rails--rails/actionpack/CHANGELOG.md

*   Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
    a 307 redirection.

    *Edouard Chin*

*   System tests require Capybara 3.26 or newer.

    *George Claghorn*

*   Reduced log noise handling ActionController::RoutingErrors.

    *Alberto Fernández-Capel*

*   Add DSL for configuring HTTP Feature Policy

    This new DSL provides a way to configure a HTTP Feature Policy at a
    global or per-controller level. Full details of HTTP Feature Policy
    specification and guidelines can be found at MDN:

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy

    Example global policy

    ```
    Rails.application.config.feature_policy do |f|
      f.camera      :none
      f.gyroscope   :none
      f.microphone  :none
      f.usb         :none
      f.fullscreen  :self
      f.payment     :self, "https://secure.example.com"
    end
    ```

    Example controller level policy

    ```
    class PagesController < ApplicationController
      feature_policy do |p|
        p.geolocation "https://example.com"
      end
    end
    ```

    *Jacob Bednarz*

*   Add the ability to set the CSP nonce only to the specified directives.

    Fixes #35137.

    *Yuji Yaginuma*

*   Keep part when scope option has value.

    When a route was defined within an optional scope, if that route didn't
    take parameters the scope was lost when using path helpers. This commit
    ensures scope is kept both when the route takes parameters or when it
    doesn't.

    Fixes #33219.

    *Alberto Almagro*

*   Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.

    *Gustavo Gutierrez*

*   Calling `ActionController::Parameters#transform_keys/!` without a block now returns
    an enumerator for the parameters instead of the underlying hash.

    *Eugene Kenny*

*   Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
    It should only block invalid key's values instead.

    *Stan Lo*


Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
fix `follow_redirect!` not using the same HTTP verb on 307 redirection: - According to the HTTP 1.1 spec, the 307 redirection guarantees that the method and the body will not be changed during redirection. This PR fixes that since follow_redirect! would always follow the redirection my making a GET request. Ref https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/307 2018-10-12 02:06:13 -04:00			* Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
			`a 307 redirection.`

			`Edouard Chin`

Stop setting a default Capybara app host It's intended not to be set if Capybara starts the app server itself. Base Rails-generated URLs off of Capybara.current_session.server_url instead. 2019-07-24 22:19:21 -04:00			`* System tests require Capybara 3.26 or newer.`

			`George Claghorn`

Reduce log noise handling ActionController::RoutingErrors Each time a missing route is hit 32 lines of internal rails traces are written to the log. This is overly verbose and doesn't offer any actionable information to the user. With this change we'll still write an error message showing the route error but the trace will be omitted. 2018-01-04 06:27:14 -05:00			`* Reduced log noise handling ActionController::RoutingErrors.`

			`Alberto Fernández-Capel`

Adds support for configuring HTTP Feature Policy (#33439) A HTTP feature policy is Yet Another HTTP header for instructing the browser about which features the application intends to make use of and to lock down access to others. This is a new security mechanism that ensures that should an application become compromised or a third party attempts an unexpected action, the browser will override it and maintain the intended UX. WICG specification: https://wicg.github.io/feature-policy/ The end result is a HTTP header that looks like the following: ``` Feature-Policy: geolocation 'none'; autoplay https://example.com ``` This will prevent the browser from using geolocation and only allow autoplay on `https://example.com`. Full feature list can be found over in the WICG repository[1]. As of today Chrome and Safari have public support[2] for this functionality with Firefox working on support[3] and Edge still pending acceptance of the suggestion[4]. #### Examples Using an initializer ```rb # config/initializers/feature_policy.rb Rails.application.config.feature_policy do \|f\| f.geolocation :none f.camera :none f.payment "https://secure.example.com" f.fullscreen :self end ``` In a controller ```rb class SampleController < ApplicationController def index feature_policy do \|f\| f.geolocation "https://example.com" end end end ``` Some of you might realise that the HTTP feature policy looks pretty close to that of a Content Security Policy; and you're right. So much so that I used the Content Security Policy DSL from #31162 as the starting point for this change. This change doesn't introduce support for defining a feature policy on an iframe and this has been intentionally done to split the HTTP header and the HTML element (`iframe`) support. If this is successful, I'll look to add that on it's own. Full documentation on HTTP feature policies can be found at https://wicg.github.io/feature-policy/. Google have also published[5] a great in-depth write up of this functionality. [1]: https://github.com/WICG/feature-policy/blob/master/features.md [2]: https://www.chromestatus.com/feature/5694225681219584 [3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1390801 [4]: https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/33507907-support-feature-policy [5]: https://developers.google.com/web/updates/2018/06/feature-policy 2019-07-10 18:33:16 -04:00			`* Add DSL for configuring HTTP Feature Policy`

			`This new DSL provides a way to configure a HTTP Feature Policy at a`
			`global or per-controller level. Full details of HTTP Feature Policy`
			`specification and guidelines can be found at MDN:`

			`https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy`

			`Example global policy`

			```
			`Rails.application.config.feature_policy do \|f\|`
			`f.camera :none`
			`f.gyroscope :none`
			`f.microphone :none`
			`f.usb :none`
			`f.fullscreen :self`
Use reserved domain for example configuration Updates the generator output to use a reserved domain[1] instead of a potentially real world domain. [1]: https://tools.ietf.org/html/rfc2606#section-3 2019-07-14 17:10:22 -04:00			`f.payment :self, "https://secure.example.com"`
Adds support for configuring HTTP Feature Policy (#33439) A HTTP feature policy is Yet Another HTTP header for instructing the browser about which features the application intends to make use of and to lock down access to others. This is a new security mechanism that ensures that should an application become compromised or a third party attempts an unexpected action, the browser will override it and maintain the intended UX. WICG specification: https://wicg.github.io/feature-policy/ The end result is a HTTP header that looks like the following: ``` Feature-Policy: geolocation 'none'; autoplay https://example.com ``` This will prevent the browser from using geolocation and only allow autoplay on `https://example.com`. Full feature list can be found over in the WICG repository[1]. As of today Chrome and Safari have public support[2] for this functionality with Firefox working on support[3] and Edge still pending acceptance of the suggestion[4]. #### Examples Using an initializer ```rb # config/initializers/feature_policy.rb Rails.application.config.feature_policy do \|f\| f.geolocation :none f.camera :none f.payment "https://secure.example.com" f.fullscreen :self end ``` In a controller ```rb class SampleController < ApplicationController def index feature_policy do \|f\| f.geolocation "https://example.com" end end end ``` Some of you might realise that the HTTP feature policy looks pretty close to that of a Content Security Policy; and you're right. So much so that I used the Content Security Policy DSL from #31162 as the starting point for this change. This change doesn't introduce support for defining a feature policy on an iframe and this has been intentionally done to split the HTTP header and the HTML element (`iframe`) support. If this is successful, I'll look to add that on it's own. Full documentation on HTTP feature policies can be found at https://wicg.github.io/feature-policy/. Google have also published[5] a great in-depth write up of this functionality. [1]: https://github.com/WICG/feature-policy/blob/master/features.md [2]: https://www.chromestatus.com/feature/5694225681219584 [3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1390801 [4]: https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/33507907-support-feature-policy [5]: https://developers.google.com/web/updates/2018/06/feature-policy 2019-07-10 18:33:16 -04:00			`end`
			```

			`Example controller level policy`

			```
			`class PagesController < ApplicationController`
			`feature_policy do \|p\|`
			`p.geolocation "https://example.com"`
			`end`
			`end`
			```

			`Jacob Bednarz`

Add the ability to set the CSP nonce only to the specified directives I changed to set CSP nonce to `style-src` directive in #32932. But this causes an issue when `unsafe-inline` is specified to `style-src` (If a nonce is present, a nonce takes precedence over `unsafe-inline`). So, I fixed to nonce directives configurable. By configure this, users can make CSP as before. Fixes #35137. 2019-02-02 21:33:44 -05:00			`* Add the ability to set the CSP nonce only to the specified directives.`

			`Fixes #35137.`

			`Yuji Yaginuma`

Unify to use 4 spaces indentation in CHANGELOGs [ci skip] Especially, somehow `CHANGELOG.md` in actiontext and activestorage in master branch had used 3 spaces indentation. 2019-06-04 16:47:33 -04:00			`* Keep part when scope option has value.`
Keep part when scope option has value When a route was defined within an optional scope, if that route didn't take parameters the scope was lost when using path helpers. This patch ensures scope is kept both when the route takes parameters or when it doesn't. Fixes #33219 2018-12-08 16:42:40 -05:00
			`When a route was defined within an optional scope, if that route didn't`
			`take parameters the scope was lost when using path helpers. This commit`
			`ensures scope is kept both when the route takes parameters or when it`
			`doesn't.`

Unify to use 4 spaces indentation in CHANGELOGs [ci skip] Especially, somehow `CHANGELOG.md` in actiontext and activestorage in master branch had used 3 spaces indentation. 2019-06-04 16:47:33 -04:00			`Fixes #33219.`
Keep part when scope option has value When a route was defined within an optional scope, if that route didn't take parameters the scope was lost when using path helpers. This patch ensures scope is kept both when the route takes parameters or when it doesn't. Fixes #33219 2018-12-08 16:42:40 -05:00
			`Alberto Almagro`

Implemented deep_transform_keys/! for ActionController::Parameters 2019-05-17 09:13:03 -04:00			* Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.

			`Gustavo Gutierrez`

Return parameters enumerator from transform_keys/! Previously calling `ActionController::Parameters#transform_keys/!` without passing a block would return an enumerator for the underlying hash, which was inconsistent with the behaviour when a block was passed: ActionController::Parameters.new(foo: "bar").transform_keys { \|k\| k } => <ActionController::Parameters {"foo"=>"bar"} permitted: false> ActionController::Parameters.new(foo: "bar").transform_keys.each { \|k\| k } => {"foo"=>"bar"} An enumerator for the parameters is now returned instead, ensuring that evaluating it produces another parameters object instead of a hash: ActionController::Parameters.new(foo: "bar").transform_keys.each { \|k\| k } => <ActionController::Parameters {"foo"=>"bar"} permitted: false> 2019-05-18 17:49:32 -04:00			* Calling `ActionController::Parameters#transform_keys/!` without a block now returns
			`an enumerator for the parameters instead of the underlying hash.`

			`Eugene Kenny`

Unify to use 4 spaces indentation in CHANGELOGs [ci skip] Especially, somehow `CHANGELOG.md` in actiontext and activestorage in master branch had used 3 spaces indentation. 2019-06-04 16:47:33 -04:00			`* Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).`
			`It should only block invalid key's values instead.`
Make system tests take failed screenshots in `before_teardown` hook Previously we were calling the `take_failed_screenshot` method in an `after_teardown` hook. However, this means that other teardown hooks have to be executed before we take the screenshot. Since there can be dynamic updates to the page after the assertion fails and before we take a screenshot, it seems desirable to minimize that gap as much as possible. Taking the screenshot in a `before_teardown` rather than an `after_teardown` helps with that, and has a side benefit of allowing us to remove the nested `ensure` commented on here: https://github.com/rails/rails/pull/34411#discussion_r232819478 2019-04-20 22:09:50 -04:00
fixed usage of Parameters when a non-numeric key exists test for non-numeric key in nested attributes test: extra blank line between tests removed test for non-numeric key fixed (by Daniel) Update according to feedback 2017-08-01 14:02:41 -04:00			`Stan Lo`
Make system tests take failed screenshots in `before_teardown` hook Previously we were calling the `take_failed_screenshot` method in an `after_teardown` hook. However, this means that other teardown hooks have to be executed before we take the screenshot. Since there can be dynamic updates to the page after the assertion fails and before we take a screenshot, it seems desirable to minimize that gap as much as possible. Taking the screenshot in a `before_teardown` rather than an `after_teardown` helps with that, and has a side benefit of allowing us to remove the nested `ensure` commented on here: https://github.com/rails/rails/pull/34411#discussion_r232819478 2019-04-20 22:09:50 -04:00
Unify to use 4 spaces indentation in CHANGELOGs [ci skip] Especially, somehow `CHANGELOG.md` in actiontext and activestorage in master branch had used 3 spaces indentation. 2019-06-04 16:47:33 -04:00
Start Rails 6.1 development 2019-04-24 15:57:14 -04:00			`Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.`