actionpack 7.0.4.3 → 7.0.5.1
Potentially problematic release.
- checksums.yaml +4 -4
- data/CHANGELOG.md +51 -1
- data/lib/abstract_controller/helpers.rb +8 -7
- data/lib/abstract_controller/rendering.rb +9 -11
- data/lib/action_controller/api.rb +1 -1
- data/lib/action_controller/metal/basic_implicit_render.rb +3 -1
- data/lib/action_controller/metal/conditional_get.rb +121 -123
- data/lib/action_controller/metal/content_security_policy.rb +4 -4
- data/lib/action_controller/metal/data_streaming.rb +18 -18
- data/lib/action_controller/metal/etag_with_flash.rb +1 -1
- data/lib/action_controller/metal/head.rb +1 -1
- data/lib/action_controller/metal/live.rb +1 -1
- data/lib/action_controller/metal/permissions_policy.rb +1 -1
- data/lib/action_controller/metal/redirecting.rb +19 -2
- data/lib/action_controller/metal/rendering.rb +114 -2
- data/lib/action_controller/metal/request_forgery_protection.rb +5 -3
- data/lib/action_controller/metal/streaming.rb +1 -1
- data/lib/action_controller/metal/url_for.rb +2 -4
- data/lib/action_controller/railtie.rb +2 -1
- data/lib/action_controller/renderer.rb +1 -20
- data/lib/action_dispatch/http/cache.rb +7 -7
- data/lib/action_dispatch/http/content_security_policy.rb +5 -1
- data/lib/action_dispatch/http/filter_parameters.rb +4 -24
- data/lib/action_dispatch/http/headers.rb +1 -1
- data/lib/action_dispatch/http/request.rb +15 -16
- data/lib/action_dispatch/http/response.rb +0 -4
- data/lib/action_dispatch/http/upload.rb +13 -2
- data/lib/action_dispatch/middleware/cookies.rb +6 -6
- data/lib/action_dispatch/middleware/remote_ip.rb +4 -4
- data/lib/action_dispatch/middleware/request_id.rb +2 -2
- data/lib/action_dispatch/middleware/static.rb +3 -3
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +17 -8
- data/lib/action_dispatch/routing/mapper.rb +23 -0
- data/lib/action_dispatch/routing/url_for.rb +21 -21
- data/lib/action_dispatch/system_testing/driver.rb +1 -1
- data/lib/action_dispatch/testing/assertions/response.rb +1 -1
- data/lib/action_pack/gem_version.rb +2 -2
- metadata +14 -14
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: ffffa8c7f4e6595a5c24bc31fa18fcedb9159148d8fe7e4b0124d9e55f0fdce9
|
4
|
+
data.tar.gz: 3cc3953111b5ff5f631ab16bccd16cfb1679e7aba9c6bdd67b4eb5f4f1555cc6
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: '08f187c696c70d8ae6d2178877a4069d89b3e47a75ad01b87417236b04eb75a44168163785174bbcc3e1b301e24967dece59d747543578df27560289c8f4bcc9'
|
7
|
+
data.tar.gz: 2638644d64c596bac33fc32885bd03f338d2e241f5e74fe04946a92452768d2dec19845c3cea1c3e95a22b69fef2666ac8d7261bb2aa8650649cb1aca398027a
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,54 @@
|
|
1
|
+
## Rails 7.0.5.1 (June 26, 2023) ##
|
2
|
+
|
3
|
+
* Raise an exception if illegal characters are provide to redirect_to
|
4
|
+
[CVE-2023-28362]
|
5
|
+
|
6
|
+
*Zack Deveau*
|
7
|
+
|
8
|
+
## Rails 7.0.5 (May 24, 2023) ##
|
9
|
+
|
10
|
+
* Do not return CSP headers for 304 Not Modified responses.
|
11
|
+
|
12
|
+
*Tobias Kraze*
|
13
|
+
|
14
|
+
* Fix `EtagWithFlash` when there is no `Flash` middleware available.
|
15
|
+
|
16
|
+
*fatkodima*
|
17
|
+
|
18
|
+
* Fix content-type header with `send_stream`.
|
19
|
+
|
20
|
+
*Elliot Crosby-McCullough*
|
21
|
+
|
22
|
+
* Address Selenium `:capabilities` deprecation warning.
|
23
|
+
|
24
|
+
*Ron Shinall*
|
25
|
+
|
26
|
+
* Fix cookie domain for domain: all on two letter single level TLD.
|
27
|
+
|
28
|
+
*John Hawthorn*
|
29
|
+
|
30
|
+
* Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
|
31
|
+
|
32
|
+
Previously if you set `config.active_record.query_log_tags` to an array that included
|
33
|
+
`:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
|
34
|
+
This bug has been fixed.
|
35
|
+
|
36
|
+
*Alex Ghiculescu*
|
37
|
+
|
38
|
+
* Rescue `EOFError` exception from `rack` on a multipart request.
|
39
|
+
|
40
|
+
*Nikita Vasilevsky*
|
41
|
+
|
42
|
+
* Rescue `JSON::ParserError` in Cookies json deserializer to discards marshal dumps:
|
43
|
+
|
44
|
+
Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and
|
45
|
+
the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't
|
46
|
+
clear the cookie and force app users to manually clear it in their browser.
|
47
|
+
|
48
|
+
(See #45127 for original bug discussion)
|
49
|
+
|
50
|
+
*Nathan Bardoux*
|
51
|
+
|
1
52
|
## Rails 7.0.4.3 (March 13, 2023) ##
|
2
53
|
|
3
54
|
* No changes.
|
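Review bot: two typos in the new 7.0.5.1 and 7.0.5 entries: `* Raise an exception if illegal characters are provide to redirect_to` should read `provided to`, and `in Cookies json deserializer to discards marshal dumps:` should read `to discard`. The first one matters more than usual because it is the CVE-2023-28362 line that operators will read when deciding whether to upgrade; it would also help readers if that entry named (or linked) which characters `redirect_to` now rejects, so they can tell whether any of their own redirect targets will start raising.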
@@ -29,7 +80,6 @@
|
|
29
80
|
|
30
81
|
[CVE-2023-22792]
|
31
82
|
|
32
|
-
|
33
83
|
## Rails 7.0.4 (September 09, 2022) ##
|
34
84
|
|
35
85
|
* Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
|
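Review bot: this hunk only drops the blank line between `[CVE-2023-22792]` and `## Rails 7.0.4 (September 09, 2022) ##`, which leaves that heading as the one `##` entry in the file not preceded by a blank line (the 7.0.5.1, 7.0.5 and 7.0.4.3 headings added above all keep one). It looks like an accidental whitespace change rather than an intended edit; suggest restoring the blank line so the changelog layout stays consistent.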
@@ -61,13 +61,14 @@ module AbstractController
|
|
61
61
|
# class ApplicationController < ActionController::Base
|
62
62
|
# helper_method :current_user, :logged_in?
|
63
63
|
#
|
64
|
-
#
|
65
|
-
#
|
66
|
-
#
|
67
|
-
#
|
68
|
-
#
|
69
|
-
#
|
70
|
-
#
|
64
|
+
# private
|
65
|
+
# def current_user
|
66
|
+
# @current_user ||= User.find_by(id: session[:user])
|
67
|
+
# end
|
68
|
+
#
|
69
|
+
# def logged_in?
|
70
|
+
# current_user != nil
|
71
|
+
# end
|
71
72
|
# end
|
72
73
|
#
|
73
74
|
# In a view:
|
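Review bot: the rewritten example uses `User.find_by(id: session[:user])`, which returns `nil` for a missing or stale session id instead of raising the way `find` would, so `logged_in?` quietly evaluates to `false` in that case. That is the behaviour you want for a helper that views call unconditionally, but a short comment on the `# @current_user ||= User.find_by(id: session[:user])` line saying so would stop readers from "correcting" it back to `find` and turning a logged-out view into a 404.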
@@ -18,8 +18,10 @@ module AbstractController
|
|
18
18
|
extend ActiveSupport::Concern
|
19
19
|
include ActionView::ViewPaths
|
20
20
|
|
21
|
-
# Normalizes arguments
|
21
|
+
# Normalizes arguments and options, and then delegates to render_to_body and
|
22
22
|
# sticks the result in <tt>self.response_body</tt>.
|
23
|
+
#
|
24
|
+
# Supported options depend on the underlying +render_to_body+ implementation.
|
23
25
|
def render(*args, &block)
|
24
26
|
options = _normalize_render(*args, &block)
|
25
27
|
rendered_body = render_to_body(options)
|
@@ -32,16 +34,12 @@ module AbstractController
|
|
32
34
|
self.response_body = rendered_body
|
33
35
|
end
|
34
36
|
|
35
|
-
#
|
36
|
-
#
|
37
|
-
# It is similar to render, except that it does not
|
38
|
-
# set the +response_body+ and it should be guaranteed
|
39
|
-
# to always return a string.
|
37
|
+
# Similar to #render, but only returns the rendered template as a string,
|
38
|
+
# instead of setting +self.response_body+.
|
40
39
|
#
|
41
|
-
# If a component extends the semantics of +response_body+
|
42
|
-
#
|
43
|
-
#
|
44
|
-
# overridden in order to still return a string.
|
40
|
+
# If a component extends the semantics of +response_body+ (as ActionController
|
41
|
+
# extends it to be anything that responds to the method each), this method
|
42
|
+
# needs to be overridden in order to still return a string.
|
45
43
|
def render_to_string(*args, &block)
|
46
44
|
options = _normalize_render(*args, &block)
|
47
45
|
render_to_body(options)
|
@@ -51,7 +49,7 @@ module AbstractController
|
|
51
49
|
def render_to_body(options = {})
|
52
50
|
end
|
53
51
|
|
54
|
-
# Returns Content-Type of rendered content.
|
52
|
+
# Returns +Content-Type+ of rendered content.
|
55
53
|
def rendered_format
|
56
54
|
Mime[:text]
|
57
55
|
end
|
@@ -40,7 +40,7 @@ module ActionController
|
|
40
40
|
# can use <tt>render :json</tt> and siblings freely in your controllers. Keep
|
41
41
|
# in mind that templates are not going to be rendered, so you need to ensure
|
42
42
|
# your controller is calling either <tt>render</tt> or <tt>redirect_to</tt> in
|
43
|
-
# all actions, otherwise it will return 204 No Content
|
43
|
+
# all actions, otherwise it will return <tt>204 No Content</tt>.
|
44
44
|
#
|
45
45
|
# def show
|
46
46
|
# post = Post.find(params[:id])
|
@@ -33,86 +33,97 @@ module ActionController
|
|
33
33
|
end
|
34
34
|
end
|
35
35
|
|
36
|
-
# Sets the +etag+, +last_modified+, or both on the response and renders a
|
36
|
+
# Sets the +etag+, +last_modified+, or both on the response, and renders a
|
37
37
|
# <tt>304 Not Modified</tt> response if the request is already fresh.
|
38
38
|
#
|
39
|
-
#
|
40
|
-
#
|
41
|
-
#
|
42
|
-
# +:weak_etag+ option.
|
43
|
-
#
|
44
|
-
#
|
45
|
-
#
|
46
|
-
#
|
47
|
-
#
|
48
|
-
#
|
49
|
-
#
|
50
|
-
#
|
51
|
-
#
|
52
|
-
#
|
53
|
-
#
|
54
|
-
#
|
55
|
-
#
|
56
|
-
#
|
57
|
-
#
|
58
|
-
#
|
59
|
-
#
|
60
|
-
#
|
61
|
-
#
|
62
|
-
#
|
63
|
-
#
|
64
|
-
#
|
65
|
-
#
|
66
|
-
#
|
67
|
-
#
|
68
|
-
#
|
39
|
+
# ==== Options
|
40
|
+
#
|
41
|
+
# [+:etag+]
|
42
|
+
# Sets a "weak" ETag validator on the response. See the +:weak_etag+ option.
|
43
|
+
# [+:weak_etag+]
|
44
|
+
# Sets a "weak" ETag validator on the response. Requests that specify an
|
45
|
+
# +If-None-Match+ header may receive a <tt>304 Not Modified</tt> response
|
46
|
+
# if the ETag matches exactly.
|
47
|
+
#
|
48
|
+
# A weak ETag indicates semantic equivalence, not byte-for-byte equality,
|
49
|
+
# so they're good for caching HTML pages in browser caches. They can't be
|
50
|
+
# used for responses that must be byte-identical, like serving +Range+
|
51
|
+
# requests within a PDF file.
|
52
|
+
# [+:strong_etag+]
|
53
|
+
# Sets a "strong" ETag validator on the response. Requests that specify an
|
54
|
+
# +If-None-Match+ header may receive a <tt>304 Not Modified</tt> response
|
55
|
+
# if the ETag matches exactly.
|
56
|
+
#
|
57
|
+
# A strong ETag implies exact equality -- the response must match byte for
|
58
|
+
# byte. This is necessary for serving +Range+ requests within a large
|
59
|
+
# video or PDF file, for example, or for compatibility with some CDNs that
|
60
|
+
# don't support weak ETags.
|
61
|
+
# [+:last_modified+]
|
62
|
+
# Sets a "weak" last-update validator on the response. Subsequent requests
|
63
|
+
# that specify an +If-Modified-Since+ header may receive a <tt>304 Not Modified</tt>
|
64
|
+
# response if +last_modified+ <= +If-Modified-Since+.
|
65
|
+
# [+:public+]
|
66
|
+
# By default the +Cache-Control+ header is private. Set this option to
|
67
|
+
# +true+ if you want your application to be cacheable by other devices,
|
68
|
+
# such as proxy caches.
|
69
|
+
# [+:cache_control+]
|
70
|
+
# When given, will overwrite an existing +Cache-Control+ header. For a
|
71
|
+
# list of +Cache-Control+ directives, see the {article on
|
72
|
+
# MDN}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control].
|
73
|
+
# [+:template+]
|
74
|
+
# By default, the template digest for the current controller/action is
|
75
|
+
# included in ETags. If the action renders a different template, you can
|
76
|
+
# include its digest instead. If the action doesn't render a template at
|
77
|
+
# all, you can pass <tt>template: false</tt> to skip any attempt to check
|
78
|
+
# for a template digest.
|
79
|
+
#
|
80
|
+
# ==== Examples
|
69
81
|
#
|
70
82
|
# def show
|
71
83
|
# @article = Article.find(params[:id])
|
72
84
|
# fresh_when(etag: @article, last_modified: @article.updated_at, public: true)
|
73
85
|
# end
|
74
86
|
#
|
75
|
-
# This will
|
76
|
-
# If-Modified-Since header
|
87
|
+
# This will send a <tt>304 Not Modified</tt> response if the request
|
88
|
+
# specifies a matching ETag and +If-Modified-Since+ header. Otherwise, it
|
89
|
+
# will render the +show+ template.
|
77
90
|
#
|
78
|
-
# You can also just pass a record
|
79
|
-
# by calling +updated_at+ and +etag+ by passing the object itself.
|
91
|
+
# You can also just pass a record:
|
80
92
|
#
|
81
93
|
# def show
|
82
94
|
# @article = Article.find(params[:id])
|
83
95
|
# fresh_when(@article)
|
84
96
|
# end
|
85
97
|
#
|
98
|
+
# +etag+ will be set to the record, and +last_modified+ will be set to the
|
99
|
+
# record's +updated_at+.
|
100
|
+
#
|
86
101
|
# You can also pass an object that responds to +maximum+, such as a
|
87
|
-
# collection of
|
88
|
-
# calling <tt>maximum(:updated_at)</tt> on the collection (the timestamp of the
|
89
|
-
# most recently updated record) and the +etag+ by passing the object itself.
|
102
|
+
# collection of records:
|
90
103
|
#
|
91
104
|
# def index
|
92
105
|
# @articles = Article.all
|
93
106
|
# fresh_when(@articles)
|
94
107
|
# end
|
95
108
|
#
|
96
|
-
#
|
97
|
-
#
|
98
|
-
#
|
99
|
-
# @article = Article.find(params[:id])
|
100
|
-
# fresh_when(@article, public: true)
|
101
|
-
# end
|
109
|
+
# In this case, +etag+ will be set to the collection, and +last_modified+
|
110
|
+
# will be set to <tt>maximum(:updated_at)</tt> (the timestamp of the most
|
111
|
+
# recently updated record).
|
102
112
|
#
|
103
|
-
# When
|
113
|
+
# When passing a record or a collection, you can still specify other
|
114
|
+
# options, such as +:public+ and +:cache_control+:
|
104
115
|
#
|
105
116
|
# def show
|
106
117
|
# @article = Article.find(params[:id])
|
107
118
|
# fresh_when(@article, public: true, cache_control: { no_cache: true })
|
108
119
|
# end
|
109
120
|
#
|
110
|
-
#
|
121
|
+
# The above will set <tt>Cache-Control: public, no-cache</tt> in the response.
|
111
122
|
#
|
112
|
-
# When rendering a different template than the
|
113
|
-
#
|
123
|
+
# When rendering a different template than the controller/action's default
|
124
|
+
# template, you can indicate which digest to include in the ETag:
|
114
125
|
#
|
115
|
-
# before_action { fresh_when @article, template:
|
126
|
+
# before_action { fresh_when @article, template: "widgets/show" }
|
116
127
|
#
|
117
128
|
def fresh_when(object = nil, etag: nil, weak_etag: nil, strong_etag: nil, last_modified: nil, public: false, cache_control: {}, template: nil)
|
118
129
|
response.cache_control.delete(:no_store)
|
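Review bot: the new `[+:public+]` entry ("Set this option to +true+ if you want your application to be cacheable by other devices, such as proxy caches.") should carry a caveat that `public: true` is only safe on responses that are identical for every user, because a shared cache will hand a response stored for one client to the next one; the `fresh_when(etag: @article, last_modified: @article.updated_at, public: true)` example in `==== Examples` is fine for a public article but gives no hint of that limit. One sentence such as "Do not use +:public+ on responses that contain user-specific data" after the proxy-cache line would cover it.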
@@ -134,41 +145,16 @@ module ActionController
|
|
134
145
|
head :not_modified if request.fresh?(response)
|
135
146
|
end
|
136
147
|
|
137
|
-
# Sets the +etag+ and/or +last_modified+ on the response and checks
|
138
|
-
# the
|
139
|
-
#
|
140
|
-
# it
|
141
|
-
#
|
142
|
-
#
|
143
|
-
#
|
144
|
-
#
|
145
|
-
#
|
146
|
-
#
|
147
|
-
# Requests that set If-None-Match header may return a 304 Not Modified
|
148
|
-
# response if it matches the ETag exactly. A weak ETag indicates semantic
|
149
|
-
# equivalence, not byte-for-byte equality, so they're good for caching
|
150
|
-
# HTML pages in browser caches. They can't be used for responses that
|
151
|
-
# must be byte-identical, like serving Range requests within a PDF file.
|
152
|
-
# * <tt>:strong_etag</tt> Sets a "strong" ETag validator on the response.
|
153
|
-
# Requests that set If-None-Match header may return a 304 Not Modified
|
154
|
-
# response if it matches the ETag exactly. A strong ETag implies exact
|
155
|
-
# equality: the response must match byte for byte. This is necessary for
|
156
|
-
# doing Range requests within a large video or PDF file, for example, or
|
157
|
-
# for compatibility with some CDNs that don't support weak ETags.
|
158
|
-
# * <tt>:last_modified</tt> Sets a "weak" last-update validator on the
|
159
|
-
# response. Subsequent requests that set If-Modified-Since may return a
|
160
|
-
# 304 Not Modified response if last_modified <= If-Modified-Since.
|
161
|
-
# * <tt>:public</tt> By default the Cache-Control header is private, set this to
|
162
|
-
# +true+ if you want your application to be cacheable by other devices (proxy caches).
|
163
|
-
# * <tt>:cache_control</tt> When given will overwrite an existing Cache-Control header.
|
164
|
-
# See https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
|
165
|
-
# * <tt>:template</tt> By default, the template digest for the current
|
166
|
-
# controller/action is included in ETags. If the action renders a
|
167
|
-
# different template, you can include its digest instead. If the action
|
168
|
-
# doesn't render a template at all, you can pass <tt>template: false</tt>
|
169
|
-
# to skip any attempt to check for a template digest.
|
170
|
-
#
|
171
|
-
# === Example:
|
148
|
+
# Sets the +etag+ and/or +last_modified+ on the response and checks them
|
149
|
+
# against the request. If the request doesn't match the provided options, it
|
150
|
+
# is considered stale, and the response should be rendered from scratch.
|
151
|
+
# Otherwise, it is fresh, and a <tt>304 Not Modified</tt> is sent.
|
152
|
+
#
|
153
|
+
# ==== Options
|
154
|
+
#
|
155
|
+
# See #fresh_when for supported options.
|
156
|
+
#
|
157
|
+
# ==== Examples
|
172
158
|
#
|
173
159
|
# def show
|
174
160
|
# @article = Article.find(params[:id])
|
@@ -181,8 +167,7 @@ module ActionController
|
|
181
167
|
# end
|
182
168
|
# end
|
183
169
|
#
|
184
|
-
# You can also just pass a record
|
185
|
-
# by calling +updated_at+ and +etag+ by passing the object itself.
|
170
|
+
# You can also just pass a record:
|
186
171
|
#
|
187
172
|
# def show
|
188
173
|
# @article = Article.find(params[:id])
|
@@ -195,10 +180,11 @@ module ActionController
|
|
195
180
|
# end
|
196
181
|
# end
|
197
182
|
#
|
183
|
+
# +etag+ will be set to the record, and +last_modified+ will be set to the
|
184
|
+
# record's +updated_at+.
|
185
|
+
#
|
198
186
|
# You can also pass an object that responds to +maximum+, such as a
|
199
|
-
# collection of
|
200
|
-
# calling <tt>maximum(:updated_at)</tt> on the collection (the timestamp of the
|
201
|
-
# most recently updated record) and the +etag+ by passing the object itself.
|
187
|
+
# collection of records:
|
202
188
|
#
|
203
189
|
# def index
|
204
190
|
# @articles = Article.all
|
@@ -211,20 +197,12 @@ module ActionController
|
|
211
197
|
# end
|
212
198
|
# end
|
213
199
|
#
|
214
|
-
#
|
215
|
-
#
|
216
|
-
#
|
217
|
-
# @article = Article.find(params[:id])
|
218
|
-
#
|
219
|
-
# if stale?(@article, public: true)
|
220
|
-
# @statistics = @article.really_expensive_call
|
221
|
-
# respond_to do |format|
|
222
|
-
# # all the supported formats
|
223
|
-
# end
|
224
|
-
# end
|
225
|
-
# end
|
200
|
+
# In this case, +etag+ will be set to the collection, and +last_modified+
|
201
|
+
# will be set to <tt>maximum(:updated_at)</tt> (the timestamp of the most
|
202
|
+
# recently updated record).
|
226
203
|
#
|
227
|
-
# When
|
204
|
+
# When passing a record or a collection, you can still specify other
|
205
|
+
# options, such as +:public+ and +:cache_control+:
|
228
206
|
#
|
229
207
|
# def show
|
230
208
|
# @article = Article.find(params[:id])
|
@@ -237,13 +215,13 @@ module ActionController
|
|
237
215
|
# end
|
238
216
|
# end
|
239
217
|
#
|
240
|
-
#
|
218
|
+
# The above will set <tt>Cache-Control: public, no-cache</tt> in the response.
|
241
219
|
#
|
242
|
-
# When rendering a different template than the
|
243
|
-
#
|
220
|
+
# When rendering a different template than the controller/action's default
|
221
|
+
# template, you can indicate which digest to include in the ETag:
|
244
222
|
#
|
245
223
|
# def show
|
246
|
-
# super if stale?
|
224
|
+
# super if stale?(@article, template: "widgets/show")
|
247
225
|
# end
|
248
226
|
#
|
249
227
|
def stale?(object = nil, **freshness_kwargs)
|
@@ -251,28 +229,48 @@ module ActionController
|
|
251
229
|
!request.fresh?(response)
|
252
230
|
end
|
253
231
|
|
254
|
-
# Sets
|
255
|
-
#
|
232
|
+
# Sets the +Cache-Control+ header, overwriting existing directives. This
|
233
|
+
# method will also ensure an HTTP +Date+ header for client compatibility.
|
234
|
+
#
|
235
|
+
# Defaults to issuing the +private+ directive, so that intermediate caches
|
236
|
+
# must not cache the response.
|
237
|
+
#
|
238
|
+
# ==== Options
|
239
|
+
#
|
240
|
+
# [+:public+]
|
241
|
+
# If true, replaces the default +private+ directive with the +public+
|
242
|
+
# directive.
|
243
|
+
# [+:must_revalidate+]
|
244
|
+
# If true, adds the +must-revalidate+ directive.
|
245
|
+
# [+:stale_while_revalidate+]
|
246
|
+
# Sets the value of the +stale-while-revalidate+ directive.
|
247
|
+
# [+:stale_if_error+]
|
248
|
+
# Sets the value of the +stale-if-error+ directive.
|
249
|
+
#
|
250
|
+
# Any additional key-value pairs are concatenated as directives. For a list
|
251
|
+
# of supported +Cache-Control+ directives, see the {article on
|
252
|
+
# MDN}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control].
|
253
|
+
#
|
254
|
+
# ==== Examples
|
256
255
|
#
|
257
|
-
# expires_in
|
258
|
-
#
|
259
|
-
# expires_in 3.hours, public: true, must_revalidate: true
|
256
|
+
# expires_in 10.minutes
|
257
|
+
# # => Cache-Control: max-age=600, private
|
260
258
|
#
|
261
|
-
#
|
262
|
-
#
|
259
|
+
# expires_in 10.minutes, public: true
|
260
|
+
# # => Cache-Control: max-age=600, public
|
263
261
|
#
|
264
|
-
#
|
265
|
-
#
|
262
|
+
# expires_in 10.minutes, public: true, must_revalidate: true
|
263
|
+
# # => Cache-Control: max-age=600, public, must-revalidate
|
266
264
|
#
|
267
|
-
# expires_in
|
268
|
-
#
|
265
|
+
# expires_in 1.hour, stale_while_revalidate: 60.seconds
|
266
|
+
# # => Cache-Control: max-age=3600, private, stale-while-revalidate=60
|
269
267
|
#
|
270
|
-
#
|
271
|
-
#
|
268
|
+
# expires_in 1.hour, stale_if_error: 5.minutes
|
269
|
+
# # => Cache-Control: max-age=3600, private, stale-if-error=300
|
272
270
|
#
|
273
|
-
# expires_in
|
271
|
+
# expires_in 1.hour, public: true, "s-maxage": 3.hours, "no-transform": true
|
272
|
+
# # => Cache-Control: max-age=3600, public, s-maxage=10800, no-transform=true
|
274
273
|
#
|
275
|
-
# The method will also ensure an HTTP Date header for client compatibility.
|
276
274
|
def expires_in(seconds, options = {})
|
277
275
|
response.cache_control.delete(:no_store)
|
278
276
|
response.cache_control.merge!(
|
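Review bot: the last example, `expires_in 1.hour, public: true, "s-maxage": 3.hours, "no-transform": true` with the documented output `Cache-Control: max-age=3600, public, s-maxage=10800, no-transform=true`, advertises a non-standard header form: `no-transform` is a valueless directive in RFC 9111 (the article the same hunk links for `+Cache-Control+` directives lists it without an argument), so `no-transform=true` may be ignored by caches that parse directives strictly. Either drop `"no-transform": true` from the example and keep only `"s-maxage": 3.hours`, or have the extra-directive formatting emit the bare directive name when the value is `true` and document that output instead.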
@@ -288,7 +286,7 @@ module ActionController
|
|
288
286
|
response.date = Time.now unless response.date?
|
289
287
|
end
|
290
288
|
|
291
|
-
# Sets an HTTP 1.1 Cache-Control header of <tt>no-cache</tt>. This means the
|
289
|
+
# Sets an HTTP 1.1 +Cache-Control+ header of <tt>no-cache</tt>. This means the
|
292
290
|
# resource will be marked as stale, so clients must always revalidate.
|
293
291
|
# Intermediate/browser caches may still store the asset.
|
294
292
|
def expires_now
|
@@ -311,7 +309,7 @@ module ActionController
|
|
311
309
|
public: public)
|
312
310
|
end
|
313
311
|
|
314
|
-
# Sets an HTTP 1.1 Cache-Control header of <tt>no-store</tt>. This means the
|
312
|
+
# Sets an HTTP 1.1 +Cache-Control+ header of <tt>no-store</tt>. This means the
|
315
313
|
# resource may not be stored in any cache.
|
316
314
|
def no_store
|
317
315
|
response.cache_control.replace(no_store: true)
|
@@ -13,7 +13,7 @@ module ActionController # :nodoc:
|
|
13
13
|
end
|
14
14
|
|
15
15
|
module ClassMethods
|
16
|
-
# Overrides parts of the globally configured Content-Security-Policy
|
16
|
+
# Overrides parts of the globally configured +Content-Security-Policy+
|
17
17
|
# header:
|
18
18
|
#
|
19
19
|
# class PostsController < ApplicationController
|
@@ -31,7 +31,7 @@ module ActionController # :nodoc:
|
|
31
31
|
# end
|
32
32
|
# end
|
33
33
|
#
|
34
|
-
# Pass +false+ to remove the Content-Security-Policy header:
|
34
|
+
# Pass +false+ to remove the +Content-Security-Policy+ header:
|
35
35
|
#
|
36
36
|
# class PostsController < ApplicationController
|
37
37
|
# content_security_policy false, only: :index
|
@@ -50,14 +50,14 @@ module ActionController # :nodoc:
|
|
50
50
|
end
|
51
51
|
end
|
52
52
|
|
53
|
-
# Overrides the globally configured Content-Security-Policy-Report-Only
|
53
|
+
# Overrides the globally configured +Content-Security-Policy-Report-Only+
|
54
54
|
# header:
|
55
55
|
#
|
56
56
|
# class PostsController < ApplicationController
|
57
57
|
# content_security_policy_report_only only: :index
|
58
58
|
# end
|
59
59
|
#
|
60
|
-
# Pass +false+ to remove the Content-Security-Policy-Report-Only header:
|
60
|
+
# Pass +false+ to remove the +Content-Security-Policy-Report-Only+ header:
|
61
61
|
#
|
62
62
|
# class PostsController < ApplicationController
|
63
63
|
# content_security_policy_report_only false, only: :index
|
@@ -15,10 +15,10 @@ module ActionController # :nodoc:
|
|
15
15
|
DEFAULT_SEND_FILE_DISPOSITION = "attachment" # :nodoc:
|
16
16
|
|
17
17
|
private
|
18
|
-
# Sends the file. This uses a server-appropriate method (such as X-Sendfile)
|
19
|
-
# via the Rack::Sendfile middleware. The header to use is set via
|
18
|
+
# Sends the file. This uses a server-appropriate method (such as +X-Sendfile+)
|
19
|
+
# via the +Rack::Sendfile+ middleware. The header to use is set via
|
20
20
|
# +config.action_dispatch.x_sendfile_header+.
|
21
|
-
# Your server can also configure this for you by setting the X-Sendfile-Type header.
|
21
|
+
# Your server can also configure this for you by setting the +X-Sendfile-Type+ header.
|
22
22
|
#
|
23
23
|
# Be careful to sanitize the path parameter if it is coming from a web
|
24
24
|
# page. <tt>send_file(params[:path])</tt> allows a malicious user to
|
@@ -28,17 +28,17 @@ module ActionController # :nodoc:
|
|
28
28
|
# * <tt>:filename</tt> - suggests a filename for the browser to use.
|
29
29
|
# Defaults to <tt>File.basename(path)</tt>.
|
30
30
|
# * <tt>:type</tt> - specifies an HTTP content type.
|
31
|
-
# You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example
|
31
|
+
# You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example +:json+.
|
32
32
|
# If omitted, the type will be inferred from the file extension specified in <tt>:filename</tt>.
|
33
|
-
# If no content type is registered for the extension, the default type
|
33
|
+
# If no content type is registered for the extension, the default type +application/octet-stream+ will be used.
|
34
34
|
# * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
|
35
|
-
# Valid values are
|
35
|
+
# Valid values are <tt>"inline"</tt> and <tt>"attachment"</tt> (default).
|
36
36
|
# * <tt>:status</tt> - specifies the status code to send with the response. Defaults to 200.
|
37
37
|
# * <tt>:url_based_filename</tt> - set to +true+ if you want the browser to guess the filename from
|
38
38
|
# the URL, which is necessary for i18n filenames on certain browsers
|
39
39
|
# (setting <tt>:filename</tt> overrides this option).
|
40
40
|
#
|
41
|
-
# The default Content-Type and Content-Disposition headers are
|
41
|
+
# The default +Content-Type+ and +Content-Disposition+ headers are
|
42
42
|
# set to download arbitrary binary files in as many browsers as
|
43
43
|
# possible. IE versions 4, 5, 5.5, and 6 are all known to have
|
44
44
|
# a variety of quirks (especially when downloading over SSL).
|
@@ -55,17 +55,17 @@ module ActionController # :nodoc:
|
|
55
55
|
#
|
56
56
|
# send_file '/path/to/404.html', type: 'text/html; charset=utf-8', disposition: 'inline', status: 404
|
57
57
|
#
|
58
|
-
#
|
59
|
-
#
|
60
|
-
# https://
|
58
|
+
# You can use other <tt>Content-*</tt> HTTP headers to provide additional
|
59
|
+
# information to the client. See MDN for a
|
60
|
+
# {list of HTTP headers}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers].
|
61
61
|
#
|
62
62
|
# Also be aware that the document may be cached by proxies and browsers.
|
63
|
-
# The Pragma and Cache-Control headers declare how the file may be cached
|
63
|
+
# The +Pragma+ and +Cache-Control+ headers declare how the file may be cached
|
64
64
|
# by intermediaries. They default to require clients to validate with
|
65
65
|
# the server before releasing cached responses. See
|
66
66
|
# https://www.mnot.net/cache_docs/ for an overview of web caching and
|
67
|
-
# https://www.
|
68
|
-
# for the Cache-Control header spec.
|
67
|
+
# {RFC 9111}[https://www.rfc-editor.org/rfc/rfc9111.html#name-cache-control]
|
68
|
+
# for the +Cache-Control+ header spec.
|
69
69
|
def send_file(path, options = {}) # :doc:
|
70
70
|
raise MissingFile, "Cannot read file #{path}" unless File.file?(path) && File.readable?(path)
|
71
71
|
|
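Review bot: the cache paragraph still says `The +Pragma+ and +Cache-Control+ headers declare how the file may be cached`, but the RFC 9111 link this hunk introduces marks `Pragma` as deprecated (section 5.4 of that RFC) and gives `Cache-Control` precedence whenever both are present. Since the link was updated from the old RFC 2616 text anyway, suggest either dropping the `Pragma` mention or adding a clause that `Cache-Control` is the header that counts, so the doc does not point readers at a header that modern caches ignore.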
@@ -85,12 +85,12 @@ module ActionController # :nodoc:
|
|
85
85
|
#
|
86
86
|
# Options:
|
87
87
|
# * <tt>:filename</tt> - suggests a filename for the browser to use.
|
88
|
-
# * <tt>:type</tt> - specifies an HTTP content type. Defaults to
|
89
|
-
# You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example
|
88
|
+
# * <tt>:type</tt> - specifies an HTTP content type. Defaults to +application/octet-stream+.
|
89
|
+
# You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example +:json+.
|
90
90
|
# If omitted, type will be inferred from the file extension specified in <tt>:filename</tt>.
|
91
|
-
# If no content type is registered for the extension, the default type
|
91
|
+
# If no content type is registered for the extension, the default type +application/octet-stream+ will be used.
|
92
92
|
# * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
|
93
|
-
# Valid values are
|
93
|
+
# Valid values are <tt>"inline"</tt> and <tt>"attachment"</tt> (default).
|
94
94
|
# * <tt>:status</tt> - specifies the status code to send with the response. Defaults to 200.
|
95
95
|
#
|
96
96
|
# Generic data download:
|
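Review bot: the `:type` entry now states the `application/octet-stream` default twice: `Defaults to +application/octet-stream+.` on the first line of the bullet and `the default type +application/octet-stream+ will be used.` two lines later. The second sentence is the one that explains when the default applies (no registered type for the extension), so suggest keeping it and dropping the "Defaults to" clause from the first line.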
@@ -105,7 +105,7 @@ module ActionController # :nodoc:
|
|
105
105
|
#
|
106
106
|
# send_data image.data, type: image.content_type, disposition: 'inline'
|
107
107
|
#
|
108
|
-
# See +send_file+ for more information on HTTP Content
|
108
|
+
# See +send_file+ for more information on HTTP <tt>Content-*</tt> headers and caching.
|
109
109
|
def send_data(data, options = {}) # :doc:
|
110
110
|
send_file_headers! options
|
111
111
|
render options.slice(:status, :content_type).merge(body: data)
|
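Review bot: the `send_data image.data, type: image.content_type, disposition: 'inline'` example renders stored content inline under a stored content type, and the new cross-reference only points at `send_file` "for more information on HTTP Content-* headers and caching", whose own docs (visible earlier in this diff) warn about unsanitized `path` but say nothing about `:type` or `:disposition`. A matching sentence here that `:type` and `disposition: 'inline'` should not be driven by user-controlled values, since an uploaded SVG or HTML document served inline executes in the application's origin, would keep the two methods' guidance consistent.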