8f3c6a1005
Rails has incorrectly been adding leading dots to cookie domain values when the `domain: :all` option is present. This leading dot was required in cookies based on [RFC 2965][rfc2965] (October 2000), but [RFC 6265][rfc6265] (April 2011) changed that behaviour, making a leading dot strictly incorrect. Todays browsers aim to confirm to RFC6265 with repect to cookies. The new behaviour is that *any* cookie with an explicitly passed domain is sent to all matching subdomains[[ref][mdn]]. For a server to indicate that only the exact origin server should receive the cookie, it should instead pass *no* domain attribute. Despite the change in behaviour, browser devtools often display a cookie domain with a leading dot to indicate that it is valid for subdomains - this prefixed domain is *not* necessarily the raw value that was passed in the Set-Cookie header. This explains why it's a common belief among developers that the leading dot is required. RFC6265 standard gives UAs an algorithm to handle old-style cookie domain parameters (they can drop a leading dot if present), so it's unlikely that this error would ever have had any effect on web browsers. However, cookies generated this way can't be processed by Ruby's own CGI::Cookie class: > CGI::Cookie.new "domain" => ".foo.bar", "name" => "foo" ArgumentError: invalid domain: ".foo.bar" Newer versions of the Ruby CGI library accomodate the same fallback behaviour (dropping the extra dot) but this isn't a justification for it being the right way to set a cookie. [mdn]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#domain_attribute [rfc2965]: https://www.rfc-editor.org/rfc/rfc2965#section-3.2 [rfc6265]: https://www.rfc-editor.org/rfc/rfc6265#section-4.1.1 |
||
---|---|---|
.. | ||
bin | ||
lib | ||
test | ||
actionpack.gemspec | ||
CHANGELOG.md | ||
MIT-LICENSE | ||
Rakefile | ||
README.rdoc |
= Action Pack -- From request to response Action Pack is a framework for handling and responding to web requests. It provides mechanisms for *routing* (mapping request URLs to actions), defining *controllers* that implement actions, and generating responses. In short, Action Pack provides the controller layer in the MVC paradigm. It consists of several modules: * Action Dispatch, which parses information about the web request, handles routing as defined by the user, and does advanced processing related to HTTP such as MIME-type negotiation, decoding parameters in POST, PATCH, or PUT bodies, handling HTTP caching logic, cookies and sessions. * Action Controller, which provides a base controller class that can be subclassed to implement filters and actions to handle requests. The result of an action is typically content generated from views. With the Ruby on Rails framework, users only directly interface with the Action Controller module. Necessary Action Dispatch functionality is activated by default and Action View rendering is implicitly triggered by Action Controller. However, these modules are designed to function on their own and can be used outside of Rails. You can read more about Action Pack in the {Action Controller Overview}[https://guides.rubyonrails.org/action_controller_overview.html] guide. == Download and installation The latest version of Action Pack can be installed with RubyGems: $ gem install actionpack Source code can be downloaded as part of the Rails project on GitHub: * https://github.com/rails/rails/tree/main/actionpack == License Action Pack is released under the MIT license: * https://opensource.org/licenses/MIT == Support API documentation is at: * https://api.rubyonrails.org Bug reports for the Ruby on Rails project can be filed here: * https://github.com/rails/rails/issues Feature requests should be discussed on the rails-core mailing list here: * https://discuss.rubyonrails.org/c/rubyonrails-core