actionview 7.1.4 → 7.2.0.beta1

data/lib/action_view/helpers/asset_tag_helper.rb

@@ -68,6 +68,8 @@ module ActionView
       #   attribute, which indicates to the browser that the script is meant to
       #   be executed after the document has been parsed. Additionally, prevents
       #   sending the Preload Links header.
+      # * <tt>:nopush</tt>  - Specify if the use of server push is not desired
+      #   for the script. Defaults to +true+.
       #
       # Any other specified options will be treated as HTML attributes for the
       # +script+ tag.
@@ -166,6 +168,10 @@ module ActionView
       #   that path.
       # * <tt>:skip_pipeline</tt>  - This option is used to bypass the asset pipeline
       #   when it is set to true.
+      # * <tt>:nonce</tt>  - When set to true, adds an automatic nonce value if
+      #   you have Content Security Policy enabled.
+      # * <tt>:nopush</tt>  - Specify if the use of server push is not desired
+      #   for the stylesheet. Defaults to +true+.
       #
       # ==== Examples
       #
@@ -190,6 +196,9 @@ module ActionView
       #   stylesheet_link_tag "random.styles", "/css/stylish"
       #   # => <link href="/assets/random.styles" rel="stylesheet" />
       #   #    <link href="/css/stylish.css" rel="stylesheet" />
+      #
+      #   stylesheet_link_tag "style", nonce: true
+      #   # => <link href="/assets/style.css" rel="stylesheet" nonce="..." />
       def stylesheet_link_tag(*sources)
         options = sources.extract_options!.stringify_keys
         path_options = options.extract!("protocol", "extname", "host", "skip_pipeline").symbolize_keys
@@ -214,6 +223,9 @@ module ActionView
             "crossorigin" => crossorigin,
             "href" => href
           }.merge!(options)
+          if tag_options["nonce"] == true
+            tag_options["nonce"] = content_security_policy_nonce
+          end
 
           if apply_stylesheet_media_default && tag_options["media"].blank?
             tag_options["media"] = "screen"
@@ -351,13 +363,13 @@ module ActionView
         nopush = options.delete(:nopush) || false
         rel = mime_type == "module" ? "modulepreload" : "preload"
 
-        link_tag = tag.link(**{
+        link_tag = tag.link(
           rel: rel,
           href: href,
           as: as_type,
           type: mime_type,
-          crossorigin: crossorigin
-        }.merge!(options.symbolize_keys))
+          crossorigin: crossorigin,
+          **options.symbolize_keys)
 
         preload_link = "<#{href}>; rel=#{rel}; as=#{as_type}"
         preload_link += "; type=#{mime_type}" if mime_type
@@ -645,11 +657,11 @@ module ActionView
           return if response_present && response.sending?
 
           if respond_to?(:request) && request
-            request.send_early_hints("link" => preload_links.join(","))
+            request.send_early_hints("Link" => preload_links.join("\n"))
           end
 
           if response_present
-            header = +response.headers["link"].to_s
+            header = +response.headers["Link"].to_s
             preload_links.each do |link|
               break if header.bytesize + link.bytesize > max_header_size
 
@@ -660,7 +672,7 @@ module ActionView
               end
             end
 
-            response.headers["link"] = header
+            response.headers["Link"] = header
           end
         end
     end

data/lib/action_view/helpers/csrf_helper.rb

@@ -17,7 +17,7 @@ module ActionView
       # You don't need to use these tags for regular forms as they generate their own hidden fields.
       #
       # For Ajax requests other than GETs, extract the "csrf-token" from the meta-tag and send as the
-      # +X-CSRF-Token+ HTTP header. If you are using rails-ujs, this happens automatically.
+      # +X-CSRF-Token+ HTTP header.
       #
       def csrf_meta_tags
         if defined?(protect_against_forgery?) && protect_against_forgery?