2018-04-20 16:36:34 -04:00
|
|
|
* Introduce a new error page to when the implict render page is accessed in the browser.
|
2018-02-01 09:47:42 -05:00
|
|
|
|
2018-04-20 16:36:34 -04:00
|
|
|
Now instead of showing an error page that with exception and backtraces we now show only
|
|
|
|
|
one informative page.
|
|
|
|
|
|
|
|
|
|
*Vinicius Stock*
|
|
|
|
|
|
2016-02-24 16:19:57 -05:00
|
|
|
* Introduce ActionDispatch::DebugExceptions.register_interceptor
|
|
|
|
|
|
|
|
|
|
Exception aware plugin authors can use the newly introduced
|
|
|
|
|
`.register_interceptor` method to get the processed exception, instead of
|
|
|
|
|
monkey patching DebugExceptions.
|
|
|
|
|
|
|
|
|
|
ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
|
|
|
|
|
HypoteticalPlugin.capture_exception(request, exception)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
*Genadi Samokovarov*
|
|
|
|
|
|
2018-04-17 05:48:29 -04:00
|
|
|
* Output only one Content-Security-Policy nonce header value per request.
|
|
|
|
|
|
2018-04-19 04:50:09 -04:00
|
|
|
Fixes #32597.
|
2018-04-17 05:48:29 -04:00
|
|
|
|
2018-04-18 03:44:48 -04:00
|
|
|
*Andrey Novikov*, *Andrew White*
|
2018-04-17 05:48:29 -04:00
|
|
|
|
2018-04-06 15:13:28 -04:00
|
|
|
* Move default headers configuration into their own module that can be included in controllers.
|
|
|
|
|
|
|
|
|
|
*Kevin Deisz*
|
|
|
|
|
|
2018-04-06 08:02:44 -04:00
|
|
|
* Add method `dig` to `session`.
|
|
|
|
|
|
|
|
|
|
*claudiob*, *Takumi Shotoku*
|
|
|
|
|
|
Deprecate controller level force_ssl
Today there are two common ways for Rails developers to force their
applications to communicate over HTTPS:
* `config.force_ssl` is a setting in environment configurations that
enables the `ActionDispatch::SSL` middleware. With this middleware
enabled, all HTTP communication to your application will be redirected
to HTTPS. The middleware also takes care of other best practices by
setting HSTS headers, upgrading all cookies to secure only, etc.
* The `force_ssl` controller method redirects HTTP requests to certain
controllers to HTTPS.
As a consultant, I've seen many applications with misconfigured HTTPS
setups due to developers adding `force_ssl` to `ApplicationController`
and not enabling `config.force_ssl`. With this configuration, many
application requests can be served over HTTP such as assets, requests
that hit mounted engines, etc. In addition, because cookies are not
upgraded to secure only in this configuration and HSTS headers are not
set, it's possible for cookies that are meant to be secure to be sent
over HTTP.
The confusion between these two methods of forcing HTTPS is compounded
by the fact that they share an identical name. This makes finding
documentation on the "right" method confusing.
HTTPS throughout is quickly becomming table stakes for all web sites.
Sites are expected to operate over HTTPS for all communication,
sensitive or otherwise. Let's encourage use of the broader-reaching
`ActionDispatch::SSL` middleware and elminate this source of user
confusion. If, for some reason, applications need to expose certain
endpoints over HTTP they can do so by properly configuring
`config.ssl_options`.
2018-03-17 12:04:52 -04:00
|
|
|
* Controller level `force_ssl` has been deprecated in favor of
|
|
|
|
|
`config.force_ssl`.
|
|
|
|
|
|
|
|
|
|
*Derek Prior*
|
|
|
|
|
|
2018-02-17 16:02:18 -05:00
|
|
|
* Rails 6 requires Ruby 2.4.1 or newer.
|
|
|
|
|
|
|
|
|
|
*Jeremy Daer*
|
|
|
|
|
|
2018-01-08 22:14:22 -05:00
|
|
|
|
2018-01-30 18:51:17 -05:00
|
|
|
Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.
|