    #   url_from("http://example.com/profile")  # => "http://example.com/profile"
+    #   url_from("http://evil.com/profile")     # => nil
+    #
+    # Subdomains are considered part of the host:
+    #
+    #   # If request.host is on https://example.com or https://app.example.com, you'd get:
+    #   url_from("https://dev.example.com/profile") # => nil
+    #
+    # NOTE: there's a similarity with {url_for}[rdoc-ref:ActionDispatch::Routing::UrlFor#url_for], which generates an internal URL from various options from within the app, e.g. <tt>url_for(@post)</tt>.
+    # However, #url_from is meant to take an external parameter to verify as in <tt>url_from(params[:redirect_url])</tt>.
+    def url_from(location)
+      location = location.presence
+      location if location && _url_host_allowed?(location)
+    end
+
     private
+      def _allow_other_host
+        !raise_on_open_redirects
+      end
+
       def _extract_redirect_to_status(options, response_options)
         if options.is_a?(Hash) && options.key?(:status)
           Rack::Utils.status_code(options.delete(:status))
@@ -124,8 +186,21 @@ module ActionController
         end
       end
 
+      def _enforce_open_redirect_protection(location, allow_other_host:)
+        if allow_other_host || _url_host_allowed?(location)
+          location
+        else
+          raise UnsafeRedirectError, "Unsafe redirect to #{location.truncate(100).inspect}, pass allow_other_host: true to redirect anyway."
+        end
+      end
+
       def _url_host_allowed?(url)
-        URI(url.to_s).host == request.host
+        host = URI(url.to_s).host
+
+        return true if host == request.host
+        return false unless host.nil?
+        return false unless url.to_s.start_with?("/")
+        return !url.to_s.start_with?("//")
       rescue ArgumentError, URI::Error
         false
       end

data/lib/action_controller/metal/renderers.rb

@@ -31,8 +31,7 @@ module ActionController
       class_attribute :_renderers, default: Set.new.freeze
     end
 
-    # Used in <tt>ActionController::Base</tt>
-    # and <tt>ActionController::API</tt> to include all
+    # Used in ActionController::Base and ActionController::API to include all
     # renderers by default.
     module All
       extend ActiveSupport::Concern
@@ -45,7 +44,7 @@ module ActionController
 
     # Adds a new renderer to call within controller actions.
     # A renderer is invoked by passing its name as an option to
-    # <tt>AbstractController::Rendering#render</tt>. To create a renderer
+    # AbstractController::Rendering#render. To create a renderer
     # pass it a name and a block. The block takes two arguments, the first
     # is the value paired with its key and the second is the remaining
     # hash of options passed to +render+.
@@ -96,18 +95,18 @@ module ActionController
       # Adds, by name, a renderer or renderers to the +_renderers+ available
       # to call within controller actions.
       #
-      # It is useful when rendering from an <tt>ActionController::Metal</tt> controller or
+      # It is useful when rendering from an ActionController::Metal controller or
       # otherwise to add an available renderer proc to a specific controller.
       #
-      # Both <tt>ActionController::Base</tt> and <tt>ActionController::API</tt>
-      # include <tt>ActionController::Renderers::All</tt>, making all renderers
+      # Both ActionController::Base and ActionController::API
+      # include ActionController::Renderers::All, making all renderers
       # available in the controller. See <tt>Renderers::RENDERERS</tt> and <tt>Renderers.add</tt>.
       #
-      # Since <tt>ActionController::Metal</tt> controllers cannot render, the controller
-      # must include <tt>AbstractController::Rendering</tt>, <tt>ActionController::Rendering</tt>,
-      # and <tt>ActionController::Renderers</tt>, and have at least one renderer.
+      # Since ActionController::Metal controllers cannot render, the controller
+      # must include AbstractController::Rendering, ActionController::Rendering,
+      # and ActionController::Renderers, and have at least one renderer.
       #
-      # Rather than including <tt>ActionController::Renderers::All</tt> and including all renderers,
+      # Rather than including ActionController::Renderers::All and including all renderers,
       # you may specify which renderers to include by passing the renderer name or names to
       # +use_renderers+. For example, a controller that includes only the <tt>:json</tt> renderer
       # (+_render_with_renderer_json+) might look like:
@@ -133,7 +132,7 @@ module ActionController
       alias use_renderer use_renderers
     end
 
-    # Called by +render+ in <tt>AbstractController::Rendering</tt>
+    # Called by +render+ in AbstractController::Rendering
     # which sets the return value as the +response_body+.
     #
     # If no renderer is found, +super+ returns control to

data/lib/action_controller/metal/rendering.rb

@@ -24,19 +24,13 @@ module ActionController
       end
     end
 
-    # Before processing, set the request formats in current controller formats.
-    def process_action(*) #:nodoc:
-      self.formats = request.formats.map(&:ref).compact
-      super
-    end
-
     # Check for double render errors and set the content_type after rendering.
-    def render(*args) #:nodoc:
+    def render(*args) # :nodoc:
       raise ::AbstractController::DoubleRenderError if response_body
       super
     end
 
-    # Overwrite render_to_string because body can now be set to a Rack body.
+    # Override render_to_string because body can now be set to a Rack body.
     def render_to_string(*)
       result = super
       if result.respond_to?(:each)
@@ -53,6 +47,12 @@ module ActionController
     end
 
     private
+      # Before processing, set the request formats in current controller formats.
+      def process_action(*) # :nodoc:
+        self.formats = request.formats.filter_map(&:ref)
+        super
+      end
+
       def _process_variant(options)
         if defined?(request) && !request.nil? && request.variant.present?
           options[:variant] = request.variant

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -4,11 +4,11 @@ require "rack/session/abstract/id"
 require "action_controller/metal/exceptions"
 require "active_support/security_utils"
 
-module ActionController #:nodoc:
-  class InvalidAuthenticityToken < ActionControllerError #:nodoc:
+module ActionController # :nodoc:
+  class InvalidAuthenticityToken < ActionControllerError # :nodoc:
   end
 
-  class InvalidCrossOriginRequest < ActionControllerError #:nodoc:
+  class InvalidCrossOriginRequest < ActionControllerError # :nodoc:
   end
 
   # Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks
@@ -32,7 +32,7 @@ module ActionController #:nodoc:
   # response may be extracted. To prevent this, only XmlHttpRequest (known as XHR or
   # Ajax) requests are allowed to make requests for JavaScript responses.
   #
-  # Subclasses of <tt>ActionController::Base</tt> are protected by default with the
+  # Subclasses of ActionController::Base are protected by default with the
   # <tt>:exception</tt> strategy, which raises an
   # <tt>ActionController::InvalidAuthenticityToken</tt> error on unverified requests.
   #
@@ -92,7 +92,16 @@ module ActionController #:nodoc:
 
       # Controls whether URL-safe CSRF tokens are generated.
       config_accessor :urlsafe_csrf_tokens, instance_writer: false
-      self.urlsafe_csrf_tokens = false
+      self.urlsafe_csrf_tokens = true
+
+      singleton_class.redefine_method(:urlsafe_csrf_tokens=) do |urlsafe_csrf_tokens|
+        if urlsafe_csrf_tokens
+          ActiveSupport::Deprecation.warn("URL-safe CSRF tokens are now the default. Use 6.1 defaults or above.")
+        else
+          ActiveSupport::Deprecation.warn("Non-URL-safe CSRF tokens are deprecated. Use 6.1 defaults or above.")
+        end
+        config.urlsafe_csrf_tokens = urlsafe_csrf_tokens
+      end
 
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?
@@ -115,8 +124,8 @@ module ActionController #:nodoc:
       #
       # Valid Options:
       #
-      # * <tt>:only/:except</tt> - Only apply forgery protection to a subset of actions. For example <tt>only: [ :create, :create_all ]</tt>.
-      # * <tt>:if/:unless</tt> - Turn off the forgery protection entirely depending on the passed Proc or method reference.
+      # * <tt>:only</tt> / <tt>:except</tt> - Only apply forgery protection to a subset of actions. For example <tt>only: [ :create, :create_all ]</tt>.
+      # * <tt>:if</tt> / <tt>:unless</tt> - Turn off the forgery protection entirely depending on the passed Proc or method reference.
       # * <tt>:prepend</tt> - By default, the verification of the authentication token will be added at the position of the
       #   protect_from_forgery call in your application. This means any callbacks added before are run first. This is useful
       #   when you want your forgery protection to depend on other callbacks, like authentication methods (Oauth vs Cookie auth).
@@ -124,10 +133,26 @@ module ActionController #:nodoc:
       #   If you need to add verification to the beginning of the callback chain, use <tt>prepend: true</tt>.
       # * <tt>:with</tt> - Set the method to handle unverified request.
       #
-      # Valid unverified request handling methods are:
+      # Built-in unverified request handling methods are:
       # * <tt>:exception</tt> - Raises ActionController::InvalidAuthenticityToken exception.
       # * <tt>:reset_session</tt> - Resets the session.
       # * <tt>:null_session</tt> - Provides an empty session during request but doesn't reset it completely. Used as default if <tt>:with</tt> option is not specified.
+      #
+      # You can also implement custom strategy classes for unverified request handling:
+      #
+      #    class CustomStrategy
+      #      def initialize(controller)
+      #        @controller = controller
+      #      end
+      #
+      #      def handle_unverified_request
+      #        # Custom behaviour for unverfied request
+      #      end
+      #    end
+      #
+      #    class ApplicationController < ActionController:x:Base
+      #      protect_from_forgery with: CustomStrategy
+      #    end
       def protect_from_forgery(options = {})
         options = options.reverse_merge(prepend: false)
 
@@ -143,14 +168,23 @@ module ActionController #:nodoc:
       #
       # See +skip_before_action+ for allowed options.
       def skip_forgery_protection(options = {})
-        skip_before_action :verify_authenticity_token, options
+        skip_before_action :verify_authenticity_token, options.reverse_merge(raise: false)
       end
 
       private
         def protection_method_class(name)
-          ActionController::RequestForgeryProtection::ProtectionMethods.const_get(name.to_s.classify)
-        rescue NameError
-          raise ArgumentError, "Invalid request forgery protection method, use :null_session, :exception, or :reset_session"
+          case name
+          when :null_session
+            ProtectionMethods::NullSession
+          when :reset_session
+            ProtectionMethods::ResetSession
+          when :exception
+            ProtectionMethods::Exception
+          when Class
+            name
+          else
+            raise ArgumentError, "Invalid request forgery protection method, use :null_session, :exception, :reset_session, or a custom forgery protection class."
+          end
         end
     end
 
@@ -170,7 +204,7 @@ module ActionController #:nodoc:
         end
 
         private
-          class NullSessionHash < Rack::Session::Abstract::SessionHash #:nodoc:
+          class NullSessionHash < Rack::Session::Abstract::SessionHash # :nodoc:
             def initialize(req)
               super(nil, req)
               @data = {}
@@ -183,9 +217,13 @@ module ActionController #:nodoc:
             def exists?
               true
             end
+
+            def enabled?
+              false
+            end
           end
 
-          class NullCookieJar < ActionDispatch::Cookies::CookieJar #:nodoc:
+          class NullCookieJar < ActionDispatch::Cookies::CookieJar # :nodoc:
             def write(*)
               # nothing
             end
@@ -203,12 +241,14 @@ module ActionController #:nodoc:
       end
 
       class Exception
+        attr_accessor :warning_message
+
         def initialize(controller)
           @controller = controller
         end
 
         def handle_unverified_request
-          raise ActionController::InvalidAuthenticityToken
+          raise ActionController::InvalidAuthenticityToken, warning_message
         end
       end
     end
@@ -228,22 +268,31 @@ module ActionController #:nodoc:
         mark_for_same_origin_verification!
 
         if !verified_request?
-          if logger && log_warning_on_csrf_failure
-            if valid_request_origin?
-              logger.warn "Can't verify CSRF token authenticity."
-            else
-              logger.warn "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"
-            end
-          end
+          logger.warn unverified_request_warning_message if logger && log_warning_on_csrf_failure
+
           handle_unverified_request
         end
       end
 
       def handle_unverified_request # :doc:
-        forgery_protection_strategy.new(self).handle_unverified_request
+        protection_strategy = forgery_protection_strategy.new(self)
+
+        if protection_strategy.respond_to?(:warning_message)
+          protection_strategy.warning_message = unverified_request_warning_message
+        end
+
+        protection_strategy.handle_unverified_request
+      end
+
+      def unverified_request_warning_message # :nodoc:
+        if valid_request_origin?
+          "Can't verify CSRF token authenticity."
+        else
+          "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"
+        end
       end
 
-      #:nodoc:
+      # :nodoc:
       CROSS_ORIGIN_JAVASCRIPT_WARNING = "Security warning: an embedded " \
         "<script> tag on another site requested protected JavaScript. " \
         "If you know what you're doing, go ahead and disable forgery " \
@@ -303,15 +352,15 @@ module ActionController #:nodoc:
         [form_authenticity_param, request.x_csrf_token]
       end
 
-      # Sets the token value for the current session.
-      def form_authenticity_token(form_options: {})
+      # Creates the authenticity token for the current request.
+      def form_authenticity_token(form_options: {}) # :doc:
         masked_authenticity_token(session, form_options: form_options)
       end
 
       # Creates a masked version of the authenticity token that varies
       # on each request. The masking is used to mitigate SSL attacks
       # like BREACH.
-      def masked_authenticity_token(session, form_options: {}) # :doc:
+      def masked_authenticity_token(session, form_options: {})
         action, method = form_options.values_at(:action, :method)
 
         raw_token = if per_form_csrf_tokens && action && method
@@ -438,7 +487,7 @@ module ActionController #:nodoc:
 
       # Checks if the controller allows forgery protection.
       def protect_against_forgery? # :doc:
-        allow_forgery_protection
+        allow_forgery_protection && (!session.respond_to?(:enabled?) || session.enabled?)
       end
 
       NULL_ORIGIN_MESSAGE = <<~MSG
@@ -469,7 +518,7 @@ module ActionController #:nodoc:
 
       def generate_csrf_token # :nodoc:
         if urlsafe_csrf_tokens
-          SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding: false)
+          SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH)
         else
           SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
         end

data/lib/action_controller/metal/rescue.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   # This module is responsible for providing +rescue_from+ helpers
   # to controllers and configuring when detailed exceptions must be
   # shown.

data/lib/action_controller/metal/streaming.rb

@@ -2,7 +2,7 @@
 
 require "rack/chunked"
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   # Allows views to be streamed back to the client as they are rendered.
   #
   # By default, Rails renders views by first rendering the template
@@ -24,7 +24,7 @@ module ActionController #:nodoc:
   # Ruby implementation).
   #
   # Streaming can be added to a given template easily, all you need to do is
-  # to pass the :stream option.
+  # to pass the +:stream+ option.
   #
   #   class PostsController
   #     def index
@@ -59,8 +59,8 @@ module ActionController #:nodoc:
   #     render stream: true
   #   end
   #
-  # Notice that :stream only works with templates. Rendering :json
-  # or :xml with :stream won't work.
+  # Notice that +:stream+ only works with templates. Rendering +:json+
+  # or +:xml+ with +:stream+ won't work.
   #
   # == Communication between layout and template
   #
@@ -72,7 +72,7 @@ module ActionController #:nodoc:
   # variables set in the template to be used in the layout, they won't
   # work once you move to streaming. The proper way to communicate
   # between layout and template, regardless of whether you use streaming
-  # or not, is by using +content_for+, +provide+ and +yield+.
+  # or not, is by using +content_for+, +provide+, and +yield+.
   #
   # Take a simple example where the layout expects the template to tell
   # which title to use:
@@ -132,7 +132,7 @@ module ActionController #:nodoc:
   # That said, when streaming, you need to properly check your templates
   # and choose when to use +provide+ and +content_for+.
   #
-  # == Headers, cookies, session and flash
+  # == Headers, cookies, session, and flash
   #
   # When streaming, the HTTP headers are sent to the client right before
   # it renders the first line. This means that, modifying headers, cookies,
@@ -193,8 +193,6 @@ module ActionController #:nodoc:
   # To be described.
   #
   module Streaming
-    extend ActiveSupport::Concern
-
     private
       # Set proper cache control and transfer encoding when streaming
       def _process_options(options)