* Add details of cookie name and size to `CookieOverflow` exception.

    *Andy Waite*

* Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`

    Previously, if you set `config.active_record.query_log_tags` to an array that included
    `:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
    This bug has been fixed.

    *Alex Ghiculescu*

* Add the following permissions policy directives: `hid`, `idle-detection`, `screen-wake-lock`,
    `serial`, `sync-xhr`, `web-share`.

    *Guillaume Cabanel*

* The `speaker`, `vibrate`, and `vr` permissions policy directives are now
    deprecated.

    There is no browser support for these directives, and no plan for browser
    support in the future. You can just remove these directives from your
    application.

    *Jonathan Hefner*

* Added the `:status` option to `assert_redirected_to` to specify the precise
    HTTP status of the redirect. Defaults to `:redirect` for backwards
    compatibility.

    *Jon Dufresne*

* Rescue `JSON::ParserError` in Cookies JSON deserializer to discard marshal dumps:

    Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and
    the app tries to read a `:marshal` serialized cookie, it would error out, which wouldn't
    clear the cookie and would force app users to manually clear it in their browser.

    (See #45127 for original bug discussion)

    *Nathan Bardoux*

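Added example (not part of this changelog and not Rails' own code) of the behaviour the entry above describes: a JSON cookie deserializer that rescues `JSON::ParserError`, so a leftover `:marshal` cookie reads as `nil` and is overwritten on the next write, shown beside the strict version that raises and leaves the stale cookie in place. `CookieStore`, `migrate_legacy_cookie` and the `LEGACY_COOKIE` payload are constructed for the example; the legacy payload is only ever parsed as JSON, never passed to `Marshal.load`.

```ruby
require "json"

# Pre-fix behaviour: any payload that is not JSON raises, so a request that
# carries a cookie written by the old :marshal serializer fails outright.
def json_deserialize_strict(raw)
  JSON.parse(raw)
end

# Fixed behaviour: JSON::ParserError is rescued and the cookie reads as nil,
# exactly as if it were absent. The app proceeds and its next write replaces
# the stale value with a JSON cookie.
def json_deserialize_tolerant(raw)
  JSON.parse(raw)
rescue JSON::ParserError
  nil
end

# Constructed stand-in for a cookie jar: holds the (already verified and
# decoded) cookie payload, reads it with the JSON deserializer, writes JSON.
class CookieStore
  attr_reader :raw

  def initialize(raw)
    @raw = raw
  end

  def read
    json_deserialize_tolerant(raw)
  end

  def write(value)
    @raw = JSON.generate(value)
  end
end

# Constructed legacy payload: what a :marshal-serialized cookie value looks
# like after decoding. It is handed to JSON.parse only, never to Marshal.load.
LEGACY_COOKIE = Marshal.dump({ "user_id" => 42 })

# Reads the cookie through the tolerant deserializer and rewrites it, which is
# the path that clears a stale marshal cookie without user intervention.
def migrate_legacy_cookie(raw)
  store = CookieStore.new(raw)
  current = store.read        # nil for the marshal payload, no exception
  store.write(current || {})  # fresh JSON cookie replaces the stale one
  store
end

if __FILE__ == $0
  begin
    json_deserialize_strict(LEGACY_COOKIE)
  rescue JSON::ParserError => e
    puts "strict deserializer: #{e.class} (request fails, stale cookie stays)"
  end
  puts "tolerant deserializer: #{json_deserialize_tolerant(LEGACY_COOKIE).inspect}"
  puts "after rewrite: #{migrate_legacy_cookie(LEGACY_COOKIE).raw}"
end
```

The rescue is deliberately narrow: only the parse error that a foreign payload produces is swallowed, so a genuine bug elsewhere in the cookie pipeline still surfaces.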
* Add `HTTP_REFERER` when following redirects on integration tests

    This makes `follow_redirect!` a closer simulation of what happens in a real browser

    *Felipe Sateler*

* Added `exclude?` method to `ActionController::Parameters`.

    *Ian Neubert*

* Rescue `EOFError` exception from `rack` on a multipart request.

    *Nikita Vasilevsky*

* Log redirects from routes the same way as redirects from controllers.

    *Dennis Paagman*

* Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.

    Previously, if another middleware down the chain set the `Server-Timing` header,
    it would be overwritten by `ActionDispatch::ServerTiming`.

    *Jakub Malinowski*

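Added example (not from this changelog or from `ActionDispatch::ServerTiming` itself) of the merge behaviour described above, written as a Rack-style middleware that needs no gem because the `[status, headers, body]` triplet is plain Ruby. The `merge:` switch reproduces both the pre-fix overwrite and the fixed append; `ServerTimingMiddleware`, `DOWNSTREAM` and `server_timing_header` are constructed names.

```ruby
# Rack-style middleware that reports its own timing in Server-Timing without
# discarding metrics set by middleware further down the stack.
class ServerTimingMiddleware
  HEADER = "Server-Timing"

  # merge: false reproduces the pre-fix behaviour (header is replaced).
  def initialize(app, merge: true)
    @app = app
    @merge = merge
  end

  def call(env)
    start = Process.clock_gettime(Process::CLOCK_MONOTONIC, :float_millisecond)
    status, headers, body = @app.call(env)
    elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC, :float_millisecond) - start
    metric = format("app;dur=%.2f", elapsed)
    headers[HEADER] = @merge ? append_metric(headers[HEADER], metric) : metric
    [status, headers, body]
  end

  private

  # Server-Timing is a comma-separated list, so an existing value is kept and
  # the new metric is appended rather than the header being overwritten.
  def append_metric(existing, metric)
    parts = existing.to_s.split(",").map(&:strip).reject(&:empty?)
    (parts << metric).join(", ")
  end
end

# Constructed downstream app that already reports a database timing.
DOWNSTREAM = lambda { |_env| [200, { "Server-Timing" => "db;dur=12.50" }, ["ok"]] }

# Runs one request through the middleware and returns the resulting header.
def server_timing_header(merge:)
  _status, headers, _body = ServerTimingMiddleware.new(DOWNSTREAM, merge: merge).call({})
  headers["Server-Timing"]
end

if __FILE__ == $0
  puts "pre-fix:  #{server_timing_header(merge: false)}"   # db metric lost
  puts "fixed:    #{server_timing_header(merge: true)}"    # db metric kept
end
```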
* Allow opting out of the `SameSite` cookie attribute when setting a cookie.

    You can opt out of `SameSite` by passing `same_site: nil`.

    `cookies[:foo] = { value: "bar", same_site: nil }`

    Previously, this incorrectly set the `SameSite` attribute to the value of the `cookies_same_site_protection` setting.

    *Alex Ghiculescu*

* Allow using `helper_method`s in `content_security_policy` and `permissions_policy`

    Previously you could access basic helpers (defined in helper modules), but not
    helper methods defined using `helper_method`. Now you can use either.

    ```ruby
    content_security_policy do |p|
      p.default_src "https://example.com"
      p.script_src "https://example.com" if helpers.script_csp?
    end
    ```

    *Alex Ghiculescu*

* Reimplement `ActionController::Parameters#has_value?` and `#value?` to avoid parameters and hashes comparison.

    Deprecated equality between parameters and hashes is going to be removed in Rails 7.2.
    The new implementation takes care of conversions.

    *Seva Stefkin*

* Allow only String and Symbol keys in `ActionController::Parameters`.
    Raise `ActionController::InvalidParameterKey` when initializing Parameters
    with keys that aren't strings or symbols.

    *Seva Stefkin*

* Add the ability to use custom logic for storing and retrieving CSRF tokens.

    By default, the token will be stored in the session. Custom classes can be
    defined to specify arbitrary behavior, but the ability to store them in
    encrypted cookies is built in.

    *Andrew Kowpak*

* Make `ActionController::Parameters#values` cast nested hashes into parameters.

    *Gannon McGibbon*

* Introduce `html:` and `screenshot:` kwargs for system test screenshot helper

    Use these as an alternative to the already-available environment variables.

    For example, this will display a screenshot in iTerm, save the HTML, and output
    its path.

    ```ruby
    take_screenshot(html: true, screenshot: "inline")
    ```

    *Alex Ghiculescu*

* Allow `ActionController::Parameters#to_h` to receive a block.

    *Bob Farrell*

* Allow relative redirects when `raise_on_open_redirects` is enabled

    *Tom Hughes*

* Allow Content Security Policy DSL to generate for API responses.

    *Tim Wade*

* Fix `authenticate_with_http_basic` to allow for missing password.

    Before Rails 7.0 it was possible to handle basic authentication with only a username.

    ```ruby
    authenticate_with_http_basic do |token, _|
      ApiClient.authenticate(token)
    end
    ```

    This ability is restored.

    *Jean Boussier*

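Added example (not from this changelog and not Rails' own implementation) of the credential handling the entry above restores: an RFC 7617 `Authorization: Basic` parser that accepts a username with no password, yielding an empty string rather than failing, so a token-only client such as the `ApiClient` pattern shown keeps working. `parse_basic_credentials`, `basic_header`, `authenticate` and the `API_CLIENTS` registry with its `tok_live_EXAMPLE` placeholder are constructed; base64 is handled with `pack`/`unpack1` so no extra gem is needed.

```ruby
# Parses the value of an HTTP Basic Authorization header.
# Returns [user, password] or nil when the header is absent or malformed.
# A missing password (no ":" in the decoded userinfo) becomes "" instead of
# nil, which is what lets username-only API tokens authenticate.
def parse_basic_credentials(header)
  return nil unless header.is_a?(String)
  scheme, encoded = header.split(" ", 2)
  return nil unless scheme&.casecmp?("Basic") && encoded
  decoded = encoded.strip.unpack1("m")        # lenient base64 decode
  user, password = decoded.split(":", 2)
  return nil if user.nil? || user.empty?
  [user, password || ""]
end

# Builds the header a client would send; password nil means "token only".
def basic_header(user, password = nil)
  userinfo = password.nil? ? user : "#{user}:#{password}"
  "Basic #{[userinfo].pack("m0")}"            # strict base64, no line breaks
end

# Constructed registry of API tokens. The username carries the token, so the
# password part is irrelevant and may legitimately be empty.
API_CLIENTS = { "tok_live_EXAMPLE" => "acme" }.freeze

# Mirrors the block in the entry above: authenticate on the token alone.
def authenticate(header)
  creds = parse_basic_credentials(header)
  return nil unless creds
  token, _password = creds
  API_CLIENTS[token]
end

if __FILE__ == $0
  puts authenticate(basic_header("tok_live_EXAMPLE")).inspect   # "acme"
  puts authenticate(basic_header("unknown", "pw")).inspect       # nil
  puts authenticate("Bearer something-else").inspect             # nil
end
```

Unknown schemes, a missing encoded part and an empty username all fall through to `nil`, so the caller's "unauthorized" branch handles every malformed header the same way.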
* Fix `content_security_policy` returning invalid directives.

    Directives such as `self`, `unsafe-eval` and a few others were not
    single quoted when the directive was the result of calling a lambda
    returning an array.

    ```ruby
    content_security_policy do |policy|
      policy.frame_ancestors lambda { [:self, "https://example.com"] }
    end
    ```

    With this fix the policy generated from above will now be valid.

    *Edouard Chin*

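Added example (not this changelog's or Rails' code) of the quoting rule behind the fix above: CSP keyword source expressions such as `self` and `unsafe-eval` must be single-quoted in the header, and a bare `self` is read by the browser as a host named "self", so the intended restriction silently does not apply. `build_csp` resolves lambdas first and quotes afterwards, `build_csp_buggy` reproduces the pre-fix emission, and `unquoted_keywords` flags the bare tokens a reviewer would look for in a generated header. The function names, `CSP_KEYWORDS` and `POLICY` are constructed for the example.

```ruby
# Keyword source expressions that the CSP grammar requires to be single-quoted.
# Constructed list for the example; it is not Rails' own table.
CSP_KEYWORDS = %w[self unsafe-inline unsafe-eval none strict-dynamic report-sample].freeze

# Quotes keywords, leaves host and scheme sources as they are.
def csp_source(source)
  str = source.to_s
  CSP_KEYWORDS.include?(str) ? "'#{str}'" : str
end

# Resolves a directive's sources. A lambda is called (here without arguments;
# in Rails it receives the request) and its result is treated like any other
# source list, so quoting happens AFTER resolution.
def resolve_sources(sources)
  Array(sources).flat_map do |s|
    s.respond_to?(:call) ? resolve_sources(s.call) : [csp_source(s)]
  end
end

# Fixed behaviour: every keyword is quoted regardless of how it was supplied.
def build_csp(directives)
  directives.map { |name, sources| "#{name} #{resolve_sources(sources).join(' ')}" }.join("; ")
end

# Pre-fix behaviour for comparison: a lambda's array result was emitted
# verbatim, so keyword sources inside it were never quoted.
def build_csp_buggy(directives)
  directives.map do |name, sources|
    values = Array(sources).flat_map do |s|
      s.respond_to?(:call) ? Array(s.call).map(&:to_s) : [csp_source(s)]
    end
    "#{name} #{values.join(' ')}"
  end.join("; ")
end

# Detects the symptom in a generated header: a keyword present as a bare token.
def unquoted_keywords(policy)
  policy.split(/[;\s]+/).select { |tok| CSP_KEYWORDS.include?(tok) }
end

# The directive set from the entry above, plus a plain-array directive.
POLICY = {
  "frame-ancestors" => lambda { [:self, "https://example.com"] },
  "default-src"     => [:self],
}.freeze

if __FILE__ == $0
  buggy = build_csp_buggy(POLICY)
  puts "pre-fix: #{buggy}"
  puts "bare keywords: #{unquoted_keywords(buggy).inspect}"
  puts "fixed:   #{build_csp(POLICY)}"
end
```

The check in `unquoted_keywords` is cheap enough to run in a test against the policy an application actually emits, which catches this class of bug before a browser quietly ignores the directive.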
* Fix `skip_forgery_protection` to run without raising an error if forgery
    protection has not been enabled / `verify_authenticity_token` is not a
    defined callback.

    This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
    `ArgumentError` if `default_protect_from_forgery` is false.

    *Brad Trick*

* Make `redirect_to` return an empty response body.

    Application controllers that wish to add a response body after calling
    `redirect_to` can continue to do so.

    *Jon Dufresne*

* Use non-capturing group for subdomain matching in `ActionDispatch::HostAuthorization`

    Since we do nothing with the captured subdomain group, we can use a non-capturing group instead.

    *Sam Bostock*

* Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.

    Since its inception `ActionController::Live` has been copying thread local variables
    to keep things such as `CurrentAttributes` set from middlewares working in the controller action.

    With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
    `ActionController::Live` controllers.

    *Jean Boussier*

* Fix setting `trailing_slash: true` in route definition.

    ```ruby
    get '/test' => "test#index", as: :test, trailing_slash: true

    test_path() # => "/test/"
    ```

    *Jean Boussier*

* Make `Session#merge!` stringify keys.

    Previously `Session#update` would, but `merge!` wouldn't.

    *Drew Bragg*

Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md) for previous changes.