actionpack 7.0.8 → 7.1.0

data/CHANGELOG.md

@@ -1,591 +1,542 @@
-## Rails 7.0.8 (September 09, 2023) ##
-
-*   Fix `HostAuthorization` potentially displaying the value of the
-    X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
-
-    *Hartley McGuire*, *Daniel Schlosser*
-
-
-## Rails 7.0.7.2 (August 22, 2023) ##
-
-*   No changes.
-
-
-## Rails 7.0.7.1 (August 22, 2023) ##
-
-*   No changes.
-
-
-## Rails 7.0.7 (August 09, 2023) ##
+## Rails 7.1.0 (October 05, 2023) ##
 
 *   No changes.
 
 
-## Rails 7.0.6 (June 29, 2023) ##
+## Rails 7.1.0.rc2 (October 01, 2023) ##
 
 *   No changes.
 
 
-## Rails 7.0.5.1 (June 26, 2023) ##
+## Rails 7.1.0.rc1 (September 27, 2023) ##
 
-*   Raise an exception if illegal characters are provide to redirect_to
-    [CVE-2023-28362]
+*   Add support for `#deep_merge` and `#deep_merge!` to
+    `ActionController::Parameters`.
 
-    *Zack Deveau*
+    *Sean Doyle*
 
-## Rails 7.0.5 (May 24, 2023) ##
 
-*   Do not return CSP headers for 304 Not Modified responses.
+## Rails 7.1.0.beta1 (September 13, 2023) ##
 
-    *Tobias Kraze*
+*   `AbstractController::Translation.raise_on_missing_translations` removed
 
-*   Fix `EtagWithFlash` when there is no `Flash` middleware available.
-
-    *fatkodima*
-
-*   Fix content-type header with `send_stream`.
-
-    *Elliot Crosby-McCullough*
-
-*   Address Selenium `:capabilities` deprecation warning.
-
-    *Ron Shinall*
-
-*   Fix cookie domain for domain: all on two letter single level TLD.
-
-    *John Hawthorn*
-
-*   Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
-
-    Previously if you set `config.active_record.query_log_tags` to an array that included
-    `:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
-    This bug has been fixed.
+    This was a private API, and has been removed in favour of a more broadly applicable
+    `config.i18n.raise_on_missing_translations`. See the upgrading guide for more information.
 
     *Alex Ghiculescu*
 
-*   Rescue `EOFError` exception from `rack` on a multipart request.
-
-    *Nikita Vasilevsky*
-
-*   Rescue `JSON::ParserError` in Cookies json deserializer to discards marshal dumps:
-
-    Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and
-    the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't
-    clear the cookie and force app users to manually clear it in their browser.
+*   Add `ActionController::Parameters#extract_value` method to allow extracting serialized values from params
 
-    (See #45127 for original bug discussion)
-
-    *Nathan Bardoux*
-
-## Rails 7.0.4.3 (March 13, 2023) ##
-
-*   No changes.
+    ```ruby
+    params = ActionController::Parameters.new(id: "1_123", tags: "ruby,rails")
+    params.extract_value(:id) # => ["1", "123"]
+    params.extract_value(:tags, delimiter: ",") # => ["ruby", "rails"]
+    ```
 
+    *Nikita Vasilevsky*
 
-## Rails 7.0.4.2 (January 24, 2023) ##
+*   Parse JSON `response.parsed_body` with `ActiveSupport::HashWithIndifferentAccess`
 
-*   Fix `domain: :all` for two letter TLD
+    Integrate with Minitest's new `assert_pattern` by parsing the JSON contents
+    of `response.parsed_body` with `ActiveSupport::HashWithIndifferentAccess`, so
+    that it's pattern-matching compatible.
 
-    This fixes a compatibility issue introduced in our previous security
-    release when using `domain: :all` with a two letter but single level top
-    level domain domain (like `.ca`, rather than `.co.uk`).
+    *Sean Doyle*
 
+*   Add support for Playwright as a driver for system tests.
 
-## Rails 7.0.4.1 (January 17, 2023) ##
+    *Yuki Nishijima*
 
-*   Fix sec issue with _url_host_allowed?
+*   Fix `HostAuthorization` potentially displaying the value of the
+    X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
 
-    Disallow certain strings from `_url_host_allowed?` to avoid a redirect
-    to malicious sites.
+    *Hartley McGuire*, *Daniel Schlosser*
 
-    [CVE-2023-22797]
+*   Rename `fixture_file_upload` method to `file_fixture_upload`
 
-*   Avoid regex backtracking on If-None-Match header
+    Declare an alias to preserve the backwards compatibility of `fixture_file_upload`
 
-    [CVE-2023-22795]
+    *Sean Doyle*
 
-*   Use string#split instead of regex for domain parts
+*   `ActionDispatch::SystemTesting::TestHelpers::ScreenshotHelper` saves the screenshot path in test metadata on failure.
 
-    [CVE-2023-22792]
+    *Matija Čupić*
 
-## Rails 7.0.4 (September 09, 2022) ##
+*   `config.dom_testing_default_html_version` controls the HTML parser used by
+    `ActionDispatch::Assertions#html_document`.
 
-*   Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
+    The Rails 7.1 default configuration opts into the HTML5 parser when it is supported, to better
+    represent what the DOM would be in a browser user agent. Previously this test helper always used
+    Nokogiri's HTML4 parser.
 
-    Previously, if another middleware down the chain set `Server-Timing` header,
-    it would overwritten by `ActionDispatch::ServerTiming`.
+    *Mike Dalessio*
 
-    *Jakub Malinowski*
+*   The `with_routing` helper can now be called at the class level. When called at the class level, the routes will
+    be setup before each test, and reset after every test. For example:
 
+    ```ruby
+    class RoutingTest < ActionController::TestCase
+      with_routing do |routes|
+        routes.draw do
+          resources :articles
+          resources :authors
+        end
+      end
 
-## Rails 7.0.3.1 (July 12, 2022) ##
+      def test_articles_route
+        assert_routing("/articles", controller: "articles", action: "index")
+      end
 
-*   No changes.
+       def test_authors_route
+        assert_routing("/authors", controller: "authors", action: "index")
+      end
+    end
+    ```
 
+    *Andrew Novoselac*
 
-## Rails 7.0.3 (May 09, 2022) ##
+*   The `Mime::Type` now supports handling types with parameters and correctly handles quotes.
+    When parsing the accept header, the parameters before the q-parameter are kept and if a matching mime-type exists it is used.
+    To keep the current functionality, a fallback is created to look for the media-type without the parameters.
 
-*   Allow relative redirects when `raise_on_open_redirects` is enabled.
+    This change allows for custom MIME-types that are more complex like `application/vnd.api+json; profile="https://jsonapi.org/profiles/ethanresnick/cursor-pagination/" ext="https://jsonapi.org/ext/atomic"` for the [JSON API](https://jsonapi.org/).
 
-    *Tom Hughes*
+    *Nicolas Erni*
 
-*   Fix `authenticate_with_http_basic` to allow for missing password.
+*   The url_for helpers now support a new option called `path_params`.
+    This is very useful in situations where you only want to add a required param that is part of the route's URL but for other route not append an extraneous query param.
 
-    Before Rails 7.0 it was possible to handle basic authentication with only a username.
+    Given the following router...
 
     ```ruby
-    authenticate_with_http_basic do |token, _|
-      ApiClient.authenticate(token)
+    Rails.application.routes.draw do
+      scope ":account_id" do
+        get "dashboard" => "pages#dashboard", as: :dashboard
+        get "search/:term" => "search#search", as: :search
+      end
+      delete "signout" => "sessions#destroy", as: :signout
     end
     ```
 
-    This ability is restored.
-
-    *Jean Boussier*
-
-*   Fix `content_security_policy` returning invalid directives.
-
-    Directives such as `self`, `unsafe-eval` and few others were not
-    single quoted when the directive was the result of calling a lambda
-    returning an array.
+    And given the following `ApplicationController`
 
     ```ruby
-    content_security_policy do |policy|
-      policy.frame_ancestors lambda { [:self, "https://example.com"] }
+    class ApplicationController < ActionController::Base
+      def default_url_options
+        { path_params: { account_id: "foo" } }
+      end
     end
     ```
 
-    With this fix the policy generated from above will now be valid.
-
-    *Edouard Chin*
-
-*   Fix `skip_forgery_protection` to run without raising an error if forgery
-    protection has not been enabled / `verify_authenticity_token` is not a
-    defined callback.
-
-    This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
-    `ArgumentError` if `default_protect_from_forgery` is false.
-
-    *Brad Trick*
-
-*   Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
-
-    Since its inception `ActionController::Live` has been copying thread local variables
-    to keep things such as `CurrentAttributes` set from middlewares working in the controller action.
-
-    With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
-    `ActionController::Live` controllers.
-
-    *Jean Boussier*
-
-*   Fix setting `trailing_slash: true` in route definition.
+    The standard url_for helper and friends will now behave as follows:
 
     ```ruby
-    get '/test' => "test#index", as: :test, trailing_slash: true
+    dashboard_path # => /foo/dashboard
+    dashboard_path(account_id: "bar") # => /bar/dashboard
 
-    test_path() # => "/test/"
+    signout_path # => /signout
+    signout_path(account_id: "bar") # => /signout?account_id=bar
+    signout_path(account_id: "bar", path_params: { account_id: "baz" }) # => /signout?account_id=bar
+    search_path("quin") # => /foo/search/quin
     ```
 
-    *Jean Boussier*
-
-## Rails 7.0.2.4 (April 26, 2022) ##
-
-*   Allow Content Security Policy DSL to generate for API responses.
-
-    *Tim Wade*
-
-## Rails 7.0.2.3 (March 08, 2022) ##
+    *Jason Meller, Jeremy Beker*
 
-*   No changes.
+*   Change `action_dispatch.show_exceptions` to one of `:all`, `:rescuable`, or
+    `:none`. `:all` and `:none` behave the same as the previous `true` and
+    `false` respectively. The new `:rescuable` option will only show exceptions
+    that can be rescued (e.g. `ActiveRecord::RecordNotFound`). `:rescuable` is
+    now the default for the test environment.
 
+    *Jon Dufresne*
 
-## Rails 7.0.2.2 (February 11, 2022) ##
+*   `config.action_dispatch.cookies_serializer` now accepts `:message_pack` and
+    `:message_pack_allow_marshal` as serializers. These serializers require the
+    [`msgpack` gem](https://rubygems.org/gems/msgpack) (>= 1.7.0).
 
-*   No changes.
+    The Message Pack format can provide improved performance and smaller payload
+    sizes. It also supports roundtripping some Ruby types that are not supported
+    by JSON. For example:
 
+      ```ruby
+      cookies.encrypted[:foo] = [{ a: 1 }, { b: 2 }.with_indifferent_access, 1.to_d, Time.at(0, 123)]
 
-## Rails 7.0.2.1 (February 11, 2022) ##
+      # BEFORE with config.action_dispatch.cookies_serializer = :json
+      cookies.encrypted[:foo]
+      # => [{"a"=>1}, {"b"=>2}, "1.0", "1969-12-31T18:00:00.000-06:00"]
+      cookies.encrypted[:foo].map(&:class)
+      # => [Hash, Hash, String, String]
 
-*   Under certain circumstances, the middleware isn't informed that the
-    response body has been fully closed which result in request state not
-    being fully reset before the next request
+      # AFTER with config.action_dispatch.cookies_serializer = :message_pack
+      cookies.encrypted[:foo]
+      # => [{:a=>1}, {"b"=>2}, 0.1e1, 1969-12-31 18:00:00.000123 -0600]
+      cookies.encrypted[:foo].map(&:class)
+      # => [Hash, ActiveSupport::HashWithIndifferentAccess, BigDecimal, Time]
+      ```
 
-    [CVE-2022-23633]
+    The `:message_pack` serializer can fall back to deserializing with
+    `ActiveSupport::JSON` when necessary, and the `:message_pack_allow_marshal`
+    serializer can fall back to deserializing with `Marshal` as well as
+    `ActiveSupport::JSON`. Additionally, the `:marshal`, `:json`, and
+    `:json_allow_marshal` (AKA `:hybrid`) serializers can now fall back to
+    deserializing with `ActiveSupport::MessagePack` when necessary. These
+    behaviors ensure old cookies can still be read so that migration is easier.
 
+    *Jonathan Hefner*
 
-## Rails 7.0.2 (February 08, 2022) ##
-
-*   No changes.
-
+*   Remove leading dot from domains on cookies set with `domain: :all`, to meet RFC6265 requirements
 
-## Rails 7.0.1 (January 06, 2022) ##
+    *Gareth Adams*
 
-*   Fix `ActionController::Parameters` methods to keep the original logger context when creating a new copy
-    of the original object.
+*   Include source location in routes extended view.
 
-    *Yutaka Kamei*
+    ```bash
+    $ bin/rails routes --expanded
 
+    ...
+    --[ Route 14 ]----------
+    Prefix            | new_gist
+    Verb              | GET
+    URI               | /gist(.:format)
+    Controller#Action | gists/gists#new
+    Source Location   | config/routes/gist.rb:3
+    ```
 
-## Rails 7.0.0 (December 15, 2021) ##
-
-*   Deprecate `Rails.application.config.action_controller.urlsafe_csrf_tokens`. This config is now always enabled.
-
-    *Étienne Barrié*
-
-*   Instance variables set in requests in a `ActionController::TestCase` are now cleared before the next request
-
-    This means if you make multiple requests in the same test, instance variables set in the first request will
-    not persist into the second one. (It's not recommended to make multiple requests in the same test.)
-
-    *Alex Ghiculescu*
-
-
-## Rails 7.0.0.rc3 (December 14, 2021) ##
-
-*   No changes.
-
-
-## Rails 7.0.0.rc2 (December 14, 2021) ##
-
-*   Fix X_FORWARDED_HOST protection.  [CVE-2021-44528]
-
-
-## Rails 7.0.0.rc1 (December 06, 2021) ##
-
-*   `Rails.application.executor` hooks can now be called around every request in a `ActionController::TestCase`
-
-    This helps to better simulate request or job local state being reset between requests and prevent state
-    leaking from one request to another.
-
-    To enable this, set `config.active_support.executor_around_test_case = true` (this is the default in Rails 7).
-
-    *Alex Ghiculescu*
+    *Luan Vieira, John Hawthorn and Daniel Colson*
 
-*   Consider onion services secure for cookies.
+*   Add `without` as an alias of `except` on `ActiveController::Parameters`.
 
-    *Justin Tracey*
+    *Hidde-Jan Jongsma*
 
-*   Remove deprecated `Rails.config.action_view.raise_on_missing_translations`.
+*   Expand search field on `rails/info/routes` to also search **route name**, **http verb** and **controller#action**.
 
-    *Rafael Mendonça França*
+    *Jason Kotchoff*
 
-*   Remove deprecated support to passing a path to `fixture_file_upload` relative to `fixture_path`.
+*   Remove deprecated `poltergeist` and `webkit` (capybara-webkit) driver registration for system testing.
 
     *Rafael Mendonça França*
 
-*   Remove deprecated `ActionDispatch::SystemTestCase#host!`.
+*   Remove deprecated ability to assign a single value to `config.action_dispatch.trusted_proxies`.
 
     *Rafael Mendonça França*
 
-*   Remove deprecated `Rails.config.action_dispatch.hosts_response_app`.
+*   Deprecate `config.action_dispatch.return_only_request_media_type_on_content_type`.
 
     *Rafael Mendonça França*
 
-*   Remove deprecated `ActionDispatch::Response.return_only_media_type_on_content_type`.
+*   Remove deprecated behavior on `Request#content_type`.
 
     *Rafael Mendonça França*
 
-*   Raise `ActionController::Redirecting::UnsafeRedirectError` for unsafe `redirect_to` redirects.
-
-    This allows `rescue_from` to be used to add a default fallback route:
+*   Change `ActionController::Instrumentation` to pass `filtered_path` instead of `fullpath` in the event payload to filter sensitive query params
 
     ```ruby
-    rescue_from ActionController::Redirecting::UnsafeRedirectError do
-      redirect_to root_url
-    end
+    get "/posts?password=test"
+    request.fullpath         # => "/posts?password=test"
+    request.filtered_path    # => "/posts?password=[FILTERED]"
     ```
 
-    *Kasper Timm Hansen*, *Chris Oliver*
+    *Ritikesh G*
 
-*   Add `url_from` to verify a redirect location is internal.
+*   Deprecate `AbstractController::Helpers::MissingHelperError`
 
-    Takes the open redirect protection from `redirect_to` so users can wrap a
-    param, and fall back to an alternate redirect URL when the param provided
-    one is unsafe.
+    *Hartley McGuire*
+
+*   Change `ActionDispatch::Testing::TestResponse#parsed_body` to parse HTML as
+    a Nokogiri document
 
     ```ruby
-    def create
-      redirect_to url_from(params[:redirect_url]) || root_url
-    end
+    get "/posts"
+    response.content_type         # => "text/html; charset=utf-8"
+    response.parsed_body.class    # => Nokogiri::HTML5::Document
+    response.parsed_body.to_html  # => "<!DOCTYPE html>\n<html>\n..."
     ```
 
-    *dmcge*, *Kasper Timm Hansen*
+    *Sean Doyle*
 
-*   Allow Capybara driver name overrides in `SystemTestCase::driven_by`
+*   Deprecate `ActionDispatch::IllegalStateError`.
 
-    Allow users to prevent conflicts among drivers that use the same driver
-    type (selenium, poltergeist, webkit, rack test).
+    *Samuel Williams*
 
-    Fixes #42502
+*   Add HTTP::Request#route_uri_pattern that returns URI pattern of matched route.
 
-    *Chris LaRose*
+    *Joel Hawksley*, *Kate Higa*
 
-*   Allow multiline to be passed in routes when using wildcard segments.
-
-    Previously routes with newlines weren't detected when using wildcard segments, returning
-    a `No route matches` error.
-    After this change, routes with newlines are detected on wildcard segments. Example
-
-    ```ruby
-      draw do
-        get "/wildcard/*wildcard_segment", to: SimpleApp.new("foo#index"), as: :wildcard
-      end
+*   Add `ActionDispatch::AssumeSSL` middleware that can be turned on via `config.assume_ssl`.
+    It makes the application believe that all requests are arriving over SSL. This is useful
+    when proxying through a load balancer that terminates SSL, the forwarded request will appear
+    as though its HTTP instead of HTTPS to the application. This makes redirects and cookie
+    security target HTTP instead of HTTPS. This middleware makes the server assume that the
+    proxy already terminated SSL, and that the request really is HTTPS.
 
-      # After the change, the path matches.
-      assert_equal "/wildcard/a%0Anewline", url_helpers.wildcard_path(wildcard_segment: "a\nnewline")
-    ```
+    *DHH*
 
-    Fixes #39103
+*   Only use HostAuthorization middleware if `config.hosts` is not empty
 
-    *Ignacio Chiazzo*
+    *Hartley McGuire*
 
-*   Treat html suffix in controller translation.
+*   Allow raising an error when a callback's only/unless symbols aren't existing methods.
 
-    *Rui Onodera*, *Gavin Miller*
+    When `before_action :callback, only: :action_name` is declared on a controller that doesn't respond to `action_name`, raise an exception at request time. This is a safety measure to ensure that typos or forgetfulness don't prevent a crucial callback from being run when it should.
 
-*   Allow permitting numeric params.
+    For new applications, raising an error for undefined actions is turned on by default. If you do not want to opt-in to this behavior set `config.action_pack.raise_on_missing_callback_actions` to `false` in your application configuration. See #43487 for more details.
 
-    Previously it was impossible to permit different fields on numeric parameters.
-    After this change you can specify different fields for each numbered parameter.
-    For example params like,
-    ```ruby
-    book: {
-            authors_attributes: {
-              '0': { name: "William Shakespeare", age_of_death: "52" },
-              '1': { name: "Unattributed Assistant" },
-              '2': "Not a hash",
-              'new_record': { name: "Some name" }
-            }
-          }
-    ```
+    *Jess Bees*
 
-    Before you could permit name on each author with,
-    `permit book: { authors_attributes: [ :name ] }`
+*   Allow cookie options[:domain] to accept a proc to set the cookie domain on a more flexible per-request basis
 
-    After this change you can permit different keys on each numbered element,
-    `permit book: { authors_attributes: { '1': [ :name ], '0': [ :name, :age_of_death ] } }`
+    *RobL*
 
-    Fixes #41625
+*   When a host is not specified for an `ActionController::Renderer`'s env,
+    the host and related options will now be derived from the routes'
+    `default_url_options` and `ActionDispatch::Http::URL.secure_protocol`.
 
-    *Adam Hess*
+    This means that for an application with a configuration like:
 
-*   Update `HostAuthorization` middleware to render debug info only
-    when `config.consider_all_requests_local` is set to true.
+      ```ruby
+      Rails.application.default_url_options = { host: "rubyonrails.org" }
+      Rails.application.config.force_ssl = true
+      ```
 
-    Also, blocked host info is always logged with level `error`.
+    rendering a URL like:
 
-    Fixes #42813
+      ```ruby
+      ApplicationController.renderer.render inline: "<%= blog_url %>"
+      ```
 
-    *Nikita Vyrko*
+    will now return `"https://rubyonrails.org/blog"` instead of
+    `"http://example.org/blog"`.
 
-*  Add Server-Timing middleware
+    *Jonathan Hefner*
 
-   Server-Timing specification defines how the server can communicate to browsers performance metrics
-   about the request it is responding to.
+*   Add details of cookie name and size to `CookieOverflow` exception.
 
-   The ServerTiming middleware is enabled by default on `development` environment by default using the
-   `config.server_timing` setting and set the relevant duration metrics in the `Server-Timing` header
+    *Andy Waite*
 
-   The full specification for Server-Timing header can be found in: https://www.w3.org/TR/server-timing/#dfn-server-timing-header-field
+*   Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
 
-   *Sebastian Sogamoso*, *Guillermo Iguaran*
+    Previously if you set `config.active_record.query_log_tags` to an array that included
+    `:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
+    This bug has been fixed.
 
+    *Alex Ghiculescu*
 
-## Rails 7.0.0.alpha2 (September 15, 2021) ##
+*   Add the following permissions policy directives: `hid`, `idle-detection`, `screen-wake-lock`,
+    `serial`, `sync-xhr`, `web-share`.
 
-*   No changes.
+    *Guillaume Cabanel*
 
+*   The `speaker`, `vibrate`, and `vr` permissions policy directives are now
+    deprecated.
 
-## Rails 7.0.0.alpha1 (September 15, 2021) ##
+    There is no browser support for these directives, and no plan for browser
+    support in the future. You can just remove these directives from your
+    application.
 
-*   Use a static error message when raising `ActionDispatch::Http::Parameters::ParseError`
-    to avoid inadvertently logging the HTTP request body at the `fatal` level when it contains
-    malformed JSON.
+    *Jonathan Hefner*
 
-    Fixes #41145
+*   Added the `:status` option to `assert_redirected_to` to specify the precise
+    HTTP status of the redirect. Defaults to `:redirect` for backwards
+    compatibility.
 
-    *Aaron Lahey*
+    *Jon Dufresne*
 
-*   Add `Middleware#delete!` to delete middleware or raise if not found.
+*   Rescue `JSON::ParserError` in Cookies JSON deserializer to discards marshal dumps:
 
-    `Middleware#delete!` works just like `Middleware#delete` but will
-    raise an error if the middleware isn't found.
+    Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and
+    the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't
+    clear the cookie and force app users to manually clear it in their browser.
 
-    *Alex Ghiculescu*, *Petrik de Heus*, *Junichi Sato*
+    (See #45127 for original bug discussion)
 
-*   Raise error on unpermitted open redirects.
+    *Nathan Bardoux*
 
-    Add `allow_other_host` options to `redirect_to`.
-    Opt in to this behaviour with `ActionController::Base.raise_on_open_redirects = true`.
+*   Add `HTTP_REFERER` when following redirects on integration tests
 
-    *Gannon McGibbon*
+    This makes `follow_redirect!` a closer simulation of what happens in a real browser
 
-*   Deprecate `poltergeist` and `webkit` (capybara-webkit) driver registration for system testing (they will be removed in Rails 7.1). Add `cuprite` instead.
+    *Felipe Sateler*
 
-    [Poltergeist](https://github.com/teampoltergeist/poltergeist) and [capybara-webkit](https://github.com/thoughtbot/capybara-webkit) are already not maintained. These usage in Rails are removed for avoiding confusing users.
+*   Added `exclude?` method to `ActionController::Parameters`.
 
-    [Cuprite](https://github.com/rubycdp/cuprite) is a good alternative to Poltergeist. Some guide descriptions are replaced from Poltergeist to Cuprite.
+    *Ian Neubert*
 
-    *Yusuke Iwaki*
+*   Rescue `EOFError` exception from `rack` on a multipart request.
 
-*   Exclude additional flash types from `ActionController::Base.action_methods`.
+    *Nikita Vasilevsky*
 
-    Ensures that additional flash types defined on ActionController::Base subclasses
-    are not listed as actions on that controller.
+*   Log redirects from routes the same way as redirects from controllers.
 
-        class MyController < ApplicationController
-          add_flash_types :hype
-        end
+    *Dennis Paagman*
 
-        MyController.action_methods.include?('hype') # => false
+*   Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
+    Previously, if another middleware down the chain set `Server-Timing` header,
+    it would overwritten by `ActionDispatch::ServerTiming`.
 
-    *Gavin Morrice*
+    *Jakub Malinowski*
 
-*   OpenSSL constants are now used for Digest computations.
+*   Allow opting out of the `SameSite` cookie attribute when setting a cookie.
 
-    *Dirkjan Bussink*
+    You can opt out of `SameSite` by passing `same_site: nil`.
 
-*   Remove IE6-7-8 file download related hack/fix from ActionController::DataStreaming module.
+    `cookies[:foo] = { value: "bar", same_site: nil }`
 
-    Due to the age of those versions of IE this fix is no longer relevant, more importantly it creates an edge-case for unexpected Cache-Control headers.
+    Previously, this incorrectly set the `SameSite` attribute to the value of the `cookies_same_site_protection` setting.
 
-    *Tadas Sasnauskas*
+    *Alex Ghiculescu*
 
-*   Configuration setting to skip logging an uncaught exception backtrace when the exception is
-    present in `rescued_responses`.
+*   Allow using `helper_method`s in `content_security_policy` and `permissions_policy`
 
-    It may be too noisy to get all backtraces logged for applications that manage uncaught
-    exceptions via `rescued_responses` and `exceptions_app`.
-    `config.action_dispatch.log_rescued_responses` (defaults to `true`) can be set to `false` in
-    this case, so that only exceptions not found in `rescued_responses` will be logged.
+    Previously you could access basic helpers (defined in helper modules), but not
+    helper methods defined using `helper_method`. Now you can use either.
 
-    *Alexander Azarov*, *Mike Dalessio*
+    ```ruby
+    content_security_policy do |p|
+      p.default_src "https://example.com"
+      p.script_src "https://example.com" if helpers.script_csp?
+    end
+    ```
 
-*   Ignore file fixtures on `db:fixtures:load`.
+    *Alex Ghiculescu*
 
-    *Kevin Sjöberg*
+*   Reimplement `ActionController::Parameters#has_value?` and `#value?` to avoid parameters and hashes comparison.
 
-*   Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
+    Deprecated equality between parameters and hashes is going to be removed in Rails 7.2.
+    The new implementation takes care of conversions.
 
-    *Dylan Thacker-Smith*
+    *Seva Stefkin*
 
-*   New `ActionController::ConditionalGet#no_store` method to set HTTP cache control `no-store` directive.
+*   Allow only String and Symbol keys in `ActionController::Parameters`.
+    Raise `ActionController::InvalidParameterKey` when initializing Parameters
+    with keys that aren't strings or symbols.
 
-    *Tadas Sasnauskas*
+    *Seva Stefkin*
 
-*   Drop support for the `SERVER_ADDR` header.
+*   Add the ability to use custom logic for storing and retrieving CSRF tokens.
 
-    Following up https://github.com/rack/rack/pull/1573 and https://github.com/rails/rails/pull/42349.
+    By default, the token will be stored in the session.  Custom classes can be
+    defined to specify arbitrary behavior, but the ability to store them in
+    encrypted cookies is built in.
 
-    *Ricardo Díaz*
+    *Andrew Kowpak*
 
-*   Set session options when initializing a basic session.
+*   Make ActionController::Parameters#values cast nested hashes into parameters.
 
     *Gannon McGibbon*
 
-*   Add `cache_control: {}` option to `fresh_when` and `stale?`.
+*   Introduce `html:` and `screenshot:` kwargs for system test screenshot helper
 
-    Works as a shortcut to set `response.cache_control` with the above methods.
+    Use these as an alternative to the already-available environment variables.
 
-    *Jacopo Beschi*
+    For example, this will display a screenshot in iTerm, save the HTML, and output
+    its path.
 
-*   Writing into a disabled session will now raise an error.
+    ```ruby
+    take_screenshot(html: true, screenshot: "inline")
+    ```
 
-    Previously when no session store was set, writing into the session would silently fail.
+    *Alex Ghiculescu*
 
-    *Jean Boussier*
+*   Allow `ActionController::Parameters#to_h` to receive a block.
 
-*   Add support for 'require-trusted-types-for' and 'trusted-types' headers.
+    *Bob Farrell*
 
-    Fixes #42034.
+*   Allow relative redirects when `raise_on_open_redirects` is enabled
 
-    *lfalcao*
+    *Tom Hughes*
 
-*   Remove inline styles and address basic accessibility issues on rescue templates.
+*   Allow Content Security Policy DSL to generate for API responses.
 
-    *Jacob Herrington*
+    *Tim Wade*
 
-*   Add support for 'private, no-store' Cache-Control headers.
+*   Fix `authenticate_with_http_basic` to allow for missing password.
 
-    Previously, 'no-store' was exclusive; no other directives could be specified.
+    Before Rails 7.0 it was possible to handle basic authentication with only a username.
 
-    *Alex Smith*
+    ```ruby
+    authenticate_with_http_basic do |token, _|
+      ApiClient.authenticate(token)
+    end
+    ```
 
-*   Expand payload of `unpermitted_parameters.action_controller` instrumentation to allow subscribers to
-    know which controller action received unpermitted parameters.
+    This ability is restored.
 
-    *bbuchalter*
+    *Jean Boussier*
 
-*   Add `ActionController::Live#send_stream` that makes it more convenient to send generated streams:
+*   Fix `content_security_policy` returning invalid directives.
 
-    ```ruby
-    send_stream(filename: "subscribers.csv") do |stream|
-      stream.writeln "email_address,updated_at"
+    Directives such as `self`, `unsafe-eval` and few others were not
+    single quoted when the directive was the result of calling a lambda
+    returning an array.
 
-      @subscribers.find_each do |subscriber|
-        stream.writeln [ subscriber.email_address, subscriber.updated_at ].join(",")
-      end
+    ```ruby
+    content_security_policy do |policy|
+      policy.frame_ancestors lambda { [:self, "https://example.com"] }
     end
     ```
 
-    *DHH*
+    With this fix the policy generated from above will now be valid.
 
-*   Add `ActionController::Live::Buffer#writeln` to write a line to the stream with a newline included.
+    *Edouard Chin*
 
-    *DHH*
+*   Fix `skip_forgery_protection` to run without raising an error if forgery
+    protection has not been enabled / `verify_authenticity_token` is not a
+    defined callback.
 
-*   `ActionDispatch::Request#content_type` now returned Content-Type header as it is.
+    This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
+    `ArgumentError` if `default_protect_from_forgery` is false.
 
-    Previously, `ActionDispatch::Request#content_type` returned value does NOT contain charset part.
-    This behavior changed to returned Content-Type header containing charset part as it is.
+    *Brad Trick*
 
-    If you want just MIME type, please use `ActionDispatch::Request#media_type` instead.
+*   Make `redirect_to` return an empty response body.
 
-    Before:
+    Application controllers that wish to add a response body after calling
+    `redirect_to` can continue to do so.
 
-    ```ruby
-    request = ActionDispatch::Request.new("CONTENT_TYPE" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
-    request.content_type #=> "text/csv"
-    ```
+    *Jon Dufresne*
 
-    After:
+*   Use non-capturing group for subdomain matching in `ActionDispatch::HostAuthorization`
 
-    ```ruby
-    request = ActionDispatch::Request.new("Content-Type" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
-    request.content_type #=> "text/csv; header=present; charset=utf-16"
-    request.media_type   #=> "text/csv"
-    ```
+    Since we do nothing with the captured subdomain group, we can use a non-capturing group instead.
 
-    *Rafael Mendonça França*
+    *Sam Bostock*
 
-*   Change `ActionDispatch::Request#media_type` to return `nil` when the request don't have a `Content-Type` header.
+*   Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
 
-    *Rafael Mendonça França*
+    Since its inception `ActionController::Live` has been copying thread local variables
+    to keep things such as `CurrentAttributes` set from middlewares working in the controller action.
 
-*   Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
+    With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
+    `ActionController::Live` controllers.
 
-    *Janko Marohnić*
+    *Jean Boussier*
 
-*   Allow anything with `#to_str` (like `Addressable::URI`) as a `redirect_to` location.
+*   Fix setting `trailing_slash: true` in route definition.
+
+    ```ruby
+    get '/test' => "test#index", as: :test, trailing_slash: true
 
-    *ojab*
+    test_path() # => "/test/"
+    ```
 
-*   Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
+    *Jean Boussier*
 
-    *Alex Robbin*
+*   Make `Session#merge!` stringify keys.
 
-*   Deprecate the ability to assign a single value to `config.action_dispatch.trusted_proxies`
-    as `RemoteIp` middleware behaves inconsistently depending on whether this is configured
-    with a single value or an enumerable.
+    Previously `Session#update` would, but `merge!` wouldn't.
 
-    Fixes #40772.
+    *Drew Bragg*
 
-    *Christian Sutter*
+*   Add `:unsafe_hashes` mapping for `content_security_policy`
 
-*   Add `redirect_back_or_to(fallback_location, **)` as a more aesthetically pleasing version of `redirect_back fallback_location:, **`.
-    The old method name is retained without explicit deprecation.
+    ```ruby
+    # Before
+    policy.script_src  :strict_dynamic, "'unsafe-hashes'", "'sha256-rRMdkshZyJlCmDX27XnL7g3zXaxv7ei6Sg+yt4R3svU='"
 
-    *DHH*
+    # After
+    policy.script_src  :strict_dynamic, :unsafe_hashes, "'sha256-rRMdkshZyJlCmDX27XnL7g3zXaxv7ei6Sg+yt4R3svU='"
+    ```
 
+    *Igor Morozov*
 
-Please check [6-1-stable](https://github.com/rails/rails/blob/6-1-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md) for previous changes.