Problem description (quoted from @rafaelfranca's excellent explanation in https://github.com/rails/jquery-ujs/issues/318#issuecomment-88129005): > Let say that we requested /tasks/1 using Ajax, and the previous page has the same url. When we click the back button the browser tries to get the response from its cache and it gets the javascript response. With vary we "fix" this behavior because we are telling the browser that the url is the same but it is not from the same type what will skip the cache. And there's a Rails issue discussing about this problem as well https://github.com/rails/rails/issues/25842 Also, according to [RFC 7231 7.1.4](https://tools.ietf.org/html/rfc7231#section-7.1.4) > An origin server SHOULD send a Vary header field when its algorithm > for selecting a representation varies based on aspects of the request > message other than the method and request target we should add `Vary: Accept` header when determining content based on the `Accept` header. Although adding such header by default could cause unnecessary cache invalidation. But this PR only adds the header if: - The format param is not provided - The request is a `xhr` request - The request has accept headers and the headers are valid So if the user - sends request with explicit format, like `/users/1.json` - or sends a normal request (non xhr) - or doesn't specify accept headers then the header won't be added. See the discussion in https://github.com/rails/rails/issues/25842 and https://github.com/rails/rails/pull/36213 for more details.
2.7 KiB
-
Add
Vary: Accept
header when usingAccept
header for responseFor some requests like
/users/1
, Rails uses requests'Accept
header to determine what to return. And if we don't addVary
in the response header, browsers might accidentally cache different types of content, which would cause issues: e.g. javascript got displayed instead of html content. This PR fixes these issues by addingVary: Accept
in these types of requests. For more detailed problem description, please read:https://github.com/rails/rails/pull/36213
Fixes #25842
Stan Lo
-
Fix IntegrationTest
follow_redirect!
to follow redirection using the same HTTP verb when following a 307 redirection.Edouard Chin
-
System tests require Capybara 3.26 or newer.
George Claghorn
-
Reduced log noise handling ActionController::RoutingErrors.
Alberto Fernández-Capel
-
Add DSL for configuring HTTP Feature Policy
This new DSL provides a way to configure a HTTP Feature Policy at a global or per-controller level. Full details of HTTP Feature Policy specification and guidelines can be found at MDN:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
Example global policy
Rails.application.config.feature_policy do |f| f.camera :none f.gyroscope :none f.microphone :none f.usb :none f.fullscreen :self f.payment :self, "https://secure.example.com" end
Example controller level policy
class PagesController < ApplicationController feature_policy do |p| p.geolocation "https://example.com" end end
Jacob Bednarz
-
Add the ability to set the CSP nonce only to the specified directives.
Fixes #35137.
Yuji Yaginuma
-
Keep part when scope option has value.
When a route was defined within an optional scope, if that route didn't take parameters the scope was lost when using path helpers. This commit ensures scope is kept both when the route takes parameters or when it doesn't.
Fixes #33219.
Alberto Almagro
-
Added
deep_transform_keys
anddeep_transform_keys!
methods to ActionController::Parameters.Gustavo Gutierrez
-
Calling
ActionController::Parameters#transform_keys/!
without a block now returns an enumerator for the parameters instead of the underlying hash.Eugene Kenny
-
Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical). It should only block invalid key's values instead.
Stan Lo
Please check 6-0-stable for previous changes.