actionpack 7.0.4.2 → 7.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2c22bab78116ba16eb5b0040050758d1cdfdecb10e9f7d174116e8174c9f988f
-  data.tar.gz: 826c0844d869f71fd1e04b0295898ebe011a43085131224f1d12991fb8b3cbd0
+  metadata.gz: 53861f74b1eb42d6f13153c1cd5956f16e3eaa2277a18caff284b95e7f8ebde2
+  data.tar.gz: 1605a5742f7ea7e147e3771f2af1a8eb122d8debd0a263eda224d299f3dd31af
 SHA512:
-  metadata.gz: 109a5ec54e9e254d8db491ce49027ced3eb8ab8f35ee41823cef7ce661067eceedc795f371871765c687ce96c1f452513319ad7363d349b3bedcf8837f71c692
-  data.tar.gz: 334ce823a8637370f5b6cf6baec372eebd97b6e573294f0d7229bf032a81a55079e63fb11cbd3c536b96c74801d2c291ef2e16ca8a13bef6d43585bfe55dc7bf
+  metadata.gz: 1e20f00481154c15e9ac839df3c4d370734f18297b0dbfc2d6c111abe7dd55adefd1f5fbce2ca6ea698b23fbb0100463df862e26e9bfdc033a6bd87c0ac7e58a
+  data.tar.gz: d0b75b79e9021ffea2dc7debcbd3381d8b20ad2eed1460d64b026ceeb89cf639748ff9f52d8140875f8ee88a3403e015b02f45d16f21ad2dc221f62ef1fe6c70

data/CHANGELOG.md

@@ -1,3 +1,52 @@
+## Rails 7.0.5 (May 24, 2023) ##
+
+*   Do not return CSP headers for 304 Not Modified responses.
+
+    *Tobias Kraze*
+
+*   Fix `EtagWithFlash` when there is no `Flash` middleware available.
+
+    *fatkodima*
+
+*   Fix content-type header with `send_stream`.
+
+    *Elliot Crosby-McCullough*
+
+*   Address Selenium `:capabilities` deprecation warning.
+
+    *Ron Shinall*
+
+*   Fix cookie domain for domain: all on two letter single level TLD.
+
+    *John Hawthorn*
+
+*   Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
+
+    Previously if you set `config.active_record.query_log_tags` to an array that included
+    `:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
+    This bug has been fixed.
+
+    *Alex Ghiculescu*
+
+*   Rescue `EOFError` exception from `rack` on a multipart request.
+
+    *Nikita Vasilevsky*
+
+*   Rescue `JSON::ParserError` in Cookies json deserializer to discards marshal dumps:
+
+    Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and
+    the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't
+    clear the cookie and force app users to manually clear it in their browser.
+
+    (See #45127 for original bug discussion)
+
+    *Nathan Bardoux*
+
+## Rails 7.0.4.3 (March 13, 2023) ##
+
+*   No changes.
+
+
 ## Rails 7.0.4.2 (January 24, 2023) ##
 
 *   Fix `domain: :all` for two letter TLD
@@ -24,7 +73,6 @@
 
     [CVE-2023-22792]
 
-
 ## Rails 7.0.4 (September 09, 2022) ##
 
 *   Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.

data/lib/abstract_controller/helpers.rb

@@ -61,13 +61,14 @@ module AbstractController
       #   class ApplicationController < ActionController::Base
       #     helper_method :current_user, :logged_in?
       #
-      #     def current_user
-      #       @current_user ||= User.find_by(id: session[:user])
-      #     end
-      #
-      #     def logged_in?
-      #       current_user != nil
-      #     end
+      #     private
+      #       def current_user
+      #         @current_user ||= User.find_by(id: session[:user])
+      #       end
+      #
+      #       def logged_in?
+      #         current_user != nil
+      #       end
       #   end
       #
       # In a view:

data/lib/abstract_controller/rendering.rb

@@ -18,8 +18,10 @@ module AbstractController
     extend ActiveSupport::Concern
     include ActionView::ViewPaths
 
-    # Normalizes arguments, options and then delegates render_to_body and
+    # Normalizes arguments and options, and then delegates to render_to_body and
     # sticks the result in <tt>self.response_body</tt>.
+    #
+    # Supported options depend on the underlying +render_to_body+ implementation.
     def render(*args, &block)
       options = _normalize_render(*args, &block)
       rendered_body = render_to_body(options)
@@ -32,16 +34,12 @@ module AbstractController
       self.response_body = rendered_body
     end
 
-    # Raw rendering of a template to a string.
-    #
-    # It is similar to render, except that it does not
-    # set the +response_body+ and it should be guaranteed
-    # to always return a string.
+    # Similar to #render, but only returns the rendered template as a string,
+    # instead of setting +self.response_body+.
     #
-    # If a component extends the semantics of +response_body+
-    # (as ActionController extends it to be anything that
-    # responds to the method each), this method needs to be
-    # overridden in order to still return a string.
+    # If a component extends the semantics of +response_body+ (as ActionController
+    # extends it to be anything that responds to the method each), this method
+    # needs to be overridden in order to still return a string.
     def render_to_string(*args, &block)
       options = _normalize_render(*args, &block)
       render_to_body(options)
@@ -51,7 +49,7 @@ module AbstractController
     def render_to_body(options = {})
     end
 
-    # Returns Content-Type of rendered content.
+    # Returns +Content-Type+ of rendered content.
     def rendered_format
       Mime[:text]
     end

data/lib/action_controller/api.rb

@@ -40,7 +40,7 @@ module ActionController
   # can use <tt>render :json</tt> and siblings freely in your controllers. Keep
   # in mind that templates are not going to be rendered, so you need to ensure
   # your controller is calling either <tt>render</tt> or <tt>redirect_to</tt> in
-  # all actions, otherwise it will return 204 No Content.
+  # all actions, otherwise it will return <tt>204 No Content</tt>.
   #
   #   def show
   #     post = Post.find(params[:id])

data/lib/action_controller/metal/basic_implicit_render.rb

@@ -3,7 +3,9 @@
 module ActionController
   module BasicImplicitRender # :nodoc:
     def send_action(method, *args)
-      super.tap { default_render unless performed? }
+      ret = super
+      default_render unless performed?
+      ret
     end
 
     def default_render

data/lib/action_controller/metal/conditional_get.rb

@@ -33,86 +33,97 @@ module ActionController
       end
     end
 
-    # Sets the +etag+, +last_modified+, or both on the response and renders a
+    # Sets the +etag+, +last_modified+, or both on the response, and renders a
     # <tt>304 Not Modified</tt> response if the request is already fresh.
     #
-    # === Parameters:
-    #
-    # * <tt>:etag</tt> Sets a "weak" ETag validator on the response. See the
-    #   +:weak_etag+ option.
-    # * <tt>:weak_etag</tt> Sets a "weak" ETag validator on the response.
-    #   Requests that set If-None-Match header may return a 304 Not Modified
-    #   response if it matches the ETag exactly. A weak ETag indicates semantic
-    #   equivalence, not byte-for-byte equality, so they're good for caching
-    #   HTML pages in browser caches. They can't be used for responses that
-    #   must be byte-identical, like serving Range requests within a PDF file.
-    # * <tt>:strong_etag</tt> Sets a "strong" ETag validator on the response.
-    #   Requests that set If-None-Match header may return a 304 Not Modified
-    #   response if it matches the ETag exactly. A strong ETag implies exact
-    #   equality: the response must match byte for byte. This is necessary for
-    #   doing Range requests within a large video or PDF file, for example, or
-    #   for compatibility with some CDNs that don't support weak ETags.
-    # * <tt>:last_modified</tt> Sets a "weak" last-update validator on the
-    #   response. Subsequent requests that set If-Modified-Since may return a
-    #   304 Not Modified response if last_modified <= If-Modified-Since.
-    # * <tt>:public</tt> By default the Cache-Control header is private, set this to
-    #   +true+ if you want your application to be cacheable by other devices (proxy caches).
-    # * <tt>:cache_control</tt> When given will overwrite an existing Cache-Control header.
-    #   See https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
-    # * <tt>:template</tt> By default, the template digest for the current
-    #   controller/action is included in ETags. If the action renders a
-    #   different template, you can include its digest instead. If the action
-    #   doesn't render a template at all, you can pass <tt>template: false</tt>
-    #   to skip any attempt to check for a template digest.
-    #
-    # === Example:
+    # ==== Options
+    #
+    # [+:etag+]
+    #   Sets a "weak" ETag validator on the response. See the +:weak_etag+ option.
+    # [+:weak_etag+]
+    #   Sets a "weak" ETag validator on the response. Requests that specify an
+    #   +If-None-Match+ header may receive a <tt>304 Not Modified</tt> response
+    #   if the ETag matches exactly.
+    #
+    #   A weak ETag indicates semantic equivalence, not byte-for-byte equality,
+    #   so they're good for caching HTML pages in browser caches. They can't be
+    #   used for responses that must be byte-identical, like serving +Range+
+    #   requests within a PDF file.
+    # [+:strong_etag+]
+    #   Sets a "strong" ETag validator on the response. Requests that specify an
+    #   +If-None-Match+ header may receive a <tt>304 Not Modified</tt> response
+    #   if the ETag matches exactly.
+    #
+    #   A strong ETag implies exact equality -- the response must match byte for
+    #   byte. This is necessary for serving +Range+ requests within a large
+    #   video or PDF file, for example, or for compatibility with some CDNs that
+    #   don't support weak ETags.
+    # [+:last_modified+]
+    #   Sets a "weak" last-update validator on the response. Subsequent requests
+    #   that specify an +If-Modified-Since+ header may receive a <tt>304 Not Modified</tt>
+    #   response if +last_modified+ <= +If-Modified-Since+.
+    # [+:public+]
+    #   By default the +Cache-Control+ header is private. Set this option to
+    #   +true+ if you want your application to be cacheable by other devices,
+    #   such as proxy caches.
+    # [+:cache_control+]
+    #   When given, will overwrite an existing +Cache-Control+ header. For a
+    #   list of +Cache-Control+ directives, see the {article on
+    #   MDN}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control].
+    # [+:template+]
+    #   By default, the template digest for the current controller/action is
+    #   included in ETags. If the action renders a different template, you can
+    #   include its digest instead. If the action doesn't render a template at
+    #   all, you can pass <tt>template: false</tt> to skip any attempt to check
+    #   for a template digest.
+    #
+    # ==== Examples
     #
     #   def show
     #     @article = Article.find(params[:id])
     #     fresh_when(etag: @article, last_modified: @article.updated_at, public: true)
     #   end
     #
-    # This will render the show template if the request isn't sending a matching ETag or
-    # If-Modified-Since header and just a <tt>304 Not Modified</tt> response if there's a match.
+    # This will send a <tt>304 Not Modified</tt> response if the request
+    # specifies a matching ETag and +If-Modified-Since+ header. Otherwise, it
+    # will render the +show+ template.
     #
-    # You can also just pass a record. In this case +last_modified+ will be set
-    # by calling +updated_at+ and +etag+ by passing the object itself.
+    # You can also just pass a record:
     #
     #   def show
     #     @article = Article.find(params[:id])
     #     fresh_when(@article)
     #   end
     #
+    # +etag+ will be set to the record, and +last_modified+ will be set to the
+    # record's +updated_at+.
+    #
     # You can also pass an object that responds to +maximum+, such as a
-    # collection of active records. In this case +last_modified+ will be set by
-    # calling <tt>maximum(:updated_at)</tt> on the collection (the timestamp of the
-    # most recently updated record) and the +etag+ by passing the object itself.
+    # collection of records:
     #
     #   def index
     #     @articles = Article.all
     #     fresh_when(@articles)
     #   end
     #
-    # When passing a record or a collection, you can still set the public header:
-    #
-    #   def show
-    #     @article = Article.find(params[:id])
-    #     fresh_when(@article, public: true)
-    #   end
+    # In this case, +etag+ will be set to the collection, and +last_modified+
+    # will be set to <tt>maximum(:updated_at)</tt> (the timestamp of the most
+    # recently updated record).
     #
-    # When overwriting Cache-Control header:
+    # When passing a record or a collection, you can still specify other
+    # options, such as +:public+ and +:cache_control+:
     #
     #   def show
     #     @article = Article.find(params[:id])
     #     fresh_when(@article, public: true, cache_control: { no_cache: true })
     #   end
     #
-    # This will set in the response Cache-Control = public, no-cache.
+    # The above will set <tt>Cache-Control: public, no-cache</tt> in the response.
     #
-    # When rendering a different template than the default controller/action
-    # style, you can indicate which digest to include in the ETag:
+    # When rendering a different template than the controller/action's default
+    # template, you can indicate which digest to include in the ETag:
     #
-    #   before_action { fresh_when @article, template: 'widgets/show' }
+    #   before_action { fresh_when @article, template: "widgets/show" }
     #
     def fresh_when(object = nil, etag: nil, weak_etag: nil, strong_etag: nil, last_modified: nil, public: false, cache_control: {}, template: nil)
       response.cache_control.delete(:no_store)
@@ -134,41 +145,16 @@ module ActionController
       head :not_modified if request.fresh?(response)
     end
 
-    # Sets the +etag+ and/or +last_modified+ on the response and checks it against
-    # the client request. If the request doesn't match the options provided, the
-    # request is considered stale and should be generated from scratch. Otherwise,
-    # it's fresh and we don't need to generate anything and a reply of <tt>304 Not Modified</tt> is sent.
-    #
-    # === Parameters:
-    #
-    # * <tt>:etag</tt> Sets a "weak" ETag validator on the response. See the
-    #   +:weak_etag+ option.
-    # * <tt>:weak_etag</tt> Sets a "weak" ETag validator on the response.
-    #   Requests that set If-None-Match header may return a 304 Not Modified
-    #   response if it matches the ETag exactly. A weak ETag indicates semantic
-    #   equivalence, not byte-for-byte equality, so they're good for caching
-    #   HTML pages in browser caches. They can't be used for responses that
-    #   must be byte-identical, like serving Range requests within a PDF file.
-    # * <tt>:strong_etag</tt> Sets a "strong" ETag validator on the response.
-    #   Requests that set If-None-Match header may return a 304 Not Modified
-    #   response if it matches the ETag exactly. A strong ETag implies exact
-    #   equality: the response must match byte for byte. This is necessary for
-    #   doing Range requests within a large video or PDF file, for example, or
-    #   for compatibility with some CDNs that don't support weak ETags.
-    # * <tt>:last_modified</tt> Sets a "weak" last-update validator on the
-    #   response. Subsequent requests that set If-Modified-Since may return a
-    #   304 Not Modified response if last_modified <= If-Modified-Since.
-    # * <tt>:public</tt> By default the Cache-Control header is private, set this to
-    #   +true+ if you want your application to be cacheable by other devices (proxy caches).
-    # * <tt>:cache_control</tt> When given will overwrite an existing Cache-Control header.
-    #   See https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
-    # * <tt>:template</tt> By default, the template digest for the current
-    #   controller/action is included in ETags. If the action renders a
-    #   different template, you can include its digest instead. If the action
-    #   doesn't render a template at all, you can pass <tt>template: false</tt>
-    #   to skip any attempt to check for a template digest.
-    #
-    # === Example:
+    # Sets the +etag+ and/or +last_modified+ on the response and checks them
+    # against the request. If the request doesn't match the provided options, it
+    # is considered stale, and the response should be rendered from scratch.
+    # Otherwise, it is fresh, and a <tt>304 Not Modified</tt> is sent.
+    #
+    # ==== Options
+    #
+    # See #fresh_when for supported options.
+    #
+    # ==== Examples
     #
     #   def show
     #     @article = Article.find(params[:id])
@@ -181,8 +167,7 @@ module ActionController
     #     end
     #   end
     #
-    # You can also just pass a record. In this case +last_modified+ will be set
-    # by calling +updated_at+ and +etag+ by passing the object itself.
+    # You can also just pass a record:
     #
     #   def show
     #     @article = Article.find(params[:id])
@@ -195,10 +180,11 @@ module ActionController
     #     end
     #   end
     #
+    # +etag+ will be set to the record, and +last_modified+ will be set to the
+    # record's +updated_at+.
+    #
     # You can also pass an object that responds to +maximum+, such as a
-    # collection of active records. In this case +last_modified+ will be set by
-    # calling <tt>maximum(:updated_at)</tt> on the collection (the timestamp of the
-    # most recently updated record) and the +etag+ by passing the object itself.
+    # collection of records:
     #
     #   def index
     #     @articles = Article.all
@@ -211,20 +197,12 @@ module ActionController
     #     end
     #   end
     #
-    # When passing a record or a collection, you can still set the public header:
-    #
-    #   def show
-    #     @article = Article.find(params[:id])
-    #
-    #     if stale?(@article, public: true)
-    #       @statistics = @article.really_expensive_call
-    #       respond_to do |format|
-    #         # all the supported formats
-    #       end
-    #     end
-    #   end
+    # In this case, +etag+ will be set to the collection, and +last_modified+
+    # will be set to <tt>maximum(:updated_at)</tt> (the timestamp of the most
+    # recently updated record).
     #
-    # When overwriting Cache-Control header:
+    # When passing a record or a collection, you can still specify other
+    # options, such as +:public+ and +:cache_control+:
     #
     #   def show
     #     @article = Article.find(params[:id])
@@ -237,13 +215,13 @@ module ActionController
     #     end
     #   end
     #
-    # This will set in the response Cache-Control = public, no-cache.
+    # The above will set <tt>Cache-Control: public, no-cache</tt> in the response.
     #
-    # When rendering a different template than the default controller/action
-    # style, you can indicate which digest to include in the ETag:
+    # When rendering a different template than the controller/action's default
+    # template, you can indicate which digest to include in the ETag:
     #
     #   def show
-    #     super if stale? @article, template: 'widgets/show'
+    #     super if stale?(@article, template: "widgets/show")
     #   end
     #
     def stale?(object = nil, **freshness_kwargs)
@@ -251,28 +229,48 @@ module ActionController
       !request.fresh?(response)
     end
 
-    # Sets an HTTP 1.1 Cache-Control header. Defaults to issuing a +private+
-    # instruction, so that intermediate caches must not cache the response.
+    # Sets the +Cache-Control+ header, overwriting existing directives. This
+    # method will also ensure an HTTP +Date+ header for client compatibility.
+    #
+    # Defaults to issuing the +private+ directive, so that intermediate caches
+    # must not cache the response.
+    #
+    # ==== Options
+    #
+    # [+:public+]
+    #   If true, replaces the default +private+ directive with the +public+
+    #   directive.
+    # [+:must_revalidate+]
+    #   If true, adds the +must-revalidate+ directive.
+    # [+:stale_while_revalidate+]
+    #   Sets the value of the +stale-while-revalidate+ directive.
+    # [+:stale_if_error+]
+    #   Sets the value of the +stale-if-error+ directive.
+    #
+    # Any additional key-value pairs are concatenated as directives. For a list
+    # of supported +Cache-Control+ directives, see the {article on
+    # MDN}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control].
+    #
+    # ==== Examples
     #
-    #   expires_in 20.minutes
-    #   expires_in 3.hours, public: true
-    #   expires_in 3.hours, public: true, must_revalidate: true
+    #   expires_in 10.minutes
+    #   # => Cache-Control: max-age=600, private
     #
-    # This method will overwrite an existing Cache-Control header.
-    # See https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
+    #   expires_in 10.minutes, public: true
+    #   # => Cache-Control: max-age=600, public
     #
-    # HTTP Cache-Control Extensions for Stale Content. See https://tools.ietf.org/html/rfc5861
-    # It helps to cache an asset and serve it while is being revalidated and/or returning with an error.
+    #   expires_in 10.minutes, public: true, must_revalidate: true
+    #   # => Cache-Control: max-age=600, public, must-revalidate
     #
-    #   expires_in 3.hours, public: true, stale_while_revalidate: 60.seconds
-    #   expires_in 3.hours, public: true, stale_while_revalidate: 60.seconds, stale_if_error: 5.minutes
+    #   expires_in 1.hour, stale_while_revalidate: 60.seconds
+    #   # => Cache-Control: max-age=3600, private, stale-while-revalidate=60
     #
-    # HTTP Cache-Control Extensions other values: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
-    # Any additional key-value pairs are concatenated onto the Cache-Control header in the response:
+    #   expires_in 1.hour, stale_if_error: 5.minutes
+    #   # => Cache-Control: max-age=3600, private, stale-if-error=300
     #
-    #   expires_in 3.hours, public: true, "s-maxage": 3.hours, "no-transform": true
+    #   expires_in 1.hour, public: true, "s-maxage": 3.hours, "no-transform": true
+    #   # => Cache-Control: max-age=3600, public, s-maxage=10800, no-transform=true
     #
-    # The method will also ensure an HTTP Date header for client compatibility.
     def expires_in(seconds, options = {})
       response.cache_control.delete(:no_store)
       response.cache_control.merge!(
@@ -288,7 +286,7 @@ module ActionController
       response.date = Time.now unless response.date?
     end
 
-    # Sets an HTTP 1.1 Cache-Control header of <tt>no-cache</tt>. This means the
+    # Sets an HTTP 1.1 +Cache-Control+ header of <tt>no-cache</tt>. This means the
     # resource will be marked as stale, so clients must always revalidate.
     # Intermediate/browser caches may still store the asset.
     def expires_now
@@ -311,7 +309,7 @@ module ActionController
                       public: public)
     end
 
-    # Sets an HTTP 1.1 Cache-Control header of <tt>no-store</tt>. This means the
+    # Sets an HTTP 1.1 +Cache-Control+ header of <tt>no-store</tt>. This means the
     # resource may not be stored in any cache.
     def no_store
       response.cache_control.replace(no_store: true)

data/lib/action_controller/metal/content_security_policy.rb

@@ -13,7 +13,7 @@ module ActionController # :nodoc:
     end
 
     module ClassMethods
-      # Overrides parts of the globally configured Content-Security-Policy
+      # Overrides parts of the globally configured +Content-Security-Policy+
       # header:
       #
       #   class PostsController < ApplicationController
@@ -31,7 +31,7 @@ module ActionController # :nodoc:
       #     end
       #   end
       #
-      # Pass +false+ to remove the Content-Security-Policy header:
+      # Pass +false+ to remove the +Content-Security-Policy+ header:
       #
       #   class PostsController < ApplicationController
       #     content_security_policy false, only: :index
@@ -50,14 +50,14 @@ module ActionController # :nodoc:
         end
       end
 
-      # Overrides the globally configured Content-Security-Policy-Report-Only
+      # Overrides the globally configured +Content-Security-Policy-Report-Only+
       # header:
       #
       #   class PostsController < ApplicationController
       #     content_security_policy_report_only only: :index
       #   end
       #
-      # Pass +false+ to remove the Content-Security-Policy-Report-Only header:
+      # Pass +false+ to remove the +Content-Security-Policy-Report-Only+ header:
       #
       #   class PostsController < ApplicationController
       #     content_security_policy_report_only false, only: :index

data/lib/action_controller/metal/data_streaming.rb

@@ -15,10 +15,10 @@ module ActionController # :nodoc:
     DEFAULT_SEND_FILE_DISPOSITION = "attachment" # :nodoc:
 
     private
-      # Sends the file. This uses a server-appropriate method (such as X-Sendfile)
-      # via the Rack::Sendfile middleware. The header to use is set via
+      # Sends the file. This uses a server-appropriate method (such as +X-Sendfile+)
+      # via the +Rack::Sendfile+ middleware. The header to use is set via
       # +config.action_dispatch.x_sendfile_header+.
-      # Your server can also configure this for you by setting the X-Sendfile-Type header.
+      # Your server can also configure this for you by setting the +X-Sendfile-Type+ header.
       #
       # Be careful to sanitize the path parameter if it is coming from a web
       # page. <tt>send_file(params[:path])</tt> allows a malicious user to
@@ -28,17 +28,17 @@ module ActionController # :nodoc:
       # * <tt>:filename</tt> - suggests a filename for the browser to use.
       #   Defaults to <tt>File.basename(path)</tt>.
       # * <tt>:type</tt> - specifies an HTTP content type.
-      #   You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example :json.
+      #   You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example +:json+.
       #   If omitted, the type will be inferred from the file extension specified in <tt>:filename</tt>.
-      #   If no content type is registered for the extension, the default type 'application/octet-stream' will be used.
+      #   If no content type is registered for the extension, the default type +application/octet-stream+ will be used.
       # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
-      #   Valid values are 'inline' and 'attachment' (default).
+      #   Valid values are <tt>"inline"</tt> and <tt>"attachment"</tt> (default).
       # * <tt>:status</tt> - specifies the status code to send with the response. Defaults to 200.
       # * <tt>:url_based_filename</tt> - set to +true+ if you want the browser to guess the filename from
       #   the URL, which is necessary for i18n filenames on certain browsers
       #   (setting <tt>:filename</tt> overrides this option).
       #
-      # The default Content-Type and Content-Disposition headers are
+      # The default +Content-Type+ and +Content-Disposition+ headers are
       # set to download arbitrary binary files in as many browsers as
       # possible. IE versions 4, 5, 5.5, and 6 are all known to have
       # a variety of quirks (especially when downloading over SSL).
@@ -55,17 +55,17 @@ module ActionController # :nodoc:
       #
       #   send_file '/path/to/404.html', type: 'text/html; charset=utf-8', disposition: 'inline', status: 404
       #
-      # Read about the other Content-* HTTP headers if you'd like to
-      # provide the user with more information (such as Content-Description) in
-      # https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11.
+      # You can use other <tt>Content-*</tt> HTTP headers to provide additional
+      # information to the client. See MDN for a
+      # {list of HTTP headers}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers].
       #
       # Also be aware that the document may be cached by proxies and browsers.
-      # The Pragma and Cache-Control headers declare how the file may be cached
+      # The +Pragma+ and +Cache-Control+ headers declare how the file may be cached
       # by intermediaries. They default to require clients to validate with
       # the server before releasing cached responses. See
       # https://www.mnot.net/cache_docs/ for an overview of web caching and
-      # https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9
-      # for the Cache-Control header spec.
+      # {RFC 9111}[https://www.rfc-editor.org/rfc/rfc9111.html#name-cache-control]
+      # for the +Cache-Control+ header spec.
       def send_file(path, options = {}) # :doc:
         raise MissingFile, "Cannot read file #{path}" unless File.file?(path) && File.readable?(path)
 
@@ -85,12 +85,12 @@ module ActionController # :nodoc:
       #
       # Options:
       # * <tt>:filename</tt> - suggests a filename for the browser to use.
-      # * <tt>:type</tt> - specifies an HTTP content type. Defaults to 'application/octet-stream'.
-      #   You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example :json.
+      # * <tt>:type</tt> - specifies an HTTP content type. Defaults to +application/octet-stream+.
+      #   You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example +:json+.
       #   If omitted, type will be inferred from the file extension specified in <tt>:filename</tt>.
-      #   If no content type is registered for the extension, the default type 'application/octet-stream' will be used.
+      #   If no content type is registered for the extension, the default type +application/octet-stream+ will be used.
       # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
-      #   Valid values are 'inline' and 'attachment' (default).
+      #   Valid values are <tt>"inline"</tt> and <tt>"attachment"</tt> (default).
       # * <tt>:status</tt> - specifies the status code to send with the response. Defaults to 200.
       #
       # Generic data download:
@@ -105,7 +105,7 @@ module ActionController # :nodoc:
       #
       #   send_data image.data, type: image.content_type, disposition: 'inline'
       #
-      # See +send_file+ for more information on HTTP Content-* headers and caching.
+      # See +send_file+ for more information on HTTP <tt>Content-*</tt> headers and caching.
       def send_data(data, options = {}) # :doc:
         send_file_headers! options
         render options.slice(:status, :content_type).merge(body: data)