actionview 7.2.3 → 8.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 773338461dd6a54e8b6efa075c2be80d8f8c975ee46bd2167bc7e2fcd8e78f35
-  data.tar.gz: 22244120a030dfc49034d8d790fa86013b1de42b5ee7acbe75243580c9eec7c1
+  metadata.gz: 96267f5fb9e3f51b3f9532cf10d78e0454480729b75a758b6df1bf6bb903384f
+  data.tar.gz: f7befef7e6c94a2dda6868cd265cbb4009576883d881a9f28195d68649b9511c
 SHA512:
-  metadata.gz: 1c26e2052e3f599c7f28c19892948c6b3f8cdeef005a4dc54762b4e74309ac32ef794115b0e46d2364624b26debb85a6aaebc938813d08e69e9c670c3bf79ae6
-  data.tar.gz: 15bdc1f27280a327a1270ddf794b484d68f88af959c2d49361ef0e33c37e547b81166c8b92ef400f7e9a62c8192820bd58042733335ff4a9c3f1a77b660f775f
+  metadata.gz: bd4eb208e63b468bd0b97bda5b8202a7954e6545e05b6a600fcd0a1d703303e99ff2ffbd929ec63142e118267a61cc1cd7f62f5deed6b47ed05e1e6bed50291b
+  data.tar.gz: 98fcb31d4441433ac6bd216aec193446d4e06c6116e038bf8d6c5166275937b8301879c3b2d454a1cf86fe9ed6a373898d7f808b35ef4881885231762dcba5b4

data/CHANGELOG.md

@@ -1,200 +1,191 @@
-## Rails 7.2.3 (October 28, 2025) ##
+## Rails 8.1.3 (March 24, 2026) ##
 
-*   Fix `javascript_include_tag` `type` option to accept either strings and symbols.
+*   Fix encoding errors for string locals containing non-ASCII characters.
 
-    ```ruby
-    javascript_include_tag "application", type: :module
-    javascript_include_tag "application", type: "module"
-    ```
-
-    Previously, only the string value was recoginized.
-
-    *Jean Boussier*
-
-*   Fix `excerpt` helper with non-whitespace separator.
-
-    *Jonathan Hefner*
-
-*   Respect `html_options[:form]` when `collection_checkboxes` generates the
-    hidden `<input>`.
-
-    *Riccardo Odone*
+    *Kataoka Katsuki*
 
-*   Layouts have access to local variables passed to `render`.
+*   Fix collection caching to only forward `expires_in` argument if explicitly set.
 
-    This fixes #31680 which was a regression in Rails 5.1.
+    *Pieter Visser*
 
-    *Mike Dalessio*
+## Rails 8.1.2.1 (March 23, 2026) ##
 
-*   Argument errors related to strict locals in templates now raise an
-    `ActionView::StrictLocalsError`, and all other argument errors are reraised as-is.
+*   Fix possible XSS in DebugExceptions middleware
 
-    Previously, any `ArgumentError` raised during template rendering was swallowed during strict
-    local error handling, so that an `ArgumentError` unrelated to strict locals (e.g., a helper
-    method invoked with incorrect arguments) would be replaced by a similar `ArgumentError` with an
-    unrelated backtrace, making it difficult to debug templates.
+    [CVE-2026-33167]
 
-    Now, any `ArgumentError` unrelated to strict locals is reraised, preserving the original
-    backtrace for developers.
+    *John Hawthorn*
 
-    Also note that `ActionView::StrictLocalsError` is a subclass of `ArgumentError`, so any existing
-    code that rescues `ArgumentError` will continue to work.
+*   Skip blank attribute names in tag helpers to avoid generating invalid HTML.
 
-    Fixes #52227.
+    [CVE-2026-33168]
 
     *Mike Dalessio*
 
-*   Fix stack overflow error in dependency tracker when dealing with circular dependencies
-
-    *Jean Boussier*
-
-*   Fix a crash in ERB template error highlighting when the error occurs on a
-    line in the compiled template that is past the end of the source template.
-
-    *Martin Emde*
-
-*   Improve reliability of ERB template error highlighting.
-    Fix infinite loops and crashes in highlighting and
-    improve tolerance for alternate ERB handlers.
-
-    *Martin Emde*
 
+## Rails 8.1.2 (January 08, 2026) ##
 
-## Rails 7.2.2.2 (August 13, 2025) ##
+*   Fix `file_field` to join mime types with a comma when provided as Array
 
-*   No changes.
+    ```ruby
+    file_field(:article, :image, accept: ['image/png', 'image/gif', 'image/jpeg'])
+    ```
 
+    Now behaves likes:
 
-## Rails 7.2.2.1 (December 10, 2024) ##
+    ```
+    file_field(:article, :image, accept: 'image/png,image/gif,image/jpeg')
+    ```
 
-*   No changes.
+    *Bogdan Gusiev*
 
+*   Fix strict locals parsing to handle multiline definitions.
 
-## Rails 7.2.2 (October 30, 2024) ##
+    *Said Kaldybaev*
 
-*   No changes.
+*   Fix `content_security_policy_nonce` error in mailers when using `content_security_policy_nonce_auto` setting.
 
+    The `content_security_policy_nonce helper` is provided by `ActionController::ContentSecurityPolicy`, and it relies on `request.content_security_policy_nonc`e. Mailers lack both the module and the request object.
 
-## Rails 7.2.1.2 (October 23, 2024) ##
+    *Jarrett Lusso*
 
-*   No changes.
 
+## Rails 8.1.1 (October 28, 2025) ##
 
-## Rails 7.2.1.1 (October 15, 2024) ##
+*   Respect `remove_hidden_field_autocomplete` config in form builder `hidden_field`.
 
-*   No changes.
+    *Rafael Mendonça França*
 
 
-## Rails 7.2.1 (August 22, 2024) ##
+## Rails 8.1.0 (October 22, 2025) ##
 
-*   No changes.
+*   The BEGIN template annotation/comment was previously printed on the same line as the following element. We now insert a newline inside the comment so it spans two lines without adding visible whitespace to the HTML output to enhance readability.
 
+    Before:
+    ```
+    <!-- BEGIN /Users/siaw23/Desktop/rails/actionview/test/fixtures/actionpack/test/greeting.html.erb --><p>This is grand!</p>
+    ```
 
-## Rails 7.2.0 (August 09, 2024) ##
+    After:
+    ```
+    <!-- BEGIN /Users/siaw23/Desktop/rails/actionview/test/fixtures/actionpack/test/greeting.html.erb
+    --><p>This is grand!</p>
+    ```
+    *Emmanuel Hayford*
 
-*   Fix templates with strict locals to also include `local_assigns`.
+*   Add structured events for Action View:
+    - `action_view.render_template`
+    - `action_view.render_partial`
+    - `action_view.render_layout`
+    - `action_view.render_collection`
+    - `action_view.render_start`
 
-    Previously templates defining strict locals wouldn't receive the `local_assigns`
-    hash.
+    *Gannon McGibbon*
 
-    *Jean Boussier*
+*   Fix label with `for` option not getting prefixed by form `namespace` value
 
-*   Add queries count to template rendering instrumentation.
+    *Abeid Ahmed*, *Hartley McGuire*
 
-    ```
-    # Before
-    Completed 200 OK in 3804ms (Views: 41.0ms | ActiveRecord: 33.5ms | Allocations: 112788)
+*   Add `fetchpriority` to Link headers to match HTML generated by `preload_link_tag`.
 
-    # After
-    Completed 200 OK in 3804ms (Views: 41.0ms | ActiveRecord: 33.5ms (2 queries, 1 cached) | Allocations: 112788)
-    ```
+    *Guillermo Iguaran*
 
-    *fatkodima*
+*   Add CSP `nonce` to Link headers generated by `preload_link_tag`.
 
-*   Raise `ArgumentError` if `:renderable` object does not respond to `#render_in`.
+    *Alexander Gitter*
 
-    *Sean Doyle*
+*   Allow `current_page?` to match against specific HTTP method(s) with a `method:` option.
 
-*   Add the `nonce: true` option for `stylesheet_link_tag` helper to support automatic nonce generation for Content Security Policy.
+    *Ben Sheldon*
 
-    Works the same way as `javascript_include_tag nonce: true` does.
+*   Remove `autocomplete="off"` on hidden inputs generated by the following
+    tags:
 
-    *Akhil G Krishnan*, *AJ Esler*
+    * `form_tag`, `token_tag`, `method_tag`
 
-*   Parse `ActionView::TestCase#rendered` HTML content as `Nokogiri::XML::DocumentFragment` instead of `Nokogiri::XML::Document`.
+    As well as the hidden parameter fields included in `button_to`,
+    `check_box`, `select` (with `multiple`) and `file_field` forms.
 
-    *Sean Doyle*
+    *nkulway*
 
-*   Rename `ActionView::TestCase::Behavior::Content` to `ActionView::TestCase::Behavior::RenderedViewContent`.
+*   Enable configuring the strategy for tracking dependencies between Action
+    View templates.
 
-    Make `RenderedViewContent` inherit from `String`. Make private API with `:nodoc:`
+    The existing `:regex` strategy is kept as the default, but with
+    `load_defaults 8.1` the strategy will be `:ruby` (using a real Ruby parser).
 
-    *Sean Doyle*
+    *Hartley McGuire*
 
-*   Deprecate passing `nil` as value for the `model:` argument to the `form_with` method.
+*   Introduce `relative_time_in_words` helper
 
-    *Collin Jilbert*
+    ```ruby
+    relative_time_in_words(3.minutes.from_now) # => "in 3 minutes"
+    relative_time_in_words(3.minutes.ago) # => "3 minutes ago"
+    relative_time_in_words(10.seconds.ago, include_seconds: true) # => "less than 10 seconds ago"
+    ```
 
-*   Alias `field_set_tag` helper to `fieldset_tag` to match `<fieldset>` element.
+    *Matheus Richard*
 
-    *Sean Doyle*
+*   Make `nonce: false` remove the nonce attribute from `javascript_tag`, `javascript_include_tag`, and `stylesheet_link_tag`.
 
-*   Deprecate passing content to void elements when using `tag.br` type tag builders.
+    *francktrouillez*
 
-    *Hartley McGuire*
+*   Add `dom_target` helper to create `dom_id`-like strings from an unlimited
+    number of objects.
 
-*   Fix the `number_to_human_size` view helper to correctly work with negative numbers.
+    *Ben Sheldon*
 
-    *Earlopain*
+*   Respect `html_options[:form]` when `collection_checkboxes` generates the
+    hidden `<input>`.
 
-*   Automatically discard the implicit locals injected by collection rendering for template that can't accept them.
+    *Riccardo Odone*
 
-    When rendering a collection, two implicit variables are injected, which breaks templates with strict locals.
+*   Layouts have access to local variables passed to `render`.
 
-    Now they are only passed if the template will actually accept them.
+    This fixes #31680 which was a regression in Rails 5.1.
 
-    *Yasha Krasnou*, *Jean Boussier*
+    *Mike Dalessio*
 
-*   Fix `@rails/ujs` calling `start()` an extra time when using bundlers.
+*   Argument errors related to strict locals in templates now raise an
+    `ActionView::StrictLocalsError`, and all other argument errors are reraised as-is.
 
-    *Hartley McGuire*, *Ryunosuke Sato*
+    Previously, any `ArgumentError` raised during template rendering was swallowed during strict
+    local error handling, so that an `ArgumentError` unrelated to strict locals (e.g., a helper
+    method invoked with incorrect arguments) would be replaced by a similar `ArgumentError` with an
+    unrelated backtrace, making it difficult to debug templates.
 
-*   Fix the `capture` view helper compatibility with HAML and Slim.
+    Now, any `ArgumentError` unrelated to strict locals is reraised, preserving the original
+    backtrace for developers.
 
-    When a blank string was captured in HAML or Slim (and possibly other template engines)
-    it would instead return the entire buffer.
+    Also note that `ActionView::StrictLocalsError` is a subclass of `ArgumentError`, so any existing
+    code that rescues `ArgumentError` will continue to work.
 
-    *Jean Boussier*
+    Fixes #52227.
 
-*   Updated `@rails/ujs` files to ignore certain data-* attributes when element is contenteditable.
+    *Mike Dalessio*
 
-    This fix was already landed in >= 7.0.4.3, < 7.1.0.
-    [[CVE-2023-23913](https://github.com/advisories/GHSA-xp5h-f8jf-rc8q)]
+*   Improve error highlighting of multi-line methods in ERB templates or
+    templates where the error occurs within a do-end block.
 
-    *Ryunosuke Sato*
+    *Martin Emde*
 
-*   Added validation for HTML tag names in the `tag` and `content_tag` helper method.
+*   Fix a crash in ERB template error highlighting when the error occurs on a
+    line in the compiled template that is past the end of the source template.
 
-    The `tag` and `content_tag` method now checks that the provided tag name adheres to the HTML
-    specification. If an invalid HTML tag name is provided, the method raises an `ArgumentError`
-    with an appropriate error message.
+    *Martin Emde*
 
-    Examples:
+*   Improve reliability of ERB template error highlighting.
+    Fix infinite loops and crashes in highlighting and
+    improve tolerance for alternate ERB handlers.
 
-    ```ruby
-    # Raises ArgumentError: Invalid HTML5 tag name: 12p
-    content_tag("12p") # Starting with a number
+    *Martin Emde*
 
-    # Raises ArgumentError: Invalid HTML5 tag name: ""
-    content_tag("") # Empty tag name
+*   Allow `hidden_field` and `hidden_field_tag` to accept a custom autocomplete value.
 
-    # Raises ArgumentError: Invalid HTML5 tag name: div/
-    tag("div/") # Contains a solidus
+    *brendon*
 
-    # Raises ArgumentError: Invalid HTML5 tag name: "image file"
-    tag("image file") # Contains a space
-    ```
+*   Add a new configuration `content_security_policy_nonce_auto` for automatically adding a nonce to the tags affected by the directives specified by the `content_security_policy_nonce_directives` configuration option.
 
-    *Akhil G Krishnan*
+    *francktrouillez*
 
-Please check [7-1-stable](https://github.com/rails/rails/blob/7-1-stable/actionview/CHANGELOG.md) for previous changes.
+Please check [8-0-stable](https://github.com/rails/rails/blob/8-0-stable/actionview/CHANGELOG.md) for previous changes.

data/lib/action_view/base.rb

@@ -4,6 +4,7 @@ require "active_support/core_ext/module/attr_internal"
 require "active_support/core_ext/module/attribute_accessors"
 require "active_support/ordered_options"
 require "action_view/log_subscriber"
+require "action_view/structured_event_subscriber"
 require "action_view/helpers"
 require "action_view/context"
 require "action_view/template"
@@ -181,6 +182,10 @@ module ActionView # :nodoc:
     class_attribute :_routes
     class_attribute :logger
 
+    # Specify whether to omit autocomplete="off" on hidden inputs generated by helpers.
+    # Configured via `config.action_view.remove_hidden_field_autocomplete`
+    cattr_accessor :remove_hidden_field_autocomplete, default: false
+
     class << self
       delegate :erb_trim_mode=, to: "ActionView::Template::Handlers::ERB"
 
@@ -242,8 +247,6 @@ module ActionView # :nodoc:
     # :startdoc:
 
     def initialize(lookup_context, assigns, controller) # :nodoc:
-      @_config = ActiveSupport::InheritableOptions.new
-
       @lookup_context = lookup_context
 
       @view_renderer = ActionView::Renderer.new @lookup_context

data/lib/action_view/buffers.rb

@@ -45,7 +45,7 @@ module ActionView
         @raw_buffer << if value.html_safe?
           value
         else
-          CGI.escapeHTML(value)
+          ERB::Util.unwrapped_html_escape(value)
         end
       end
       self

data/lib/action_view/dependency_tracker/erb_tracker.rb

@@ -74,7 +74,7 @@ module ActionView
       end
 
       def dependencies
-        render_dependencies + explicit_dependencies
+        WildcardResolver.new(@view_paths, render_dependencies + explicit_dependencies).resolve
       end
 
       attr_reader :name, :template
@@ -90,15 +90,15 @@ module ActionView
         end
 
         def render_dependencies
-          render_dependencies = []
-          render_calls = source.split(/\brender\b/).drop(1)
+          dependencies = []
+          render_calls = source.scan(/<%(?:(?:(?!<%).)*?\brender\b((?:(?!%>).)*?))%>/m).flatten
 
           render_calls.each do |arguments|
-            add_dependencies(render_dependencies, arguments, LAYOUT_DEPENDENCY)
-            add_dependencies(render_dependencies, arguments, RENDER_ARGUMENTS)
+            add_dependencies(dependencies, arguments, LAYOUT_DEPENDENCY)
+            add_dependencies(dependencies, arguments, RENDER_ARGUMENTS)
           end
 
-          render_dependencies.uniq
+          dependencies
         end
 
         def add_dependencies(render_dependencies, arguments, pattern)
@@ -116,12 +116,37 @@ module ActionView
         end
 
         def add_static_dependency(dependencies, dependency, quote_type)
-          if quote_type == '"'
-            # Ignore if there is interpolation
-            return if dependency.include?('#{')
-          end
+          if quote_type == '"' && dependency.include?('#{')
+            scanner = StringScanner.new(dependency)
+
+            wildcard_dependency = +""
+
+            while !scanner.eos?
+              if scanner.scan_until(/\#{/)
+                unmatched_brackets = 1
+                wildcard_dependency << scanner.pre_match
+
+                while unmatched_brackets > 0 && !scanner.eos?
+                  found = scanner.scan_until(/[{}]/)
+                  return unless found
+
+                  case scanner.matched
+                  when "{"
+                    unmatched_brackets += 1
+                  when "}"
+                    unmatched_brackets -= 1
+                  end
+                end
+
+                wildcard_dependency << "*"
+              else
+                wildcard_dependency << scanner.rest
+                scanner.terminate
+              end
+            end
 
-          if dependency
+            dependencies << wildcard_dependency
+          elsif dependency
             if dependency.include?("/")
               dependencies << dependency
             else
@@ -130,24 +155,8 @@ module ActionView
           end
         end
 
-        def resolve_directories(wildcard_dependencies)
-          return [] unless @view_paths
-          return [] if wildcard_dependencies.empty?
-
-          # Remove trailing "/*"
-          prefixes = wildcard_dependencies.map { |query| query[0..-3] }
-
-          @view_paths.flat_map(&:all_template_paths).uniq.filter_map { |path|
-            path.to_s if prefixes.include?(path.prefix)
-          }.sort
-        end
-
         def explicit_dependencies
-          dependencies = source.scan(EXPLICIT_DEPENDENCY).flatten.uniq
-
-          wildcards, explicits = dependencies.partition { |dependency| dependency.end_with?("/*") }
-
-          (explicits + resolve_directories(wildcards)).uniq
+          source.scan(EXPLICIT_DEPENDENCY).flatten.uniq
         end
     end
   end

data/lib/action_view/dependency_tracker/ruby_tracker.rb

@@ -10,7 +10,7 @@ module ActionView
       end
 
       def dependencies
-        render_dependencies + explicit_dependencies
+        WildcardResolver.new(view_paths, render_dependencies + explicit_dependencies).resolve
       end
 
       def self.supports_view_paths? # :nodoc:
@@ -31,29 +31,12 @@ module ActionView
           compiled_source = template.handler.call(template, template.source)
 
           @parser_class.new(@name, compiled_source).render_calls.filter_map do |render_call|
-            next if render_call.end_with?("/_")
             render_call.gsub(%r|/_|, "/")
           end
         end
 
         def explicit_dependencies
-          dependencies = template.source.scan(EXPLICIT_DEPENDENCY).flatten.uniq
-
-          wildcards, explicits = dependencies.partition { |dependency| dependency.end_with?("/*") }
-
-          (explicits + resolve_directories(wildcards)).uniq
-        end
-
-        def resolve_directories(wildcard_dependencies)
-          return [] unless view_paths
-          return [] if wildcard_dependencies.empty?
-
-          # Remove trailing "/*"
-          prefixes = wildcard_dependencies.map { |query| query[0..-3] }
-
-          view_paths.flat_map(&:all_template_paths).uniq.filter_map { |path|
-            path.to_s if prefixes.include?(path.prefix)
-          }.sort
+          template.source.scan(EXPLICIT_DEPENDENCY).flatten.uniq
         end
     end
   end

data/lib/action_view/dependency_tracker/wildcard_resolver.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module ActionView
+  class DependencyTracker # :nodoc:
+    class WildcardResolver # :nodoc:
+      def initialize(view_paths, dependencies)
+        @view_paths = view_paths
+
+        @wildcard_dependencies, @explicit_dependencies =
+          dependencies.partition { |dependency| dependency.end_with?("/*") }
+      end
+
+      def resolve
+        return explicit_dependencies.uniq if !view_paths || wildcard_dependencies.empty?
+
+        (explicit_dependencies + resolved_wildcard_dependencies).uniq
+      end
+
+      private
+        attr_reader :explicit_dependencies, :wildcard_dependencies, :view_paths
+
+        def resolved_wildcard_dependencies
+          # Remove trailing "/*"
+          prefixes = wildcard_dependencies.map { |query| query[0..-3] }
+
+          view_paths.flat_map(&:all_template_paths).uniq.filter_map { |path|
+            path.to_s if prefixes.include?(path.prefix)
+          }.sort
+        end
+    end
+  end
+end

data/lib/action_view/dependency_tracker.rb

@@ -10,6 +10,7 @@ module ActionView
 
     autoload :ERBTracker
     autoload :RubyTracker
+    autoload :WildcardResolver
 
     @trackers = Concurrent::Map.new
 
@@ -35,6 +36,11 @@ module ActionView
       @trackers.delete(handler)
     end
 
-    register_tracker :erb, ERBTracker
+    case ActionView.render_tracker
+    when :ruby
+      register_tracker :erb, RubyTracker
+    else
+      register_tracker :erb, ERBTracker
+    end
   end
 end

data/lib/action_view/gem_version.rb

@@ -7,8 +7,8 @@ module ActionView
   end
 
   module VERSION
-    MAJOR = 7
-    MINOR = 2
+    MAJOR = 8
+    MINOR = 1
     TINY  = 3
     PRE   = nil
 

data/lib/action_view/helpers/asset_tag_helper.rb

@@ -26,6 +26,8 @@ module ActionView
       mattr_accessor :image_decoding
       mattr_accessor :preload_links_header
       mattr_accessor :apply_stylesheet_media_default
+      mattr_accessor :auto_include_nonce_for_scripts
+      mattr_accessor :auto_include_nonce_for_styles
 
       # Returns an HTML script tag for each of the +sources+ provided.
       #
@@ -127,6 +129,7 @@ module ActionView
             preload_link = "<#{href}>; rel=#{rel}; as=script"
             preload_link += "; crossorigin=#{crossorigin}" unless crossorigin.nil?
             preload_link += "; integrity=#{integrity}" unless integrity.nil?
+            preload_link += "; nonce=#{content_security_policy_nonce}" if options["nonce"] == true
             preload_link += "; nopush" if nopush
             preload_links << preload_link
           end
@@ -134,8 +137,10 @@ module ActionView
             "src" => href,
             "crossorigin" => crossorigin
           }.merge!(options)
-          if tag_options["nonce"] == true
+          if tag_options["nonce"] == true || (!tag_options.key?("nonce") && auto_include_nonce_for_scripts)
             tag_options["nonce"] = content_security_policy_nonce
+          elsif tag_options["nonce"] == false
+            tag_options.delete("nonce")
           end
           content_tag("script", "", tag_options)
         }.join("\n").html_safe
@@ -215,6 +220,7 @@ module ActionView
             preload_link = "<#{href}>; rel=preload; as=style"
             preload_link += "; crossorigin=#{crossorigin}" unless crossorigin.nil?
             preload_link += "; integrity=#{integrity}" unless integrity.nil?
+            preload_link += "; nonce=#{content_security_policy_nonce}" if options["nonce"] == true
             preload_link += "; nopush" if nopush
             preload_links << preload_link
           end
@@ -223,8 +229,10 @@ module ActionView
             "crossorigin" => crossorigin,
             "href" => href
           }.merge!(options)
-          if tag_options["nonce"] == true
+          if tag_options["nonce"] == true || (!tag_options.key?("nonce") && auto_include_nonce_for_styles && respond_to?(:content_security_policy_nonce))
             tag_options["nonce"] = content_security_policy_nonce
+          elsif tag_options["nonce"] == false
+            tag_options.delete("nonce")
           end
 
           if apply_stylesheet_media_default && tag_options["media"].blank?
@@ -360,8 +368,16 @@ module ActionView
         crossorigin = options.delete(:crossorigin)
         crossorigin = "anonymous" if crossorigin == true || (crossorigin.blank? && as_type == "font")
         integrity = options[:integrity]
+        fetchpriority = options.delete(:fetchpriority)
         nopush = options.delete(:nopush) || false
         rel = mime_type == "module" || mime_type == :module ? "modulepreload" : "preload"
+        add_nonce = content_security_policy_nonce &&
+          respond_to?(:request) &&
+          request.content_security_policy_nonce_directives&.include?("#{as_type}-src")
+
+        if add_nonce
+          options[:nonce] = content_security_policy_nonce
+        end
 
         link_tag = tag.link(
           rel: rel,
@@ -369,12 +385,15 @@ module ActionView
           as: as_type,
           type: mime_type,
           crossorigin: crossorigin,
+          fetchpriority: fetchpriority,
           **options.symbolize_keys)
 
         preload_link = "<#{href}>; rel=#{rel}; as=#{as_type}"
         preload_link += "; type=#{mime_type}" if mime_type
         preload_link += "; crossorigin=#{crossorigin}" if crossorigin
+        preload_link += "; fetchpriority=#{fetchpriority}" if fetchpriority
         preload_link += "; integrity=#{integrity}" if integrity
+        preload_link += "; nonce=#{content_security_policy_nonce}" if add_nonce
         preload_link += "; nopush" if nopush
 
         send_preload_links_header([preload_link])

data/lib/action_view/helpers/atom_feed_helper.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "set"
-
 module ActionView
   module Helpers # :nodoc:
     # = Action View Atom Feed \Helpers