actionpack 7.1.6 → 8.1.2

data/CHANGELOG.md

@@ -1,729 +1,504 @@
-## Rails 7.1.6 (October 28, 2025) ##
+## Rails 8.1.2 (January 08, 2026) ##
 
-*   No changes.
+*   Add `config.action_controller.live_streaming_excluded_keys` to control execution state sharing in ActionController::Live.
 
+    When using ActionController::Live, actions are executed in a separate thread that shares
+    state from the parent thread. This new configuration allows applications to opt-out specific
+    state keys that should not be shared.
 
-## Rails 7.1.5.2 (August 13, 2025) ##
-
-*   No changes.
-
-
-## Rails 7.1.5.1 (December 10, 2024) ##
-
-*   Add validation to content security policies to disallow spaces and semicolons.
-    Developers should use multiple arguments, and different directive methods instead.
-
-    [CVE-2024-54133]
-
-    *Gannon McGibbon*
-
-
-## Rails 7.1.5 (October 30, 2024) ##
-
-*   No changes.
-
-
-## Rails 7.1.4.2 (October 23, 2024) ##
-
-*   No changes.
-
-
-## Rails 7.1.4.1 (October 15, 2024) ##
-
-*   Avoid regex backtracking in HTTP Token authentication
-
-    [CVE-2024-47887]
-
-    *John Hawthorn*
-
-*   Avoid regex backtracking in query parameter filtering
-
-    [CVE-2024-41128]
-
-    *John Hawthorn*
-
-## Rails 7.1.4 (August 22, 2024) ##
-
-*   Resolve deprecation warning in latest `selenium-webdriver`.
-
-    *Earlopain*
-
-*   Don't preload Selenium browser when remote.
-
-    *Noah Horton*
-
-*   Fix crash for invalid Content-Type in ShowExceptions middleware.
-
-    *Earlopain*
-
-*   Fix inconsistent results of `params.deep_transform_keys`.
-
-    *Iago Pimenta*
-
-*   Do not report rendered errors except 500.
-
-    *Nikita Vasilevsky*
-
-*   Improve routes source location detection.
-
-    *Jean Boussier*
-
-*   Fix `Request#raw_post` raising `NoMethodError` when `rack.input` is `nil`.
-
-    *Hartley McGuire*
-
-*   Fix url generation in nested engine when script name is empty.
-
-    *zzak*
-
-*   Fix `Mime::Type.parse` handling type parameters for HTTP Accept headers.
-
-    *Taylor Chaparro*
-
-*   Fix the error page that is displayed when a view template is missing to account for nested controller paths in the
-    suggested correct location for the missing template.
-
-    *Joshua Young*
-
-*   Fix a regression in 7.1.3 passing a `to:` option without a controller when the controller is already defined by a scope.
+    This is useful when streaming inside a `connected_to` block, where you may want
+    the streaming thread to use its own database connection context.
 
     ```ruby
-    Rails.application.routes.draw do
-      controller :home do
-        get "recent", to: "recent_posts"
-      end
-    end
+    # config/application.rb
+    config.action_controller.live_streaming_excluded_keys = [:active_record_connected_to_stack]
     ```
 
-    *Étienne Barrié*
-
-*   Fix `ActionDispatch::Executor` middleware to report errors handled by `ActionDispatch::ShowExceptions`
-
-    In the default production environment, `ShowExceptions` rescues uncaught errors
-    and returns a response. Because of this the executor wouldn't report production
-    errors with the default Rails configuration.
+    By default, all keys are shared.
 
-    *Jean Boussier*
+    *Eileen M. Uchitelle*
 
+*   Fix `IpSpoofAttackError` message to include `Forwarded` header content.
 
-## Rails 7.1.3.4 (June 04, 2024) ##
+    Without it, the error message may be misleading.
 
-*   Include the HTTP Permissions-Policy on non-HTML Content-Types
-    [CVE-2024-28103]
+    *zzak*
 
-    *Aaron Patterson*
 
-## Rails 7.1.3.3 (May 16, 2024) ##
+## Rails 8.1.1 (October 28, 2025) ##
 
-*   No changes.
+*   Allow methods starting with underscore to be action methods.
 
+    Disallowing methods starting with an underscore from being action methods
+    was an unintended side effect of the performance optimization in
+    207a254.
 
-## Rails 7.1.3.2 (February 21, 2024) ##
+    Fixes #55985.
 
-*   Fix `raise_on_missing_translations` not working correctly with the
-    `translate` method in controllers after the patch for CVE-2024-26143.
+    *Rafael Mendonça França*
 
-    *John Hawthorn*
 
-## Rails 7.1.3.1 (February 21, 2024) ##
+## Rails 8.1.0 (October 22, 2025) ##
 
-*   Fix possible XSS vulnerability with the `translate` method in controllers
+*   Submit test requests using `as: :html` with `Content-Type: x-www-form-urlencoded`
 
-    CVE-2024-26143
+    *Sean Doyle*
 
-    *ooooooo-q + Aaron Patterson*
+*   Add link-local IP ranges to `ActionDispatch::RemoteIp` default proxies.
 
-*   Fix ReDoS in Accept header parsing
+    Link-local addresses (`169.254.0.0/16` for IPv4 and `fe80::/10` for IPv6)
+    are now included in the default trusted proxy list, similar to private IP ranges.
 
-    CVE-2024-26142
+    *Adam Daniels*
 
-    *Aaron Patterson*
+*   `remote_ip` will no longer ignore IPs in X-Forwarded-For headers if they
+    are accompanied by port information.
 
-## Rails 7.1.3 (January 16, 2024) ##
+    *Duncan Brown*, *Prevenios Marinos*, *Masafumi Koba*, *Adam Daniels*
 
-*   Fix including `Rails.application.routes.url_helpers` directly in an
-    `ActiveSupport::Concern.`
+*   Add `action_dispatch.verbose_redirect_logs` setting that logs where redirects were called from.
 
-    *Jonathan Hefner*
+    Similar to `active_record.verbose_query_logs` and `active_job.verbose_enqueue_logs`, this adds a line in your logs that shows where a redirect was called from.
 
-*   Fix system tests when using a Chrome binary that has been downloaded by
-    Selenium.
+    Example:
 
-    *Jonathan Hefner*
+    ```
+    Redirected to http://localhost:3000/posts/1
+    ↳ app/controllers/posts_controller.rb:32:in `block (2 levels) in create'
+    ```
 
+    *Dennis Paagman*
 
-## Rails 7.1.2 (November 10, 2023) ##
+*   Add engine route filtering and better formatting in `bin/rails routes`.
 
-*   Fix a race condition that could cause a `Text file busy - chromedriver`
-    error with parallel system tests
+    Allow engine routes to be filterable in the routing inspector, and
+    improve formatting of engine routing output.
 
-    *Matt Brictson*
+    Before:
+    ```
+    > bin/rails routes -e engine_only
+    No routes were found for this grep pattern.
+    For more information about routes, see the Rails guide: https://guides.rubyonrails.org/routing.html.
+    ```
 
-*   Fix `StrongParameters#extract_value` to include blank values
+    After:
+    ```
+    > bin/rails routes -e engine_only
+    Routes for application:
+    No routes were found for this grep pattern.
+    For more information about routes, see the Rails guide: https://guides.rubyonrails.org/routing.html.
+
+    Routes for Test::Engine:
+    Prefix Verb URI Pattern       Controller#Action
+    engine GET  /engine_only(.:format) a#b
+    ```
 
-    Otherwise composite parameters may not be parsed correctly when one of the
-    component is blank.
+    *Dennis Paagman*, *Gannon McGibbon*
 
-    *fatkodima*, *Yasha Krasnou*, *Matthias Eiglsperger*
+*   Add structured events for Action Pack and Action Dispatch:
+    - `action_dispatch.redirect`
+    - `action_controller.request_started`
+    - `action_controller.request_completed`
+    - `action_controller.callback_halted`
+    - `action_controller.rescue_from_handled`
+    - `action_controller.file_sent`
+    - `action_controller.redirected`
+    - `action_controller.data_sent`
+    - `action_controller.unpermitted_parameters`
+    - `action_controller.fragment_cache`
 
-*   Add `racc` as a dependency since it will become a bundled gem in Ruby 3.4.0
+    *Adrianna Chang*
 
-    *Hartley McGuire*
+*   URL helpers for engines mounted at the application root handle `SCRIPT_NAME` correctly.
 
-*   Support handling Enumerator for non-buffered responses.
+    Fixed an issue where `SCRIPT_NAME` is not applied to paths generated for routes in an engine
+    mounted at "/".
 
-    *Zachary Scott*
+    *Mike Dalessio*
 
+*   Update `ActionController::Metal::RateLimiting` to support passing method names to `:by` and `:with`
 
-## Rails 7.1.1 (October 11, 2023) ##
+    ```ruby
+    class SignupsController < ApplicationController
+      rate_limit to: 10, within: 1.minute, with: :redirect_with_flash
 
-*   No changes.
+      private
+        def redirect_with_flash
+          redirect_to root_url, alert: "Too many requests!"
+        end
+    end
+    ```
 
+    *Sean Doyle*
 
-## Rails 7.1.0 (October 05, 2023) ##
+*   Optimize `ActionDispatch::Http::URL.build_host_url` when protocol is included in host.
 
-*   No changes.
+    When using URL helpers with a host that includes the protocol (e.g., `{ host: "https://example.com" }`),
+    skip unnecessary protocol normalization and string duplication since the extracted protocol is already
+    in the correct format. This eliminates 2 string allocations per URL generation and provides a ~10%
+    performance improvement for this case.
 
+    *Joshua Young*, *Hartley McGuire*
 
-## Rails 7.1.0.rc2 (October 01, 2023) ##
+*   Allow `action_controller.logger` to be disabled by setting it to `nil` or `false` instead of always defaulting to `Rails.logger`.
 
-*   No changes.
+    *Roberto Miranda*
 
+*   Remove deprecated support to a route to multiple paths.
 
-## Rails 7.1.0.rc1 (September 27, 2023) ##
+    *Rafael Mendonça França*
 
-*   Add support for `#deep_merge` and `#deep_merge!` to
-    `ActionController::Parameters`.
+*   Remove deprecated support for using semicolons as a query string separator.
 
-    *Sean Doyle*
+    Before:
 
+    ```ruby
+    ActionDispatch::QueryParser.each_pair("foo=bar;baz=quux").to_a
+    # => [["foo", "bar"], ["baz", "quux"]]
+    ```
 
-## Rails 7.1.0.beta1 (September 13, 2023) ##
+    After:
 
-*   `AbstractController::Translation.raise_on_missing_translations` removed
+    ```ruby
+    ActionDispatch::QueryParser.each_pair("foo=bar;baz=quux").to_a
+    # => [["foo", "bar;baz=quux"]]
+    ```
 
-    This was a private API, and has been removed in favour of a more broadly applicable
-    `config.i18n.raise_on_missing_translations`. See the upgrading guide for more information.
+    *Rafael Mendonça França*
 
-    *Alex Ghiculescu*
+*   Remove deprecated support to skipping over leading brackets in parameter names in the parameter parser.
 
-*   Add `ActionController::Parameters#extract_value` method to allow extracting serialized values from params
+    Before:
 
     ```ruby
-    params = ActionController::Parameters.new(id: "1_123", tags: "ruby,rails")
-    params.extract_value(:id) # => ["1", "123"]
-    params.extract_value(:tags, delimiter: ",") # => ["ruby", "rails"]
+    ActionDispatch::ParamBuilder.from_query_string("[foo]=bar") # => { "foo" => "bar" }
+    ActionDispatch::ParamBuilder.from_query_string("[foo][bar]=baz") # => { "foo" => { "bar" => "baz" } }
     ```
 
-    *Nikita Vasilevsky*
-
-*   Parse JSON `response.parsed_body` with `ActiveSupport::HashWithIndifferentAccess`
-
-    Integrate with Minitest's new `assert_pattern` by parsing the JSON contents
-    of `response.parsed_body` with `ActiveSupport::HashWithIndifferentAccess`, so
-    that it's pattern-matching compatible.
-
-    *Sean Doyle*
+    After:
 
-*   Add support for Playwright as a driver for system tests.
+    ```ruby
+    ActionDispatch::ParamBuilder.from_query_string("[foo]=bar") # => { "[foo]" => "bar" }
+    ActionDispatch::ParamBuilder.from_query_string("[foo][bar]=baz") # => { "[foo]" => { "bar" => "baz" } }
+    ```
 
-    *Yuki Nishijima*
+    *Rafael Mendonça França*
 
-*   Fix `HostAuthorization` potentially displaying the value of the
-    X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
+*   Deprecate `Rails.application.config.action_dispatch.ignore_leading_brackets`.
 
-    *Hartley McGuire*, *Daniel Schlosser*
+    *Rafael Mendonça França*
 
-*   Rename `fixture_file_upload` method to `file_fixture_upload`
+*   Raise `ActionController::TooManyRequests` error from `ActionController::RateLimiting`
 
-    Declare an alias to preserve the backwards compatibility of `fixture_file_upload`
+    Requests that exceed the rate limit raise an `ActionController::TooManyRequests` error.
+    By default, Action Dispatch rescues the error and responds with a `429 Too Many Requests` status.
 
     *Sean Doyle*
 
-*   `ActionDispatch::SystemTesting::TestHelpers::ScreenshotHelper` saves the screenshot path in test metadata on failure.
-
-    *Matija Čupić*
-
-*   `config.dom_testing_default_html_version` controls the HTML parser used by
-    `ActionDispatch::Assertions#html_document`.
-
-    The Rails 7.1 default configuration opts into the HTML5 parser when it is supported, to better
-    represent what the DOM would be in a browser user agent. Previously this test helper always used
-    Nokogiri's HTML4 parser.
-
-    *Mike Dalessio*
-
-*   Ensure an uncaught exception when rendering a Turbo Frame properly breaks
-    out of the Frame and shows the `DebugView` error page in development.
-
-    *Joé Dupuis*
-
-*   The `with_routing` helper can now be called at the class level. When called at the class level, the routes will
-    be setup before each test, and reset after every test. For example:
+*   Add .md/.markdown as Markdown extensions and add a default `markdown:` renderer:
 
     ```ruby
-    class RoutingTest < ActionController::TestCase
-      with_routing do |routes|
-        routes.draw do
-          resources :articles
-          resources :authors
-        end
+    class Page
+      def to_markdown
+        body
       end
+    end
 
-      def test_articles_route
-        assert_routing("/articles", controller: "articles", action: "index")
-      end
+    class PagesController < ActionController::Base
+      def show
+        @page = Page.find(params[:id])
 
-       def test_authors_route
-        assert_routing("/authors", controller: "authors", action: "index")
+        respond_to do |format|
+          format.html
+          format.md { render markdown: @page }
+        end
       end
     end
     ```
 
-    *Andrew Novoselac*
+    *DHH*
 
-*   The `Mime::Type` now supports handling types with parameters and correctly handles quotes.
-    When parsing the accept header, the parameters before the q-parameter are kept and if a matching mime-type exists it is used.
-    To keep the current functionality, a fallback is created to look for the media-type without the parameters.
+*   Add headers to engine routes inspection command
 
-    This change allows for custom MIME-types that are more complex like `application/vnd.api+json; profile="https://jsonapi.org/profiles/ethanresnick/cursor-pagination/" ext="https://jsonapi.org/ext/atomic"` for the [JSON API](https://jsonapi.org/).
+    *Petrik de Heus*
 
-    *Nicolas Erni*
+*   Add "Copy as text" button to error pages
 
-*   The url_for helpers now support a new option called `path_params`.
-    This is very useful in situations where you only want to add a required param that is part of the route's URL but for other route not append an extraneous query param.
+    *Mikkel Malmberg*
 
-    Given the following router...
+*   Add `scope:` option to `rate_limit` method.
 
-    ```ruby
-    Rails.application.routes.draw do
-      scope ":account_id" do
-        get "dashboard" => "pages#dashboard", as: :dashboard
-        get "search/:term" => "search#search", as: :search
-      end
-      delete "signout" => "sessions#destroy", as: :signout
-    end
-    ```
+    Previously, it was not possible to share a rate limit count between several controllers, since the count was by
+    default separate for each controller.
 
-    And given the following `ApplicationController`
+    Now, the `scope:` option solves this problem.
 
     ```ruby
-    class ApplicationController < ActionController::Base
-      def default_url_options
-        { path_params: { account_id: "foo" } }
-      end
+    class APIController < ActionController::API
+      rate_limit to: 2, within: 2.seconds, scope: "api"
     end
-    ```
 
-    The standard url_for helper and friends will now behave as follows:
-
-    ```ruby
-    dashboard_path # => /foo/dashboard
-    dashboard_path(account_id: "bar") # => /bar/dashboard
+    class API::PostsController < APIController
+      # ...
+    end
 
-    signout_path # => /signout
-    signout_path(account_id: "bar") # => /signout?account_id=bar
-    signout_path(account_id: "bar", path_params: { account_id: "baz" }) # => /signout?account_id=bar
-    search_path("quin") # => /foo/search/quin
+    class API::UsersController < APIController
+      # ...
+    end
     ```
 
-    *Jason Meller, Jeremy Beker*
+    *ArthurPV*, *Kamil Hanus*
 
-*   Change `action_dispatch.show_exceptions` to one of `:all`, `:rescuable`, or
-    `:none`. `:all` and `:none` behave the same as the previous `true` and
-    `false` respectively. The new `:rescuable` option will only show exceptions
-    that can be rescued (e.g. `ActiveRecord::RecordNotFound`). `:rescuable` is
-    now the default for the test environment.
+*   Add support for `rack.response_finished` callbacks in ActionDispatch::Executor.
 
-    *Jon Dufresne*
+    The executor middleware now supports deferring completion callbacks to later
+    in the request lifecycle by utilizing Rack's `rack.response_finished` mechanism,
+    when available. This enables applications to define `rack.response_finished` callbacks
+    that may rely on state that would be cleaned up by the executor's completion callbacks.
 
-*   `config.action_dispatch.cookies_serializer` now accepts `:message_pack` and
-    `:message_pack_allow_marshal` as serializers. These serializers require the
-    [`msgpack` gem](https://rubygems.org/gems/msgpack) (>= 1.7.0).
+    *Adrianna Chang*, *Hartley McGuire*
 
-    The Message Pack format can provide improved performance and smaller payload
-    sizes. It also supports roundtripping some Ruby types that are not supported
-    by JSON. For example:
+*   Produce a log when `rescue_from` is invoked.
 
-      ```ruby
-      cookies.encrypted[:foo] = [{ a: 1 }, { b: 2 }.with_indifferent_access, 1.to_d, Time.at(0, 123)]
+    *Steven Webb*, *Jean Boussier*
 
-      # BEFORE with config.action_dispatch.cookies_serializer = :json
-      cookies.encrypted[:foo]
-      # => [{"a"=>1}, {"b"=>2}, "1.0", "1969-12-31T18:00:00.000-06:00"]
-      cookies.encrypted[:foo].map(&:class)
-      # => [Hash, Hash, String, String]
+*   Allow hosts redirects from `hosts` Rails configuration
 
-      # AFTER with config.action_dispatch.cookies_serializer = :message_pack
-      cookies.encrypted[:foo]
-      # => [{:a=>1}, {"b"=>2}, 0.1e1, 1969-12-31 18:00:00.000123 -0600]
-      cookies.encrypted[:foo].map(&:class)
-      # => [Hash, ActiveSupport::HashWithIndifferentAccess, BigDecimal, Time]
-      ```
+    ```ruby
+    config.action_controller.allowed_redirect_hosts << "example.com"
+    ```
 
-    The `:message_pack` serializer can fall back to deserializing with
-    `ActiveSupport::JSON` when necessary, and the `:message_pack_allow_marshal`
-    serializer can fall back to deserializing with `Marshal` as well as
-    `ActiveSupport::JSON`. Additionally, the `:marshal`, `:json`, and
-    `:json_allow_marshal` (AKA `:hybrid`) serializers can now fall back to
-    deserializing with `ActiveSupport::MessagePack` when necessary. These
-    behaviors ensure old cookies can still be read so that migration is easier.
+    *Kevin Robatel*
 
-    *Jonathan Hefner*
+*   `rate_limit.action_controller` notification has additional payload
 
-*   Remove leading dot from domains on cookies set with `domain: :all`, to meet RFC6265 requirements
+    additional values: count, to, within, by, name, cache_key
 
-    *Gareth Adams*
+    *Jonathan Rochkind*
 
-*   Include source location in routes extended view.
+*   Add JSON support to the built-in health controller.
 
-    ```bash
-    $ bin/rails routes --expanded
+    The health controller now responds to JSON requests with a structured response
+    containing status and timestamp information. This makes it easier for monitoring
+    tools and load balancers to consume health check data programmatically.
 
-    ...
-    --[ Route 14 ]----------
-    Prefix            | new_gist
-    Verb              | GET
-    URI               | /gist(.:format)
-    Controller#Action | gists/gists#new
-    Source Location   | config/routes/gist.rb:3
+    ```ruby
+    # /up.json
+    {
+      "status": "up",
+      "timestamp": "2025-09-19T12:00:00Z"
+    }
     ```
 
-    *Luan Vieira, John Hawthorn and Daniel Colson*
+    *Francesco Loreti*, *Juan Vásquez*
 
-*   Add `without` as an alias of `except` on `ActiveController::Parameters`.
+*   Allow to open source file with a crash from the browser.
 
-    *Hidde-Jan Jongsma*
+    *Igor Kasyanchuk*
 
-*   Expand search field on `rails/info/routes` to also search **route name**, **http verb** and **controller#action**.
+*   Always check query string keys for valid encoding just like values are checked.
 
-    *Jason Kotchoff*
+    *Casper Smits*
 
-*   Remove deprecated `poltergeist` and `webkit` (capybara-webkit) driver registration for system testing.
+*   Always return empty body for HEAD requests in `PublicExceptions` and
+    `DebugExceptions`.
 
-    *Rafael Mendonça França*
-
-*   Remove deprecated ability to assign a single value to `config.action_dispatch.trusted_proxies`.
+    This is required by `Rack::Lint` (per RFC9110).
 
-    *Rafael Mendonça França*
-
-*   Deprecate `config.action_dispatch.return_only_request_media_type_on_content_type`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated behavior on `Request#content_type`.
+    *Hartley McGuire*
 
-    *Rafael Mendonça França*
+*   Add comprehensive support for HTTP Cache-Control request directives according to RFC 9111.
 
-*   Change `ActionController::Instrumentation` to pass `filtered_path` instead of `fullpath` in the event payload to filter sensitive query params
+    Provides a `request.cache_control_directives` object that gives access to request cache directives:
 
     ```ruby
-    get "/posts?password=test"
-    request.fullpath         # => "/posts?password=test"
-    request.filtered_path    # => "/posts?password=[FILTERED]"
+    # Boolean directives
+    request.cache_control_directives.only_if_cached?  # => true/false
+    request.cache_control_directives.no_cache?        # => true/false
+    request.cache_control_directives.no_store?        # => true/false
+    request.cache_control_directives.no_transform?    # => true/false
+
+    # Value directives
+    request.cache_control_directives.max_age          # => integer or nil
+    request.cache_control_directives.max_stale        # => integer or nil (or true for valueless max-stale)
+    request.cache_control_directives.min_fresh        # => integer or nil
+    request.cache_control_directives.stale_if_error   # => integer or nil
+
+    # Special helpers for max-stale
+    request.cache_control_directives.max_stale?         # => true if max-stale present (with or without value)
+    request.cache_control_directives.max_stale_unlimited? # => true only for valueless max-stale
     ```
 
-    *Ritikesh G*
-
-*   Deprecate `AbstractController::Helpers::MissingHelperError`
-
-    *Hartley McGuire*
-
-*   Change `ActionDispatch::Testing::TestResponse#parsed_body` to parse HTML as
-    a Nokogiri document
+    Example usage:
 
     ```ruby
-    get "/posts"
-    response.content_type         # => "text/html; charset=utf-8"
-    response.parsed_body.class    # => Nokogiri::HTML5::Document
-    response.parsed_body.to_html  # => "<!DOCTYPE html>\n<html>\n..."
-    ```
-
-    *Sean Doyle*
-
-*   Deprecate `ActionDispatch::IllegalStateError`.
-
-    *Samuel Williams*
+    def show
+      if request.cache_control_directives.only_if_cached?
+        @article = Article.find_cached(params[:id])
+        return head(:gateway_timeout) if @article.nil?
+      else
+        @article = Article.find(params[:id])
+      end
 
-*   Add HTTP::Request#route_uri_pattern that returns URI pattern of matched route.
+      render :show
+    end
+    ```
 
-    *Joel Hawksley*, *Kate Higa*
+    *egg528*
 
-*   Add `ActionDispatch::AssumeSSL` middleware that can be turned on via `config.assume_ssl`.
-    It makes the application believe that all requests are arriving over SSL. This is useful
-    when proxying through a load balancer that terminates SSL, the forwarded request will appear
-    as though its HTTP instead of HTTPS to the application. This makes redirects and cookie
-    security target HTTP instead of HTTPS. This middleware makes the server assume that the
-    proxy already terminated SSL, and that the request really is HTTPS.
+*   Add assert_in_body/assert_not_in_body as the simplest way to check if a piece of text is in the response body.
 
     *DHH*
 
-*   Only use HostAuthorization middleware if `config.hosts` is not empty
+*   Include cookie name when calculating maximum allowed size.
 
     *Hartley McGuire*
 
-*   Allow raising an error when a callback's only/unless symbols aren't existing methods.
-
-    When `before_action :callback, only: :action_name` is declared on a controller that doesn't respond to `action_name`, raise an exception at request time. This is a safety measure to ensure that typos or forgetfulness don't prevent a crucial callback from being run when it should.
-
-    For new applications, raising an error for undefined actions is turned on by default. If you do not want to opt-in to this behavior set `config.action_controller.raise_on_missing_callback_actions` to `false` in your application configuration. See #43487 for more details.
-
-    *Jess Bees*
-
-*   Allow cookie options[:domain] to accept a proc to set the cookie domain on a more flexible per-request basis
-
-    *RobL*
-
-*   When a host is not specified for an `ActionController::Renderer`'s env,
-    the host and related options will now be derived from the routes'
-    `default_url_options` and `ActionDispatch::Http::URL.secure_protocol`.
-
-    This means that for an application with a configuration like:
-
-      ```ruby
-      Rails.application.default_url_options = { host: "rubyonrails.org" }
-      Rails.application.config.force_ssl = true
-      ```
-
-    rendering a URL like:
-
-      ```ruby
-      ApplicationController.renderer.render inline: "<%= blog_url %>"
-      ```
-
-    will now return `"https://rubyonrails.org/blog"` instead of
-    `"http://example.org/blog"`.
-
-    *Jonathan Hefner*
-
-*   Add details of cookie name and size to `CookieOverflow` exception.
-
-    *Andy Waite*
-
-*   Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
-
-    Previously if you set `config.active_record.query_log_tags` to an array that included
-    `:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
-    This bug has been fixed.
-
-    *Alex Ghiculescu*
-
-*   Add the following permissions policy directives: `hid`, `idle-detection`, `screen-wake-lock`,
-    `serial`, `sync-xhr`, `web-share`.
-
-    *Guillaume Cabanel*
-
-*   The `speaker`, `vibrate`, and `vr` permissions policy directives are now
-    deprecated.
-
-    There is no browser support for these directives, and no plan for browser
-    support in the future. You can just remove these directives from your
-    application.
-
-    *Jonathan Hefner*
-
-*   Added the `:status` option to `assert_redirected_to` to specify the precise
-    HTTP status of the redirect. Defaults to `:redirect` for backwards
-    compatibility.
-
-    *Jon Dufresne*
-
-*   Rescue `JSON::ParserError` in Cookies JSON deserializer to discards marshal dumps:
-
-    Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and
-    the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't
-    clear the cookie and force app users to manually clear it in their browser.
-
-    (See #45127 for original bug discussion)
+*   Implement `must-understand` directive according to RFC 9111.
 
-    *Nathan Bardoux*
-
-*   Add `HTTP_REFERER` when following redirects on integration tests
-
-    This makes `follow_redirect!` a closer simulation of what happens in a real browser
-
-    *Felipe Sateler*
-
-*   Added `exclude?` method to `ActionController::Parameters`.
-
-    *Ian Neubert*
-
-*   Rescue `EOFError` exception from `rack` on a multipart request.
-
-    *Nikita Vasilevsky*
-
-*   Log redirects from routes the same way as redirects from controllers.
-
-    *Dennis Paagman*
-
-*   Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
-    Previously, if another middleware down the chain set `Server-Timing` header,
-    it would overwritten by `ActionDispatch::ServerTiming`.
-
-    *Jakub Malinowski*
-
-*   Allow opting out of the `SameSite` cookie attribute when setting a cookie.
-
-    You can opt out of `SameSite` by passing `same_site: nil`.
-
-    `cookies[:foo] = { value: "bar", same_site: nil }`
-
-    Previously, this incorrectly set the `SameSite` attribute to the value of the `cookies_same_site_protection` setting.
-
-    *Alex Ghiculescu*
-
-*   Allow using `helper_method`s in `content_security_policy` and `permissions_policy`
-
-    Previously you could access basic helpers (defined in helper modules), but not
-    helper methods defined using `helper_method`. Now you can use either.
+    The `must-understand` directive indicates that a cache must understand the semantics of the response status code, or discard the response. This directive is enforced to be used only with `no-store` to ensure proper cache behavior.
 
     ```ruby
-    content_security_policy do |p|
-      p.default_src "https://example.com"
-      p.script_src "https://example.com" if helpers.script_csp?
+    class ArticlesController < ApplicationController
+      def show
+        @article = Article.find(params[:id])
+
+        if @article.special_format?
+          must_understand
+          render status: 203 # Non-Authoritative Information
+        else
+          fresh_when @article
+        end
+      end
     end
     ```
 
-    *Alex Ghiculescu*
-
-*   Reimplement `ActionController::Parameters#has_value?` and `#value?` to avoid parameters and hashes comparison.
-
-    Deprecated equality between parameters and hashes is going to be removed in Rails 7.2.
-    The new implementation takes care of conversions.
-
-    *Seva Stefkin*
-
-*   Allow only String and Symbol keys in `ActionController::Parameters`.
-    Raise `ActionController::InvalidParameterKey` when initializing Parameters
-    with keys that aren't strings or symbols.
-
-    *Seva Stefkin*
+    *heka1024*
 
-*   Add the ability to use custom logic for storing and retrieving CSRF tokens.
+*   The JSON renderer doesn't escape HTML entities or Unicode line separators anymore.
 
-    By default, the token will be stored in the session.  Custom classes can be
-    defined to specify arbitrary behavior, but the ability to store them in
-    encrypted cookies is built in.
+    Using `render json:` will no longer escape `<`, `>`, `&`, `U+2028` and `U+2029` characters that can cause errors
+    when the resulting JSON is embedded in JavaScript, or vulnerabilities when the resulting JSON is embedded in HTML.
 
-    *Andrew Kowpak*
+    Since the renderer is used to return a JSON document as `application/json`, it's typically not necessary to escape
+    those characters, and it improves performance.
 
-*   Make ActionController::Parameters#values cast nested hashes into parameters.
+    Escaping will still occur when the `:callback` option is set, since the JSON is used as JavaScript code in this
+    situation (JSONP).
 
-    *Gannon McGibbon*
-
-*   Introduce `html:` and `screenshot:` kwargs for system test screenshot helper
-
-    Use these as an alternative to the already-available environment variables.
-
-    For example, this will display a screenshot in iTerm, save the HTML, and output
-    its path.
+    You can use the `:escape` option or set `config.action_controller.escape_json_responses` to `true` to restore the
+    escaping behavior.
 
     ```ruby
-    take_screenshot(html: true, screenshot: "inline")
+    class PostsController < ApplicationController
+      def index
+        render json: Post.last(30), escape: true
+      end
+    end
     ```
 
-    *Alex Ghiculescu*
-
-*   Allow `ActionController::Parameters#to_h` to receive a block.
+    *Étienne Barrié*, *Jean Boussier*
 
-    *Bob Farrell*
+*   Load lazy route sets before inserting test routes
 
-*   Allow relative redirects when `raise_on_open_redirects` is enabled
+    Without loading lazy route sets early, we miss `after_routes_loaded` callbacks, or risk
+    invoking them with the test routes instead of the real ones if another load is triggered by an engine.
 
-    *Tom Hughes*
-
-*   Allow Content Security Policy DSL to generate for API responses.
-
-    *Tim Wade*
+    *Gannon McGibbon*
 
-*   Fix `authenticate_with_http_basic` to allow for missing password.
+*   Raise `AbstractController::DoubleRenderError` if `head` is called after rendering.
 
-    Before Rails 7.0 it was possible to handle basic authentication with only a username.
+    After this change, invoking `head` will lead to an error if response body is already set:
 
     ```ruby
-    authenticate_with_http_basic do |token, _|
-      ApiClient.authenticate(token)
+    class PostController < ApplicationController
+      def index
+        render locals: {}
+        head :ok
+      end
     end
     ```
 
-    This ability is restored.
-
-    *Jean Boussier*
+    *Iaroslav Kurbatov*
 
-*   Fix `content_security_policy` returning invalid directives.
+*   The Cookie Serializer can now serialize an Active Support SafeBuffer when using message pack.
 
-    Directives such as `self`, `unsafe-eval` and few others were not
-    single quoted when the directive was the result of calling a lambda
-    returning an array.
+    Such code would previously produce an error if an application was using messagepack as its cookie serializer.
 
     ```ruby
-    content_security_policy do |policy|
-      policy.frame_ancestors lambda { [:self, "https://example.com"] }
+    class PostController < ApplicationController
+      def index
+        flash.notice = t(:hello_html) # This would try to serialize a SafeBuffer, which was not possible.
+      end
     end
     ```
 
-    With this fix the policy generated from above will now be valid.
-
     *Edouard Chin*
 
-*   Fix `skip_forgery_protection` to run without raising an error if forgery
-    protection has not been enabled / `verify_authenticity_token` is not a
-    defined callback.
+*   Fix `Rails.application.reload_routes!` from clearing almost all routes.
 
-    This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
-    `ArgumentError` if `default_protect_from_forgery` is false.
+    When calling `Rails.application.reload_routes!` inside a middleware of
+    a Rake task, it was possible under certain conditions that all routes would be cleared.
+    If ran inside a middleware, this would result in getting a 404 on most page you visit.
+    This issue was only happening in development.
 
-    *Brad Trick*
-
-*   Make `redirect_to` return an empty response body.
+    *Edouard Chin*
 
-    Application controllers that wish to add a response body after calling
-    `redirect_to` can continue to do so.
+*   Add resource name to the `ArgumentError` that's raised when invalid `:only` or `:except` options are given to `#resource` or `#resources`
 
-    *Jon Dufresne*
+    This makes it easier to locate the source of the problem, especially for routes drawn by gems.
 
-*   Use non-capturing group for subdomain matching in `ActionDispatch::HostAuthorization`
+    Before:
+    ```
+    :only and :except must include only [:index, :create, :new, :show, :update, :destroy, :edit], but also included [:foo, :bar]
+    ```
 
-    Since we do nothing with the captured subdomain group, we can use a non-capturing group instead.
+    After:
+    ```
+    Route `resources :products` - :only and :except must include only [:index, :create, :new, :show, :update, :destroy, :edit], but also included [:foo, :bar]
+    ```
 
-    *Sam Bostock*
+    *Jeremy Green*
 
-*   Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
+*   A route pointing to a non-existing controller now returns a 500 instead of a 404.
 
-    Since its inception `ActionController::Live` has been copying thread local variables
-    to keep things such as `CurrentAttributes` set from middlewares working in the controller action.
+    A controller not existing isn't a routing error that should result
+    in a 404, but a programming error that should result in a 500 and
+    be reported.
 
-    With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
-    `ActionController::Live` controllers.
+    Until recently, this was hard to untangle because of the support
+    for dynamic `:controller` segment in routes, but since this is
+    deprecated and will be removed in Rails 8.1, we can now easily
+    not consider missing controllers as routing errors.
 
     *Jean Boussier*
 
-*   Fix setting `trailing_slash: true` in route definition.
-
-    ```ruby
-    get '/test' => "test#index", as: :test, trailing_slash: true
-
-    test_path() # => "/test/"
-    ```
+*   Add `check_collisions` option to `ActionDispatch::Session::CacheStore`.
 
-    *Jean Boussier*
+    Newly generated session ids use 128 bits of randomness, which is more than
+    enough to ensure collisions can't happen, but if you need to harden sessions
+    even more, you can enable this option to check in the session store that the id
+    is indeed free you can enable that option. This however incurs an extra write
+    on session creation.
 
-*   Make `Session#merge!` stringify keys.
+    *Shia*
 
-    Previously `Session#update` would, but `merge!` wouldn't.
+*   In ExceptionWrapper, match backtrace lines with built templates more often,
+    allowing improved highlighting of errors within do-end blocks in templates.
+    Fix for Ruby 3.4 to match new method labels in backtrace.
 
-    *Drew Bragg*
+    *Martin Emde*
 
-*   Add `:unsafe_hashes` mapping for `content_security_policy`
+*   Allow setting content type with a symbol of the Mime type.
 
     ```ruby
     # Before
-    policy.script_src  :strict_dynamic, "'unsafe-hashes'", "'sha256-rRMdkshZyJlCmDX27XnL7g3zXaxv7ei6Sg+yt4R3svU='"
+    response.content_type = "text/html"
 
     # After
-    policy.script_src  :strict_dynamic, :unsafe_hashes, "'sha256-rRMdkshZyJlCmDX27XnL7g3zXaxv7ei6Sg+yt4R3svU='"
+    response.content_type = :html
     ```
 
-    *Igor Morozov*
+    *Petrik de Heus*
 
-Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [8-0-stable](https://github.com/rails/rails/blob/8-0-stable/actionpack/CHANGELOG.md) for previous changes.