actionview 7.2.2.1 → 8.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 129f00c083e1a4443010be161169e51eea090543c6618289968ed2cdb1c65c76
-  data.tar.gz: 568d88d12f7fc363958af2f8bf45308199dc0c221a05fafb9415a96b3eaddc8a
+  metadata.gz: 5744f9f03363cee6bb6119e05f065b891143193967773bb6c9798ba08f5cf913
+  data.tar.gz: 5290a6f008203823f1b6a4aca07916475fc80ca02de83ea5a16e7ebeab02102c
 SHA512:
-  metadata.gz: de08bd40788b58e9ba6be2169a5ebbc39c6b4f1122d1564b64cf0a6af066f855d4a1ad2d1721ab849fde78ee87c496c61579afd59d1a3062dba6135b6652bee4
-  data.tar.gz: cf2f5461be068f0d96d287bbdabe2daf9b3d76a4e80c9db31041d9242f77986b1d5d6774d6db95f5f2b068cbce2161b13335891bfd86d271994d49321bc88733
+  metadata.gz: 56c52dfb00b9d4b7b1785efac2d74a334a65140ef93bf24ace09a2653f8c717a50990ed1b37662bdec4e1af2a2e4624001a5da4276a9610d709b559d541a59de
+  data.tar.gz: eb0953de4b065cc23aea27da97268891cb4656dbe2439762a1fa4b9a26436dbd27dd89c4d1f365df5a2525b70fc09ff8eb6a8602da3ffe90acaac7f8687e4bbc

data/CHANGELOG.md

@@ -1,133 +1,166 @@
-## Rails 7.2.2.1 (December 10, 2024) ##
+## Rails 8.1.2 (January 08, 2026) ##
 
-*   No changes.
+*   Fix `file_field` to join mime types with a comma when provided as Array
 
+    ```ruby
+    file_field(:article, :image, accept: ['image/png', 'image/gif', 'image/jpeg'])
+    ```
 
-## Rails 7.2.2 (October 30, 2024) ##
-
-*   No changes.
-
+    Now behaves likes:
 
-## Rails 7.2.1.2 (October 23, 2024) ##
+    ```
+    file_field(:article, :image, accept: 'image/png,image/gif,image/jpeg')
+    ```
 
-*   No changes.
+    *Bogdan Gusiev*
 
+*   Fix strict locals parsing to handle multiline definitions.
 
-## Rails 7.2.1.1 (October 15, 2024) ##
+    *Said Kaldybaev*
 
-*   No changes.
+*   Fix `content_security_policy_nonce` error in mailers when using `content_security_policy_nonce_auto` setting.
 
+    The `content_security_policy_nonce helper` is provided by `ActionController::ContentSecurityPolicy`, and it relies on `request.content_security_policy_nonc`e. Mailers lack both the module and the request object.
 
-## Rails 7.2.1 (August 22, 2024) ##
+    *Jarrett Lusso*
 
-*   No changes.
 
+## Rails 8.1.1 (October 28, 2025) ##
 
-## Rails 7.2.0 (August 09, 2024) ##
+*   Respect `remove_hidden_field_autocomplete` config in form builder `hidden_field`.
 
-*   Fix templates with strict locals to also include `local_assigns`.
+    *Rafael Mendonça França*
 
-    Previously templates defining strict locals wouldn't receive the `local_assigns`
-    hash.
 
-    *Jean Boussier*
+## Rails 8.1.0 (October 22, 2025) ##
 
-*   Add queries count to template rendering instrumentation.
+*   The BEGIN template annotation/comment was previously printed on the same line as the following element. We now insert a newline inside the comment so it spans two lines without adding visible whitespace to the HTML output to enhance readability.
 
+    Before:
+    ```
+    <!-- BEGIN /Users/siaw23/Desktop/rails/actionview/test/fixtures/actionpack/test/greeting.html.erb --><p>This is grand!</p>
     ```
-    # Before
-    Completed 200 OK in 3804ms (Views: 41.0ms | ActiveRecord: 33.5ms | Allocations: 112788)
 
-    # After
-    Completed 200 OK in 3804ms (Views: 41.0ms | ActiveRecord: 33.5ms (2 queries, 1 cached) | Allocations: 112788)
+    After:
     ```
+    <!-- BEGIN /Users/siaw23/Desktop/rails/actionview/test/fixtures/actionpack/test/greeting.html.erb
+    --><p>This is grand!</p>
+    ```
+    *Emmanuel Hayford*
 
-    *fatkodima*
+*   Add structured events for Action View:
+    - `action_view.render_template`
+    - `action_view.render_partial`
+    - `action_view.render_layout`
+    - `action_view.render_collection`
+    - `action_view.render_start`
 
-*   Raise `ArgumentError` if `:renderable` object does not respond to `#render_in`.
+    *Gannon McGibbon*
 
-    *Sean Doyle*
+*   Fix label with `for` option not getting prefixed by form `namespace` value
 
-*   Add the `nonce: true` option for `stylesheet_link_tag` helper to support automatic nonce generation for Content Security Policy.
+    *Abeid Ahmed*, *Hartley McGuire*
 
-    Works the same way as `javascript_include_tag nonce: true` does.
+*   Add `fetchpriority` to Link headers to match HTML generated by `preload_link_tag`.
 
-    *Akhil G Krishnan*, *AJ Esler*
+    *Guillermo Iguaran*
 
-*   Parse `ActionView::TestCase#rendered` HTML content as `Nokogiri::XML::DocumentFragment` instead of `Nokogiri::XML::Document`.
+*   Add CSP `nonce` to Link headers generated by `preload_link_tag`.
 
-    *Sean Doyle*
+    *Alexander Gitter*
 
-*   Rename `ActionView::TestCase::Behavior::Content` to `ActionView::TestCase::Behavior::RenderedViewContent`.
+*   Allow `current_page?` to match against specific HTTP method(s) with a `method:` option.
 
-    Make `RenderedViewContent` inherit from `String`. Make private API with `:nodoc:`
+    *Ben Sheldon*
 
-    *Sean Doyle*
+*   Remove `autocomplete="off"` on hidden inputs generated by the following
+    tags:
 
-*   Deprecate passing `nil` as value for the `model:` argument to the `form_with` method.
+    * `form_tag`, `token_tag`, `method_tag`
 
-    *Collin Jilbert*
+    As well as the hidden parameter fields included in `button_to`,
+    `check_box`, `select` (with `multiple`) and `file_field` forms.
 
-*   Alias `field_set_tag` helper to `fieldset_tag` to match `<fieldset>` element.
+    *nkulway*
 
-    *Sean Doyle*
+*   Enable configuring the strategy for tracking dependencies between Action
+    View templates.
 
-*   Deprecate passing content to void elements when using `tag.br` type tag builders.
+    The existing `:regex` strategy is kept as the default, but with
+    `load_defaults 8.1` the strategy will be `:ruby` (using a real Ruby parser).
 
     *Hartley McGuire*
 
-*   Fix the `number_to_human_size` view helper to correctly work with negative numbers.
+*   Introduce `relative_time_in_words` helper
+
+    ```ruby
+    relative_time_in_words(3.minutes.from_now) # => "in 3 minutes"
+    relative_time_in_words(3.minutes.ago) # => "3 minutes ago"
+    relative_time_in_words(10.seconds.ago, include_seconds: true) # => "less than 10 seconds ago"
+    ```
 
-    *Earlopain*
+    *Matheus Richard*
 
-*   Automatically discard the implicit locals injected by collection rendering for template that can't accept them.
+*   Make `nonce: false` remove the nonce attribute from `javascript_tag`, `javascript_include_tag`, and `stylesheet_link_tag`.
 
-    When rendering a collection, two implicit variables are injected, which breaks templates with strict locals.
+    *francktrouillez*
 
-    Now they are only passed if the template will actually accept them.
+*   Add `dom_target` helper to create `dom_id`-like strings from an unlimited
+    number of objects.
 
-    *Yasha Krasnou*, *Jean Boussier*
+    *Ben Sheldon*
 
-*   Fix `@rails/ujs` calling `start()` an extra time when using bundlers.
+*   Respect `html_options[:form]` when `collection_checkboxes` generates the
+    hidden `<input>`.
 
-    *Hartley McGuire*, *Ryunosuke Sato*
+    *Riccardo Odone*
 
-*   Fix the `capture` view helper compatibility with HAML and Slim.
+*   Layouts have access to local variables passed to `render`.
 
-    When a blank string was captured in HAML or Slim (and possibly other template engines)
-    it would instead return the entire buffer.
+    This fixes #31680 which was a regression in Rails 5.1.
 
-    *Jean Boussier*
+    *Mike Dalessio*
 
-*   Updated `@rails/ujs` files to ignore certain data-* attributes when element is contenteditable.
+*   Argument errors related to strict locals in templates now raise an
+    `ActionView::StrictLocalsError`, and all other argument errors are reraised as-is.
 
-    This fix was already landed in >= 7.0.4.3, < 7.1.0.
-    [[CVE-2023-23913](https://github.com/advisories/GHSA-xp5h-f8jf-rc8q)]
+    Previously, any `ArgumentError` raised during template rendering was swallowed during strict
+    local error handling, so that an `ArgumentError` unrelated to strict locals (e.g., a helper
+    method invoked with incorrect arguments) would be replaced by a similar `ArgumentError` with an
+    unrelated backtrace, making it difficult to debug templates.
 
-    *Ryunosuke Sato*
+    Now, any `ArgumentError` unrelated to strict locals is reraised, preserving the original
+    backtrace for developers.
 
-*   Added validation for HTML tag names in the `tag` and `content_tag` helper method.
+    Also note that `ActionView::StrictLocalsError` is a subclass of `ArgumentError`, so any existing
+    code that rescues `ArgumentError` will continue to work.
 
-    The `tag` and `content_tag` method now checks that the provided tag name adheres to the HTML
-    specification. If an invalid HTML tag name is provided, the method raises an `ArgumentError`
-    with an appropriate error message.
+    Fixes #52227.
 
-    Examples:
+    *Mike Dalessio*
 
-    ```ruby
-    # Raises ArgumentError: Invalid HTML5 tag name: 12p
-    content_tag("12p") # Starting with a number
+*   Improve error highlighting of multi-line methods in ERB templates or
+    templates where the error occurs within a do-end block.
 
-    # Raises ArgumentError: Invalid HTML5 tag name: ""
-    content_tag("") # Empty tag name
+    *Martin Emde*
 
-    # Raises ArgumentError: Invalid HTML5 tag name: div/
-    tag("div/") # Contains a solidus
+*   Fix a crash in ERB template error highlighting when the error occurs on a
+    line in the compiled template that is past the end of the source template.
 
-    # Raises ArgumentError: Invalid HTML5 tag name: "image file"
-    tag("image file") # Contains a space
-    ```
+    *Martin Emde*
+
+*   Improve reliability of ERB template error highlighting.
+    Fix infinite loops and crashes in highlighting and
+    improve tolerance for alternate ERB handlers.
+
+    *Martin Emde*
+
+*   Allow `hidden_field` and `hidden_field_tag` to accept a custom autocomplete value.
+
+    *brendon*
+
+*   Add a new configuration `content_security_policy_nonce_auto` for automatically adding a nonce to the tags affected by the directives specified by the `content_security_policy_nonce_directives` configuration option.
 
-    *Akhil G Krishnan*
+    *francktrouillez*
 
-Please check [7-1-stable](https://github.com/rails/rails/blob/7-1-stable/actionview/CHANGELOG.md) for previous changes.
+Please check [8-0-stable](https://github.com/rails/rails/blob/8-0-stable/actionview/CHANGELOG.md) for previous changes.

data/README.rdoc

@@ -35,6 +35,6 @@ Bug reports for the Ruby on \Rails project can be filed here:
 
 * https://github.com/rails/rails/issues
 
-Feature requests should be discussed on the rails-core mailing list here:
+Feature requests should be discussed on the rubyonrails-core forum here:
 
 * https://discuss.rubyonrails.org/c/rubyonrails-core

data/lib/action_view/base.rb

@@ -4,6 +4,7 @@ require "active_support/core_ext/module/attr_internal"
 require "active_support/core_ext/module/attribute_accessors"
 require "active_support/ordered_options"
 require "action_view/log_subscriber"
+require "action_view/structured_event_subscriber"
 require "action_view/helpers"
 require "action_view/context"
 require "action_view/template"
@@ -181,6 +182,10 @@ module ActionView # :nodoc:
     class_attribute :_routes
     class_attribute :logger
 
+    # Specify whether to omit autocomplete="off" on hidden inputs generated by helpers.
+    # Configured via `config.action_view.remove_hidden_field_autocomplete`
+    cattr_accessor :remove_hidden_field_autocomplete, default: false
+
     class << self
       delegate :erb_trim_mode=, to: "ActionView::Template::Handlers::ERB"
 
@@ -242,8 +247,6 @@ module ActionView # :nodoc:
     # :startdoc:
 
     def initialize(lookup_context, assigns, controller) # :nodoc:
-      @_config = ActiveSupport::InheritableOptions.new
-
       @lookup_context = lookup_context
 
       @view_renderer = ActionView::Renderer.new @lookup_context
@@ -267,15 +270,12 @@ module ActionView # :nodoc:
         begin
           public_send(method, locals, buffer, **locals, &block)
         rescue ArgumentError => argument_error
-          raise(
-            ArgumentError,
-            argument_error.
-              message.
-                gsub("unknown keyword:", "unknown local:").
-                gsub("missing keyword:", "missing local:").
-                gsub("no keywords accepted", "no locals accepted").
-                concat(" for #{@current_template.short_identifier}")
-          )
+          public_send_line = __LINE__ - 2
+          frame = argument_error.backtrace_locations[1]
+          if frame.path == __FILE__ && frame.lineno == public_send_line
+            raise StrictLocalsError.new(argument_error, @current_template)
+          end
+          raise
         end
       else
         public_send(method, locals, buffer, &block)

data/lib/action_view/buffers.rb

@@ -45,7 +45,7 @@ module ActionView
         @raw_buffer << if value.html_safe?
           value
         else
-          CGI.escapeHTML(value)
+          ERB::Util.unwrapped_html_escape(value)
         end
       end
       self

data/lib/action_view/dependency_tracker/erb_tracker.rb

@@ -74,7 +74,7 @@ module ActionView
       end
 
       def dependencies
-        render_dependencies + explicit_dependencies
+        WildcardResolver.new(@view_paths, render_dependencies + explicit_dependencies).resolve
       end
 
       attr_reader :name, :template
@@ -90,15 +90,15 @@ module ActionView
         end
 
         def render_dependencies
-          render_dependencies = []
-          render_calls = source.split(/\brender\b/).drop(1)
+          dependencies = []
+          render_calls = source.scan(/<%(?:(?:(?!<%).)*?\brender\b((?:(?!%>).)*?))%>/m).flatten
 
           render_calls.each do |arguments|
-            add_dependencies(render_dependencies, arguments, LAYOUT_DEPENDENCY)
-            add_dependencies(render_dependencies, arguments, RENDER_ARGUMENTS)
+            add_dependencies(dependencies, arguments, LAYOUT_DEPENDENCY)
+            add_dependencies(dependencies, arguments, RENDER_ARGUMENTS)
           end
 
-          render_dependencies.uniq
+          dependencies
         end
 
         def add_dependencies(render_dependencies, arguments, pattern)
@@ -116,12 +116,37 @@ module ActionView
         end
 
         def add_static_dependency(dependencies, dependency, quote_type)
-          if quote_type == '"'
-            # Ignore if there is interpolation
-            return if dependency.include?('#{')
-          end
+          if quote_type == '"' && dependency.include?('#{')
+            scanner = StringScanner.new(dependency)
+
+            wildcard_dependency = +""
+
+            while !scanner.eos?
+              if scanner.scan_until(/\#{/)
+                unmatched_brackets = 1
+                wildcard_dependency << scanner.pre_match
+
+                while unmatched_brackets > 0 && !scanner.eos?
+                  found = scanner.scan_until(/[{}]/)
+                  return unless found
+
+                  case scanner.matched
+                  when "{"
+                    unmatched_brackets += 1
+                  when "}"
+                    unmatched_brackets -= 1
+                  end
+                end
+
+                wildcard_dependency << "*"
+              else
+                wildcard_dependency << scanner.rest
+                scanner.terminate
+              end
+            end
 
-          if dependency
+            dependencies << wildcard_dependency
+          elsif dependency
             if dependency.include?("/")
               dependencies << dependency
             else
@@ -130,24 +155,8 @@ module ActionView
           end
         end
 
-        def resolve_directories(wildcard_dependencies)
-          return [] unless @view_paths
-          return [] if wildcard_dependencies.empty?
-
-          # Remove trailing "/*"
-          prefixes = wildcard_dependencies.map { |query| query[0..-3] }
-
-          @view_paths.flat_map(&:all_template_paths).uniq.filter_map { |path|
-            path.to_s if prefixes.include?(path.prefix)
-          }.sort
-        end
-
         def explicit_dependencies
-          dependencies = source.scan(EXPLICIT_DEPENDENCY).flatten.uniq
-
-          wildcards, explicits = dependencies.partition { |dependency| dependency.end_with?("/*") }
-
-          (explicits + resolve_directories(wildcards)).uniq
+          source.scan(EXPLICIT_DEPENDENCY).flatten.uniq
         end
     end
   end

data/lib/action_view/dependency_tracker/ruby_tracker.rb

@@ -10,7 +10,7 @@ module ActionView
       end
 
       def dependencies
-        render_dependencies + explicit_dependencies
+        WildcardResolver.new(view_paths, render_dependencies + explicit_dependencies).resolve
       end
 
       def self.supports_view_paths? # :nodoc:
@@ -31,29 +31,12 @@ module ActionView
           compiled_source = template.handler.call(template, template.source)
 
           @parser_class.new(@name, compiled_source).render_calls.filter_map do |render_call|
-            next if render_call.end_with?("/_")
             render_call.gsub(%r|/_|, "/")
           end
         end
 
         def explicit_dependencies
-          dependencies = template.source.scan(EXPLICIT_DEPENDENCY).flatten.uniq
-
-          wildcards, explicits = dependencies.partition { |dependency| dependency.end_with?("/*") }
-
-          (explicits + resolve_directories(wildcards)).uniq
-        end
-
-        def resolve_directories(wildcard_dependencies)
-          return [] unless view_paths
-          return [] if wildcard_dependencies.empty?
-
-          # Remove trailing "/*"
-          prefixes = wildcard_dependencies.map { |query| query[0..-3] }
-
-          view_paths.flat_map(&:all_template_paths).uniq.filter_map { |path|
-            path.to_s if prefixes.include?(path.prefix)
-          }.sort
+          template.source.scan(EXPLICIT_DEPENDENCY).flatten.uniq
         end
     end
   end

data/lib/action_view/dependency_tracker/wildcard_resolver.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module ActionView
+  class DependencyTracker # :nodoc:
+    class WildcardResolver # :nodoc:
+      def initialize(view_paths, dependencies)
+        @view_paths = view_paths
+
+        @wildcard_dependencies, @explicit_dependencies =
+          dependencies.partition { |dependency| dependency.end_with?("/*") }
+      end
+
+      def resolve
+        return explicit_dependencies.uniq if !view_paths || wildcard_dependencies.empty?
+
+        (explicit_dependencies + resolved_wildcard_dependencies).uniq
+      end
+
+      private
+        attr_reader :explicit_dependencies, :wildcard_dependencies, :view_paths
+
+        def resolved_wildcard_dependencies
+          # Remove trailing "/*"
+          prefixes = wildcard_dependencies.map { |query| query[0..-3] }
+
+          view_paths.flat_map(&:all_template_paths).uniq.filter_map { |path|
+            path.to_s if prefixes.include?(path.prefix)
+          }.sort
+        end
+    end
+  end
+end

data/lib/action_view/dependency_tracker.rb

@@ -10,6 +10,7 @@ module ActionView
 
     autoload :ERBTracker
     autoload :RubyTracker
+    autoload :WildcardResolver
 
     @trackers = Concurrent::Map.new
 
@@ -35,6 +36,11 @@ module ActionView
       @trackers.delete(handler)
     end
 
-    register_tracker :erb, ERBTracker
+    case ActionView.render_tracker
+    when :ruby
+      register_tracker :erb, RubyTracker
+    else
+      register_tracker :erb, ERBTracker
+    end
   end
 end

data/lib/action_view/digestor.rb

@@ -107,8 +107,12 @@ module ActionView
         end.join("-")
       end
 
-      def to_dep_map
-        children.any? ? { name => children.map(&:to_dep_map) } : name
+      def to_dep_map(seen = Set.new.compare_by_identity)
+        if seen.add?(self)
+          children.any? ? { name => children.map { |c| c.to_dep_map(seen) } } : name
+        else # the tree has a cycle
+          name
+        end
       end
     end
 

data/lib/action_view/gem_version.rb

@@ -7,10 +7,10 @@ module ActionView
   end
 
   module VERSION
-    MAJOR = 7
-    MINOR = 2
+    MAJOR = 8
+    MINOR = 1
     TINY  = 2
-    PRE   = "1"
+    PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/action_view/helpers/asset_tag_helper.rb

@@ -26,6 +26,8 @@ module ActionView
       mattr_accessor :image_decoding
       mattr_accessor :preload_links_header
       mattr_accessor :apply_stylesheet_media_default
+      mattr_accessor :auto_include_nonce_for_scripts
+      mattr_accessor :auto_include_nonce_for_styles
 
       # Returns an HTML script tag for each of the +sources+ provided.
       #
@@ -115,11 +117,11 @@ module ActionView
         path_options = options.extract!("protocol", "extname", "host", "skip_pipeline").symbolize_keys
         preload_links = []
         use_preload_links_header = options["preload_links_header"].nil? ? preload_links_header : options.delete("preload_links_header")
-        nopush = options["nopush"].nil? ? true : options.delete("nopush")
+        nopush = options["nopush"].nil? || options.delete("nopush")
         crossorigin = options.delete("crossorigin")
         crossorigin = "anonymous" if crossorigin == true
         integrity = options["integrity"]
-        rel = options["type"] == "module" ? "modulepreload" : "preload"
+        rel = options["type"] == "module" || options["type"] == :module ? "modulepreload" : "preload"
 
         sources_tags = sources.uniq.map { |source|
           href = path_to_javascript(source, path_options)
@@ -127,6 +129,7 @@ module ActionView
             preload_link = "<#{href}>; rel=#{rel}; as=script"
             preload_link += "; crossorigin=#{crossorigin}" unless crossorigin.nil?
             preload_link += "; integrity=#{integrity}" unless integrity.nil?
+            preload_link += "; nonce=#{content_security_policy_nonce}" if options["nonce"] == true
             preload_link += "; nopush" if nopush
             preload_links << preload_link
           end
@@ -134,8 +137,10 @@ module ActionView
             "src" => href,
             "crossorigin" => crossorigin
           }.merge!(options)
-          if tag_options["nonce"] == true
+          if tag_options["nonce"] == true || (!tag_options.key?("nonce") && auto_include_nonce_for_scripts)
             tag_options["nonce"] = content_security_policy_nonce
+          elsif tag_options["nonce"] == false
+            tag_options.delete("nonce")
           end
           content_tag("script", "", tag_options)
         }.join("\n").html_safe
@@ -206,7 +211,7 @@ module ActionView
         preload_links = []
         crossorigin = options.delete("crossorigin")
         crossorigin = "anonymous" if crossorigin == true
-        nopush = options["nopush"].nil? ? true : options.delete("nopush")
+        nopush = options["nopush"].nil? || options.delete("nopush")
         integrity = options["integrity"]
 
         sources_tags = sources.uniq.map { |source|
@@ -215,6 +220,7 @@ module ActionView
             preload_link = "<#{href}>; rel=preload; as=style"
             preload_link += "; crossorigin=#{crossorigin}" unless crossorigin.nil?
             preload_link += "; integrity=#{integrity}" unless integrity.nil?
+            preload_link += "; nonce=#{content_security_policy_nonce}" if options["nonce"] == true
             preload_link += "; nopush" if nopush
             preload_links << preload_link
           end
@@ -223,8 +229,10 @@ module ActionView
             "crossorigin" => crossorigin,
             "href" => href
           }.merge!(options)
-          if tag_options["nonce"] == true
+          if tag_options["nonce"] == true || (!tag_options.key?("nonce") && auto_include_nonce_for_styles && respond_to?(:content_security_policy_nonce))
             tag_options["nonce"] = content_security_policy_nonce
+          elsif tag_options["nonce"] == false
+            tag_options.delete("nonce")
           end
 
           if apply_stylesheet_media_default && tag_options["media"].blank?
@@ -360,8 +368,16 @@ module ActionView
         crossorigin = options.delete(:crossorigin)
         crossorigin = "anonymous" if crossorigin == true || (crossorigin.blank? && as_type == "font")
         integrity = options[:integrity]
+        fetchpriority = options.delete(:fetchpriority)
         nopush = options.delete(:nopush) || false
-        rel = mime_type == "module" ? "modulepreload" : "preload"
+        rel = mime_type == "module" || mime_type == :module ? "modulepreload" : "preload"
+        add_nonce = content_security_policy_nonce &&
+          respond_to?(:request) &&
+          request.content_security_policy_nonce_directives&.include?("#{as_type}-src")
+
+        if add_nonce
+          options[:nonce] = content_security_policy_nonce
+        end
 
         link_tag = tag.link(
           rel: rel,
@@ -369,12 +385,15 @@ module ActionView
           as: as_type,
           type: mime_type,
           crossorigin: crossorigin,
+          fetchpriority: fetchpriority,
           **options.symbolize_keys)
 
         preload_link = "<#{href}>; rel=#{rel}; as=#{as_type}"
         preload_link += "; type=#{mime_type}" if mime_type
         preload_link += "; crossorigin=#{crossorigin}" if crossorigin
+        preload_link += "; fetchpriority=#{fetchpriority}" if fetchpriority
         preload_link += "; integrity=#{integrity}" if integrity
+        preload_link += "; nonce=#{content_security_policy_nonce}" if add_nonce
         preload_link += "; nopush" if nopush
 
         send_preload_links_header([preload_link])