actionpack 7.0.4.3 → 7.0.5.1


Files changed (38)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +51 -1
  3. data/lib/abstract_controller/helpers.rb +8 -7
  4. data/lib/abstract_controller/rendering.rb +9 -11
  5. data/lib/action_controller/api.rb +1 -1
  6. data/lib/action_controller/metal/basic_implicit_render.rb +3 -1
  7. data/lib/action_controller/metal/conditional_get.rb +121 -123
  8. data/lib/action_controller/metal/content_security_policy.rb +4 -4
  9. data/lib/action_controller/metal/data_streaming.rb +18 -18
  10. data/lib/action_controller/metal/etag_with_flash.rb +1 -1
  11. data/lib/action_controller/metal/head.rb +1 -1
  12. data/lib/action_controller/metal/live.rb +1 -1
  13. data/lib/action_controller/metal/permissions_policy.rb +1 -1
  14. data/lib/action_controller/metal/redirecting.rb +19 -2
  15. data/lib/action_controller/metal/rendering.rb +114 -2
  16. data/lib/action_controller/metal/request_forgery_protection.rb +5 -3
  17. data/lib/action_controller/metal/streaming.rb +1 -1
  18. data/lib/action_controller/metal/url_for.rb +2 -4
  19. data/lib/action_controller/railtie.rb +2 -1
  20. data/lib/action_controller/renderer.rb +1 -20
  21. data/lib/action_dispatch/http/cache.rb +7 -7
  22. data/lib/action_dispatch/http/content_security_policy.rb +5 -1
  23. data/lib/action_dispatch/http/filter_parameters.rb +4 -24
  24. data/lib/action_dispatch/http/headers.rb +1 -1
  25. data/lib/action_dispatch/http/request.rb +15 -16
  26. data/lib/action_dispatch/http/response.rb +0 -4
  27. data/lib/action_dispatch/http/upload.rb +13 -2
  28. data/lib/action_dispatch/middleware/cookies.rb +6 -6
  29. data/lib/action_dispatch/middleware/remote_ip.rb +4 -4
  30. data/lib/action_dispatch/middleware/request_id.rb +2 -2
  31. data/lib/action_dispatch/middleware/static.rb +3 -3
  32. data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +17 -8
  33. data/lib/action_dispatch/routing/mapper.rb +23 -0
  34. data/lib/action_dispatch/routing/url_for.rb +21 -21
  35. data/lib/action_dispatch/system_testing/driver.rb +1 -1
  36. data/lib/action_dispatch/testing/assertions/response.rb +1 -1
  37. data/lib/action_pack/gem_version.rb +2 -2
  38. metadata +14 -14
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: a6767fc53a6245fa8cf50e270d45f161b736ecac2617775983506517053fc85c
4
- data.tar.gz: 46c3f7e78ff2cac14ca4eefbf1eb3d72fc41e514571356eec3fc9693ce04d7d7
3
+ metadata.gz: ffffa8c7f4e6595a5c24bc31fa18fcedb9159148d8fe7e4b0124d9e55f0fdce9
4
+ data.tar.gz: 3cc3953111b5ff5f631ab16bccd16cfb1679e7aba9c6bdd67b4eb5f4f1555cc6
5
5
  SHA512:
6
- metadata.gz: 74c5700fdeecb9ca7ab1b60c88dcc30f55cf04c62ba7ac4204aad1b787ef7686ab0354a3ae462738f01333867dbcf2df676250797cb6022f8241b1eb3bdc1f86
7
- data.tar.gz: 715809e75921eaef199ff1f775a6756c21be3954942189ed817a763ed5197c5aaac85b8620b684324d7e117e9b804572911de4e3d442eb3169f59229f233691a
6
+ metadata.gz: '08f187c696c70d8ae6d2178877a4069d89b3e47a75ad01b87417236b04eb75a44168163785174bbcc3e1b301e24967dece59d747543578df27560289c8f4bcc9'
7
+ data.tar.gz: 2638644d64c596bac33fc32885bd03f338d2e241f5e74fe04946a92452768d2dec19845c3cea1c3e95a22b69fef2666ac8d7261bb2aa8650649cb1aca398027a
data/CHANGELOG.md CHANGED
@@ -1,3 +1,54 @@
1
+ ## Rails 7.0.5.1 (June 26, 2023) ##
2
+
3
+ * Raise an exception if illegal characters are provide to redirect_to
4
+ [CVE-2023-28362]
5
+
6
+ *Zack Deveau*
7
+
8
+ ## Rails 7.0.5 (May 24, 2023) ##
9
+
10
+ * Do not return CSP headers for 304 Not Modified responses.
11
+
12
+ *Tobias Kraze*
13
+
14
+ * Fix `EtagWithFlash` when there is no `Flash` middleware available.
15
+
16
+ *fatkodima*
17
+
18
+ * Fix content-type header with `send_stream`.
19
+
20
+ *Elliot Crosby-McCullough*
21
+
22
+ * Address Selenium `:capabilities` deprecation warning.
23
+
24
+ *Ron Shinall*
25
+
26
+ * Fix cookie domain for domain: all on two letter single level TLD.
27
+
28
+ *John Hawthorn*
29
+
30
+ * Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
31
+
32
+ Previously if you set `config.active_record.query_log_tags` to an array that included
33
+ `:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
34
+ This bug has been fixed.
35
+
36
+ *Alex Ghiculescu*
37
+
38
+ * Rescue `EOFError` exception from `rack` on a multipart request.
39
+
40
+ *Nikita Vasilevsky*
41
+
42
+ * Rescue `JSON::ParserError` in Cookies json deserializer to discards marshal dumps:
43
+
44
+ Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and
45
+ the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't
46
+ clear the cookie and force app users to manually clear it in their browser.
47
+
48
+ (See #45127 for original bug discussion)
49
+
50
+ *Nathan Bardoux*
51
+
1
52
  ## Rails 7.0.4.3 (March 13, 2023) ##
2
53
 
3
54
  * No changes.
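Review bot: two wording slips in the new entries: `Raise an exception if illegal characters are provide to redirect_to` should read `provided`, and `to discards marshal dumps` should read `to discard marshal dumps`. The CVE-2023-28362 entry is also the only changelog trace of a security fix in this release, and unlike the other entries it does not say what is now rejected or what behaviour it prevents; one more sentence there would let operators judge whether their own `redirect_to` call sites are affected without reading the source.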
@@ -29,7 +80,6 @@
29
80
 
30
81
  [CVE-2023-22792]
31
82
 
32
-
33
83
  ## Rails 7.0.4 (September 09, 2022) ##
34
84
 
35
85
  * Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
@@ -61,13 +61,14 @@ module AbstractController
61
61
  # class ApplicationController < ActionController::Base
62
62
  # helper_method :current_user, :logged_in?
63
63
  #
64
- # def current_user
65
- # @current_user ||= User.find_by(id: session[:user])
66
- # end
67
- #
68
- # def logged_in?
69
- # current_user != nil
70
- # end
64
+ # private
65
+ # def current_user
66
+ # @current_user ||= User.find_by(id: session[:user])
67
+ # end
68
+ #
69
+ # def logged_in?
70
+ # current_user != nil
71
+ # end
71
72
  # end
72
73
  #
73
74
  # In a view:
@@ -18,8 +18,10 @@ module AbstractController
18
18
  extend ActiveSupport::Concern
19
19
  include ActionView::ViewPaths
20
20
 
21
- # Normalizes arguments, options and then delegates render_to_body and
21
+ # Normalizes arguments and options, and then delegates to render_to_body and
22
22
  # sticks the result in <tt>self.response_body</tt>.
23
+ #
24
+ # Supported options depend on the underlying +render_to_body+ implementation.
23
25
  def render(*args, &block)
24
26
  options = _normalize_render(*args, &block)
25
27
  rendered_body = render_to_body(options)
@@ -32,16 +34,12 @@ module AbstractController
32
34
  self.response_body = rendered_body
33
35
  end
34
36
 
35
- # Raw rendering of a template to a string.
36
- #
37
- # It is similar to render, except that it does not
38
- # set the +response_body+ and it should be guaranteed
39
- # to always return a string.
37
+ # Similar to #render, but only returns the rendered template as a string,
38
+ # instead of setting +self.response_body+.
40
39
  #
41
- # If a component extends the semantics of +response_body+
42
- # (as ActionController extends it to be anything that
43
- # responds to the method each), this method needs to be
44
- # overridden in order to still return a string.
40
+ # If a component extends the semantics of +response_body+ (as ActionController
41
+ # extends it to be anything that responds to the method each), this method
42
+ # needs to be overridden in order to still return a string.
45
43
  def render_to_string(*args, &block)
46
44
  options = _normalize_render(*args, &block)
47
45
  render_to_body(options)
@@ -51,7 +49,7 @@ module AbstractController
51
49
  def render_to_body(options = {})
52
50
  end
53
51
 
54
- # Returns Content-Type of rendered content.
52
+ # Returns +Content-Type+ of rendered content.
55
53
  def rendered_format
56
54
  Mime[:text]
57
55
  end
@@ -40,7 +40,7 @@ module ActionController
40
40
  # can use <tt>render :json</tt> and siblings freely in your controllers. Keep
41
41
  # in mind that templates are not going to be rendered, so you need to ensure
42
42
  # your controller is calling either <tt>render</tt> or <tt>redirect_to</tt> in
43
- # all actions, otherwise it will return 204 No Content.
43
+ # all actions, otherwise it will return <tt>204 No Content</tt>.
44
44
  #
45
45
  # def show
46
46
  # post = Post.find(params[:id])
@@ -3,7 +3,9 @@
3
3
  module ActionController
4
4
  module BasicImplicitRender # :nodoc:
5
5
  def send_action(method, *args)
6
- super.tap { default_render unless performed? }
6
+ ret = super
7
+ default_render unless performed?
8
+ ret
7
9
  end
8
10
 
9
11
  def default_render
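Review bot: the rewrite of `send_action` from `super.tap { default_render unless performed? }` to `ret = super` / `default_render unless performed?` / `ret` keeps the return value and the ordering, so no behaviour change is visible in this hunk; if the motivation is to drop the block allocation from `tap` on every action dispatch, a one-line comment saying so would save the next reader from hunting for a semantic fix. The exception path is unchanged too: if `super` raises, `default_render` is still never reached in either form.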
@@ -33,86 +33,97 @@ module ActionController
33
33
  end
34
34
  end
35
35
 
36
- # Sets the +etag+, +last_modified+, or both on the response and renders a
36
+ # Sets the +etag+, +last_modified+, or both on the response, and renders a
37
37
  # <tt>304 Not Modified</tt> response if the request is already fresh.
38
38
  #
39
- # === Parameters:
40
- #
41
- # * <tt>:etag</tt> Sets a "weak" ETag validator on the response. See the
42
- # +:weak_etag+ option.
43
- # * <tt>:weak_etag</tt> Sets a "weak" ETag validator on the response.
44
- # Requests that set If-None-Match header may return a 304 Not Modified
45
- # response if it matches the ETag exactly. A weak ETag indicates semantic
46
- # equivalence, not byte-for-byte equality, so they're good for caching
47
- # HTML pages in browser caches. They can't be used for responses that
48
- # must be byte-identical, like serving Range requests within a PDF file.
49
- # * <tt>:strong_etag</tt> Sets a "strong" ETag validator on the response.
50
- # Requests that set If-None-Match header may return a 304 Not Modified
51
- # response if it matches the ETag exactly. A strong ETag implies exact
52
- # equality: the response must match byte for byte. This is necessary for
53
- # doing Range requests within a large video or PDF file, for example, or
54
- # for compatibility with some CDNs that don't support weak ETags.
55
- # * <tt>:last_modified</tt> Sets a "weak" last-update validator on the
56
- # response. Subsequent requests that set If-Modified-Since may return a
57
- # 304 Not Modified response if last_modified <= If-Modified-Since.
58
- # * <tt>:public</tt> By default the Cache-Control header is private, set this to
59
- # +true+ if you want your application to be cacheable by other devices (proxy caches).
60
- # * <tt>:cache_control</tt> When given will overwrite an existing Cache-Control header.
61
- # See https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
62
- # * <tt>:template</tt> By default, the template digest for the current
63
- # controller/action is included in ETags. If the action renders a
64
- # different template, you can include its digest instead. If the action
65
- # doesn't render a template at all, you can pass <tt>template: false</tt>
66
- # to skip any attempt to check for a template digest.
67
- #
68
- # === Example:
39
+ # ==== Options
40
+ #
41
+ # [+:etag+]
42
+ # Sets a "weak" ETag validator on the response. See the +:weak_etag+ option.
43
+ # [+:weak_etag+]
44
+ # Sets a "weak" ETag validator on the response. Requests that specify an
45
+ # +If-None-Match+ header may receive a <tt>304 Not Modified</tt> response
46
+ # if the ETag matches exactly.
47
+ #
48
+ # A weak ETag indicates semantic equivalence, not byte-for-byte equality,
49
+ # so they're good for caching HTML pages in browser caches. They can't be
50
+ # used for responses that must be byte-identical, like serving +Range+
51
+ # requests within a PDF file.
52
+ # [+:strong_etag+]
53
+ # Sets a "strong" ETag validator on the response. Requests that specify an
54
+ # +If-None-Match+ header may receive a <tt>304 Not Modified</tt> response
55
+ # if the ETag matches exactly.
56
+ #
57
+ # A strong ETag implies exact equality -- the response must match byte for
58
+ # byte. This is necessary for serving +Range+ requests within a large
59
+ # video or PDF file, for example, or for compatibility with some CDNs that
60
+ # don't support weak ETags.
61
+ # [+:last_modified+]
62
+ # Sets a "weak" last-update validator on the response. Subsequent requests
63
+ # that specify an +If-Modified-Since+ header may receive a <tt>304 Not Modified</tt>
64
+ # response if +last_modified+ <= +If-Modified-Since+.
65
+ # [+:public+]
66
+ # By default the +Cache-Control+ header is private. Set this option to
67
+ # +true+ if you want your application to be cacheable by other devices,
68
+ # such as proxy caches.
69
+ # [+:cache_control+]
70
+ # When given, will overwrite an existing +Cache-Control+ header. For a
71
+ # list of +Cache-Control+ directives, see the {article on
72
+ # MDN}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control].
73
+ # [+:template+]
74
+ # By default, the template digest for the current controller/action is
75
+ # included in ETags. If the action renders a different template, you can
76
+ # include its digest instead. If the action doesn't render a template at
77
+ # all, you can pass <tt>template: false</tt> to skip any attempt to check
78
+ # for a template digest.
79
+ #
80
+ # ==== Examples
69
81
  #
70
82
  # def show
71
83
  # @article = Article.find(params[:id])
72
84
  # fresh_when(etag: @article, last_modified: @article.updated_at, public: true)
73
85
  # end
74
86
  #
75
- # This will render the show template if the request isn't sending a matching ETag or
76
- # If-Modified-Since header and just a <tt>304 Not Modified</tt> response if there's a match.
87
+ # This will send a <tt>304 Not Modified</tt> response if the request
88
+ # specifies a matching ETag and +If-Modified-Since+ header. Otherwise, it
89
+ # will render the +show+ template.
77
90
  #
78
- # You can also just pass a record. In this case +last_modified+ will be set
79
- # by calling +updated_at+ and +etag+ by passing the object itself.
91
+ # You can also just pass a record:
80
92
  #
81
93
  # def show
82
94
  # @article = Article.find(params[:id])
83
95
  # fresh_when(@article)
84
96
  # end
85
97
  #
98
+ # +etag+ will be set to the record, and +last_modified+ will be set to the
99
+ # record's +updated_at+.
100
+ #
86
101
  # You can also pass an object that responds to +maximum+, such as a
87
- # collection of active records. In this case +last_modified+ will be set by
88
- # calling <tt>maximum(:updated_at)</tt> on the collection (the timestamp of the
89
- # most recently updated record) and the +etag+ by passing the object itself.
102
+ # collection of records:
90
103
  #
91
104
  # def index
92
105
  # @articles = Article.all
93
106
  # fresh_when(@articles)
94
107
  # end
95
108
  #
96
- # When passing a record or a collection, you can still set the public header:
97
- #
98
- # def show
99
- # @article = Article.find(params[:id])
100
- # fresh_when(@article, public: true)
101
- # end
109
+ # In this case, +etag+ will be set to the collection, and +last_modified+
110
+ # will be set to <tt>maximum(:updated_at)</tt> (the timestamp of the most
111
+ # recently updated record).
102
112
  #
103
- # When overwriting Cache-Control header:
113
+ # When passing a record or a collection, you can still specify other
114
+ # options, such as +:public+ and +:cache_control+:
104
115
  #
105
116
  # def show
106
117
  # @article = Article.find(params[:id])
107
118
  # fresh_when(@article, public: true, cache_control: { no_cache: true })
108
119
  # end
109
120
  #
110
- # This will set in the response Cache-Control = public, no-cache.
121
+ # The above will set <tt>Cache-Control: public, no-cache</tt> in the response.
111
122
  #
112
- # When rendering a different template than the default controller/action
113
- # style, you can indicate which digest to include in the ETag:
123
+ # When rendering a different template than the controller/action's default
124
+ # template, you can indicate which digest to include in the ETag:
114
125
  #
115
- # before_action { fresh_when @article, template: 'widgets/show' }
126
+ # before_action { fresh_when @article, template: "widgets/show" }
116
127
  #
117
128
  def fresh_when(object = nil, etag: nil, weak_etag: nil, strong_etag: nil, last_modified: nil, public: false, cache_control: {}, template: nil)
118
129
  response.cache_control.delete(:no_store)
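Review bot: the rewritten summary sentence `This will send a 304 Not Modified response if the request specifies a matching ETag and +If-Modified-Since+ header` reads as though both validators must be present, which contradicts the option descriptions a few lines above in this same hunk (a request carrying only `If-None-Match`, or only `If-Modified-Since`, may also receive a 304). The wording it replaces, `a matching ETag or If-Modified-Since header`, had this right; suggest `if the request's +If-None-Match+ and/or +If-Modified-Since+ headers match` so the doc does not understate when the cached body is served.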
@@ -134,41 +145,16 @@ module ActionController
134
145
  head :not_modified if request.fresh?(response)
135
146
  end
136
147
 
137
- # Sets the +etag+ and/or +last_modified+ on the response and checks it against
138
- # the client request. If the request doesn't match the options provided, the
139
- # request is considered stale and should be generated from scratch. Otherwise,
140
- # it's fresh and we don't need to generate anything and a reply of <tt>304 Not Modified</tt> is sent.
141
- #
142
- # === Parameters:
143
- #
144
- # * <tt>:etag</tt> Sets a "weak" ETag validator on the response. See the
145
- # +:weak_etag+ option.
146
- # * <tt>:weak_etag</tt> Sets a "weak" ETag validator on the response.
147
- # Requests that set If-None-Match header may return a 304 Not Modified
148
- # response if it matches the ETag exactly. A weak ETag indicates semantic
149
- # equivalence, not byte-for-byte equality, so they're good for caching
150
- # HTML pages in browser caches. They can't be used for responses that
151
- # must be byte-identical, like serving Range requests within a PDF file.
152
- # * <tt>:strong_etag</tt> Sets a "strong" ETag validator on the response.
153
- # Requests that set If-None-Match header may return a 304 Not Modified
154
- # response if it matches the ETag exactly. A strong ETag implies exact
155
- # equality: the response must match byte for byte. This is necessary for
156
- # doing Range requests within a large video or PDF file, for example, or
157
- # for compatibility with some CDNs that don't support weak ETags.
158
- # * <tt>:last_modified</tt> Sets a "weak" last-update validator on the
159
- # response. Subsequent requests that set If-Modified-Since may return a
160
- # 304 Not Modified response if last_modified <= If-Modified-Since.
161
- # * <tt>:public</tt> By default the Cache-Control header is private, set this to
162
- # +true+ if you want your application to be cacheable by other devices (proxy caches).
163
- # * <tt>:cache_control</tt> When given will overwrite an existing Cache-Control header.
164
- # See https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
165
- # * <tt>:template</tt> By default, the template digest for the current
166
- # controller/action is included in ETags. If the action renders a
167
- # different template, you can include its digest instead. If the action
168
- # doesn't render a template at all, you can pass <tt>template: false</tt>
169
- # to skip any attempt to check for a template digest.
170
- #
171
- # === Example:
148
+ # Sets the +etag+ and/or +last_modified+ on the response and checks them
149
+ # against the request. If the request doesn't match the provided options, it
150
+ # is considered stale, and the response should be rendered from scratch.
151
+ # Otherwise, it is fresh, and a <tt>304 Not Modified</tt> is sent.
152
+ #
153
+ # ==== Options
154
+ #
155
+ # See #fresh_when for supported options.
156
+ #
157
+ # ==== Examples
172
158
  #
173
159
  # def show
174
160
  # @article = Article.find(params[:id])
@@ -181,8 +167,7 @@ module ActionController
181
167
  # end
182
168
  # end
183
169
  #
184
- # You can also just pass a record. In this case +last_modified+ will be set
185
- # by calling +updated_at+ and +etag+ by passing the object itself.
170
+ # You can also just pass a record:
186
171
  #
187
172
  # def show
188
173
  # @article = Article.find(params[:id])
@@ -195,10 +180,11 @@ module ActionController
195
180
  # end
196
181
  # end
197
182
  #
183
+ # +etag+ will be set to the record, and +last_modified+ will be set to the
184
+ # record's +updated_at+.
185
+ #
198
186
  # You can also pass an object that responds to +maximum+, such as a
199
- # collection of active records. In this case +last_modified+ will be set by
200
- # calling <tt>maximum(:updated_at)</tt> on the collection (the timestamp of the
201
- # most recently updated record) and the +etag+ by passing the object itself.
187
+ # collection of records:
202
188
  #
203
189
  # def index
204
190
  # @articles = Article.all
@@ -211,20 +197,12 @@ module ActionController
211
197
  # end
212
198
  # end
213
199
  #
214
- # When passing a record or a collection, you can still set the public header:
215
- #
216
- # def show
217
- # @article = Article.find(params[:id])
218
- #
219
- # if stale?(@article, public: true)
220
- # @statistics = @article.really_expensive_call
221
- # respond_to do |format|
222
- # # all the supported formats
223
- # end
224
- # end
225
- # end
200
+ # In this case, +etag+ will be set to the collection, and +last_modified+
201
+ # will be set to <tt>maximum(:updated_at)</tt> (the timestamp of the most
202
+ # recently updated record).
226
203
  #
227
- # When overwriting Cache-Control header:
204
+ # When passing a record or a collection, you can still specify other
205
+ # options, such as +:public+ and +:cache_control+:
228
206
  #
229
207
  # def show
230
208
  # @article = Article.find(params[:id])
@@ -237,13 +215,13 @@ module ActionController
237
215
  # end
238
216
  # end
239
217
  #
240
- # This will set in the response Cache-Control = public, no-cache.
218
+ # The above will set <tt>Cache-Control: public, no-cache</tt> in the response.
241
219
  #
242
- # When rendering a different template than the default controller/action
243
- # style, you can indicate which digest to include in the ETag:
220
+ # When rendering a different template than the controller/action's default
221
+ # template, you can indicate which digest to include in the ETag:
244
222
  #
245
223
  # def show
246
- # super if stale? @article, template: 'widgets/show'
224
+ # super if stale?(@article, template: "widgets/show")
247
225
  # end
248
226
  #
249
227
  def stale?(object = nil, **freshness_kwargs)
@@ -251,28 +229,48 @@ module ActionController
251
229
  !request.fresh?(response)
252
230
  end
253
231
 
254
- # Sets an HTTP 1.1 Cache-Control header. Defaults to issuing a +private+
255
- # instruction, so that intermediate caches must not cache the response.
232
+ # Sets the +Cache-Control+ header, overwriting existing directives. This
233
+ # method will also ensure an HTTP +Date+ header for client compatibility.
234
+ #
235
+ # Defaults to issuing the +private+ directive, so that intermediate caches
236
+ # must not cache the response.
237
+ #
238
+ # ==== Options
239
+ #
240
+ # [+:public+]
241
+ # If true, replaces the default +private+ directive with the +public+
242
+ # directive.
243
+ # [+:must_revalidate+]
244
+ # If true, adds the +must-revalidate+ directive.
245
+ # [+:stale_while_revalidate+]
246
+ # Sets the value of the +stale-while-revalidate+ directive.
247
+ # [+:stale_if_error+]
248
+ # Sets the value of the +stale-if-error+ directive.
249
+ #
250
+ # Any additional key-value pairs are concatenated as directives. For a list
251
+ # of supported +Cache-Control+ directives, see the {article on
252
+ # MDN}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control].
253
+ #
254
+ # ==== Examples
256
255
  #
257
- # expires_in 20.minutes
258
- # expires_in 3.hours, public: true
259
- # expires_in 3.hours, public: true, must_revalidate: true
256
+ # expires_in 10.minutes
257
+ # # => Cache-Control: max-age=600, private
260
258
  #
261
- # This method will overwrite an existing Cache-Control header.
262
- # See https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
259
+ # expires_in 10.minutes, public: true
260
+ # # => Cache-Control: max-age=600, public
263
261
  #
264
- # HTTP Cache-Control Extensions for Stale Content. See https://tools.ietf.org/html/rfc5861
265
- # It helps to cache an asset and serve it while is being revalidated and/or returning with an error.
262
+ # expires_in 10.minutes, public: true, must_revalidate: true
263
+ # # => Cache-Control: max-age=600, public, must-revalidate
266
264
  #
267
- # expires_in 3.hours, public: true, stale_while_revalidate: 60.seconds
268
- # expires_in 3.hours, public: true, stale_while_revalidate: 60.seconds, stale_if_error: 5.minutes
265
+ # expires_in 1.hour, stale_while_revalidate: 60.seconds
266
+ # # => Cache-Control: max-age=3600, private, stale-while-revalidate=60
269
267
  #
270
- # HTTP Cache-Control Extensions other values: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
271
- # Any additional key-value pairs are concatenated onto the Cache-Control header in the response:
268
+ # expires_in 1.hour, stale_if_error: 5.minutes
269
+ # # => Cache-Control: max-age=3600, private, stale-if-error=300
272
270
  #
273
- # expires_in 3.hours, public: true, "s-maxage": 3.hours, "no-transform": true
271
+ # expires_in 1.hour, public: true, "s-maxage": 3.hours, "no-transform": true
272
+ # # => Cache-Control: max-age=3600, public, s-maxage=10800, no-transform=true
274
273
  #
275
- # The method will also ensure an HTTP Date header for client compatibility.
276
274
  def expires_in(seconds, options = {})
277
275
  response.cache_control.delete(:no_store)
278
276
  response.cache_control.merge!(
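Review bot: the last example's output, `Cache-Control: max-age=3600, public, s-maxage=10800, no-transform=true`, documents a non-standard form: `no-transform` is a flag directive that takes no argument in RFC 9111, so `no-transform=true` is either what the code really emits for a `true` extra (in which case the doc is faithful but teaches a form that intermediaries may ignore) or a typo in the example. Either pick an extra that takes a value for the example or state how boolean extras are serialized. Also, the new first paragraph says the method sets the header `overwriting existing directives`, while the visible body uses `response.cache_control.merge!`, which replaces only the listed keys; `overwriting the directives it sets` would be more precise.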
@@ -288,7 +286,7 @@ module ActionController
288
286
  response.date = Time.now unless response.date?
289
287
  end
290
288
 
291
- # Sets an HTTP 1.1 Cache-Control header of <tt>no-cache</tt>. This means the
289
+ # Sets an HTTP 1.1 +Cache-Control+ header of <tt>no-cache</tt>. This means the
292
290
  # resource will be marked as stale, so clients must always revalidate.
293
291
  # Intermediate/browser caches may still store the asset.
294
292
  def expires_now
@@ -311,7 +309,7 @@ module ActionController
311
309
  public: public)
312
310
  end
313
311
 
314
- # Sets an HTTP 1.1 Cache-Control header of <tt>no-store</tt>. This means the
312
+ # Sets an HTTP 1.1 +Cache-Control+ header of <tt>no-store</tt>. This means the
315
313
  # resource may not be stored in any cache.
316
314
  def no_store
317
315
  response.cache_control.replace(no_store: true)
@@ -13,7 +13,7 @@ module ActionController # :nodoc:
13
13
  end
14
14
 
15
15
  module ClassMethods
16
- # Overrides parts of the globally configured Content-Security-Policy
16
+ # Overrides parts of the globally configured +Content-Security-Policy+
17
17
  # header:
18
18
  #
19
19
  # class PostsController < ApplicationController
@@ -31,7 +31,7 @@ module ActionController # :nodoc:
31
31
  # end
32
32
  # end
33
33
  #
34
- # Pass +false+ to remove the Content-Security-Policy header:
34
+ # Pass +false+ to remove the +Content-Security-Policy+ header:
35
35
  #
36
36
  # class PostsController < ApplicationController
37
37
  # content_security_policy false, only: :index
@@ -50,14 +50,14 @@ module ActionController # :nodoc:
50
50
  end
51
51
  end
52
52
 
53
- # Overrides the globally configured Content-Security-Policy-Report-Only
53
+ # Overrides the globally configured +Content-Security-Policy-Report-Only+
54
54
  # header:
55
55
  #
56
56
  # class PostsController < ApplicationController
57
57
  # content_security_policy_report_only only: :index
58
58
  # end
59
59
  #
60
- # Pass +false+ to remove the Content-Security-Policy-Report-Only header:
60
+ # Pass +false+ to remove the +Content-Security-Policy-Report-Only+ header:
61
61
  #
62
62
  # class PostsController < ApplicationController
63
63
  # content_security_policy_report_only false, only: :index
@@ -15,10 +15,10 @@ module ActionController # :nodoc:
15
15
  DEFAULT_SEND_FILE_DISPOSITION = "attachment" # :nodoc:
16
16
 
17
17
  private
18
- # Sends the file. This uses a server-appropriate method (such as X-Sendfile)
19
- # via the Rack::Sendfile middleware. The header to use is set via
18
+ # Sends the file. This uses a server-appropriate method (such as +X-Sendfile+)
19
+ # via the +Rack::Sendfile+ middleware. The header to use is set via
20
20
  # +config.action_dispatch.x_sendfile_header+.
21
- # Your server can also configure this for you by setting the X-Sendfile-Type header.
21
+ # Your server can also configure this for you by setting the +X-Sendfile-Type+ header.
22
22
  #
23
23
  # Be careful to sanitize the path parameter if it is coming from a web
24
24
  # page. <tt>send_file(params[:path])</tt> allows a malicious user to
@@ -28,17 +28,17 @@ module ActionController # :nodoc:
28
28
  # * <tt>:filename</tt> - suggests a filename for the browser to use.
29
29
  # Defaults to <tt>File.basename(path)</tt>.
30
30
  # * <tt>:type</tt> - specifies an HTTP content type.
31
- # You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example :json.
31
+ # You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example +:json+.
32
32
  # If omitted, the type will be inferred from the file extension specified in <tt>:filename</tt>.
33
- # If no content type is registered for the extension, the default type 'application/octet-stream' will be used.
33
+ # If no content type is registered for the extension, the default type +application/octet-stream+ will be used.
34
34
  # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
35
- # Valid values are 'inline' and 'attachment' (default).
35
+ # Valid values are <tt>"inline"</tt> and <tt>"attachment"</tt> (default).
36
36
  # * <tt>:status</tt> - specifies the status code to send with the response. Defaults to 200.
37
37
  # * <tt>:url_based_filename</tt> - set to +true+ if you want the browser to guess the filename from
38
38
  # the URL, which is necessary for i18n filenames on certain browsers
39
39
  # (setting <tt>:filename</tt> overrides this option).
40
40
  #
41
- # The default Content-Type and Content-Disposition headers are
41
+ # The default +Content-Type+ and +Content-Disposition+ headers are
42
42
  # set to download arbitrary binary files in as many browsers as
43
43
  # possible. IE versions 4, 5, 5.5, and 6 are all known to have
44
44
  # a variety of quirks (especially when downloading over SSL).
@@ -55,17 +55,17 @@ module ActionController # :nodoc:
55
55
  #
56
56
  # send_file '/path/to/404.html', type: 'text/html; charset=utf-8', disposition: 'inline', status: 404
57
57
  #
58
- # Read about the other Content-* HTTP headers if you'd like to
59
- # provide the user with more information (such as Content-Description) in
60
- # https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11.
58
+ # You can use other <tt>Content-*</tt> HTTP headers to provide additional
59
+ # information to the client. See MDN for a
60
+ # {list of HTTP headers}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers].
61
61
  #
62
62
  # Also be aware that the document may be cached by proxies and browsers.
63
- # The Pragma and Cache-Control headers declare how the file may be cached
63
+ # The +Pragma+ and +Cache-Control+ headers declare how the file may be cached
64
64
  # by intermediaries. They default to require clients to validate with
65
65
  # the server before releasing cached responses. See
66
66
  # https://www.mnot.net/cache_docs/ for an overview of web caching and
67
- # https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9
68
- # for the Cache-Control header spec.
67
+ # {RFC 9111}[https://www.rfc-editor.org/rfc/rfc9111.html#name-cache-control]
68
+ # for the +Cache-Control+ header spec.
69
69
  def send_file(path, options = {}) # :doc:
70
70
  raise MissingFile, "Cannot read file #{path}" unless File.file?(path) && File.readable?(path)
71
71
 
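Review bot: while this hunk replaces the RFC 2616 reference with RFC 9111, the sentence `The +Pragma+ and +Cache-Control+ headers declare how the file may be cached by intermediaries` still presents `Pragma` as a live mechanism; RFC 9111 (section 5.4) deprecates `Pragma` in favour of `Cache-Control`, so either drop `Pragma` here or note that it only matters for legacy HTTP/1.0 caches, otherwise readers may keep relying on it for cache control of downloads.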
@@ -85,12 +85,12 @@ module ActionController # :nodoc:
85
85
  #
86
86
  # Options:
87
87
  # * <tt>:filename</tt> - suggests a filename for the browser to use.
88
- # * <tt>:type</tt> - specifies an HTTP content type. Defaults to 'application/octet-stream'.
89
- # You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example :json.
88
+ # * <tt>:type</tt> - specifies an HTTP content type. Defaults to +application/octet-stream+.
89
+ # You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example +:json+.
90
90
  # If omitted, type will be inferred from the file extension specified in <tt>:filename</tt>.
91
- # If no content type is registered for the extension, the default type 'application/octet-stream' will be used.
91
+ # If no content type is registered for the extension, the default type +application/octet-stream+ will be used.
92
92
  # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
93
- # Valid values are 'inline' and 'attachment' (default).
93
+ # Valid values are <tt>"inline"</tt> and <tt>"attachment"</tt> (default).
94
94
  # * <tt>:status</tt> - specifies the status code to send with the response. Defaults to 200.
95
95
  #
96
96
  # Generic data download:
@@ -105,7 +105,7 @@ module ActionController # :nodoc:
105
105
  #
106
106
  # send_data image.data, type: image.content_type, disposition: 'inline'
107
107
  #
108
- # See +send_file+ for more information on HTTP Content-* headers and caching.
108
+ # See +send_file+ for more information on HTTP <tt>Content-*</tt> headers and caching.
109
109
  def send_data(data, options = {}) # :doc:
110
110
  send_file_headers! options
111
111
  render options.slice(:status, :content_type).merge(body: data)