2021-09-20 00:39:49 -04:00
* Add Server-Timing middleware
The Server-Timing specification defines how the server can communicate to browsers performance metrics
about the request it is responding to.
The ServerTiming middleware is enabled by default in the `development` environment using the
`config.server_timing` setting and sets the relevant duration metrics in the `Server-Timing` header.
The full specification for the Server-Timing header can be found at: https://www.w3.org/TR/server-timing/#dfn-server-timing-header-field
*Sebastian Sogamoso*, *Guillermo Iguaran*
2021-09-15 18:22:51 -04:00
## Rails 7.0.0.alpha2 (September 15, 2021) ##
* No changes.
2021-09-15 17:55:08 -04:00
## Rails 7.0.0.alpha1 (September 15, 2021) ##
2021-08-28 12:41:08 -04:00
* Use a static error message when raising `ActionDispatch::Http::Parameters::ParseError`
to avoid inadvertently logging the HTTP request body at the `fatal` level when it contains
malformed JSON.
Fixes #41145
*Aaron Lahey*
2021-07-25 05:55:36 -04:00
* Add `Middleware#delete!` to delete middleware or raise if not found.
`Middleware#delete!` works just like `Middleware#delete` but will
raise an error if the middleware isn't found.
*Alex Ghiculescu*, *Petrik de Heus*, *Junichi Sato*
2021-01-15 19:22:14 -05:00
* Raise error on unpermitted open redirects.
Add `allow_other_host` option to `redirect_to`.
Opt in to this behaviour with `ActionController::Base.raise_on_open_redirects = true`.
*Gannon McGibbon*
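A plain-Ruby sketch of the kind of host check this entry describes, added here as an illustration and not taken from Rails; `checked_redirect_location`, `UnsafeRedirect`, `audit_redirects` and the sample hosts are assumptions of the example. It accepts local paths and http(s) URLs on the request's own host, and anything else only when `allow_other_host` is passed.

```ruby
require "uri"

# Hypothetical error class for this sketch (not a Rails constant).
class UnsafeRedirect < StandardError; end

# Returns the redirect target if it is acceptable, raises UnsafeRedirect otherwise.
# request_host: host of the current request (assumed already validated upstream).
def checked_redirect_location(location, request_host:, allow_other_host: false)
  target = location.to_str            # accept anything string-like
  return target if allow_other_host   # caller explicitly opted in

  begin
    uri = URI.parse(target)
  rescue URI::InvalidURIError
    raise UnsafeRedirect, "unparseable redirect location"
  end

  # A local path has neither scheme nor host. "//host/path" parses with a
  # host and no scheme, so it is not treated as local.
  local_path = uri.scheme.nil? && uri.host.nil? && target.start_with?("/")
  same_host  = %w[http https].include?(uri.scheme) &&
               uri.host.to_s.casecmp?(request_host)
  return target if local_path || same_host

  # Static message: the rejected URL is not echoed into logs.
  raise UnsafeRedirect, "redirect to another host was not permitted"
end

# Classifies each candidate location as :allowed or :blocked.
def audit_redirects(locations, request_host:)
  locations.to_h do |loc|
    checked_redirect_location(loc, request_host: request_host)
    [loc, :allowed]
  rescue UnsafeRedirect
    [loc, :blocked]
  end
end

# Constructed sample inputs for a request served on app.example.com.
SAMPLES = [
  "/account/settings",
  "https://app.example.com/dashboard",
  "https://other.example.net/landing",
  "//other.example.net/landing",
  "https://app.example.com@other.example.net/",
].freeze

RESULT = audit_redirects(SAMPLES, request_host: "app.example.com")
```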
2021-07-20 10:10:58 -04:00
* Deprecate `poltergeist` and `webkit` (capybara-webkit) driver registration for system testing (they will be removed in Rails 7.1). Add `cuprite` instead.
[Poltergeist](https://github.com/teampoltergeist/poltergeist) and [capybara-webkit](https://github.com/thoughtbot/capybara-webkit) are no longer maintained. Their usage in Rails is removed to avoid confusing users.
[Cuprite](https://github.com/rubycdp/cuprite) is a good alternative to Poltergeist. Some guide descriptions now refer to Cuprite instead of Poltergeist.
*Yusuke Iwaki*
2021-07-13 10:04:15 -04:00
* Exclude additional flash types from `ActionController::Base.action_methods`.
Ensures that additional flash types defined on ActionController::Base subclasses
are not listed as actions on that controller.
```ruby
class MyController < ApplicationController
  add_flash_types :hype
end
MyController.action_methods.include?('hype') # => false
```
*Gavin Morrice*
2021-03-22 05:25:49 -04:00
* OpenSSL constants are now used for Digest computations.
*Dirkjan Bussink*
2021-07-20 21:08:08 -04:00
* Remove IE6-7-8 file download related hack/fix from ActionController::DataStreaming module.
Due to the age of those versions of IE, this fix is no longer relevant; more importantly, it creates an edge case for unexpected Cache-Control headers.
*Tadas Sasnauskas*
2018-09-25 03:31:11 -04:00
* Configuration setting to skip logging an uncaught exception backtrace when the exception is
present in `rescued_responses`.
It may be too noisy to get all backtraces logged for applications that manage uncaught
exceptions via `rescued_responses` and `exceptions_app`.
`config.action_dispatch.log_rescued_responses` (defaults to `true`) can be set to `false` in
this case, so that only exceptions not found in `rescued_responses` will be logged.
*Alexander Azarov*, *Mike Dalessio*
2021-07-20 21:08:08 -04:00
* Ignore file fixtures on `db:fixtures:load`.
*Kevin Sjöberg*
2021-03-03 14:19:52 -05:00
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
*Dylan Thacker-Smith*
2021-06-12 03:58:14 -04:00
* New `ActionController::ConditionalGet#no_store` method to set HTTP cache control `no-store` directive.
*Tadas Sasnauskas*
2021-07-20 21:08:08 -04:00
* Drop support for the `SERVER_ADDR` header.
Following up https://github.com/rack/rack/pull/1573 and https://github.com/rails/rails/pull/42349.
*Ricardo Díaz*
2021-05-12 17:17:06 -04:00
* Set session options when initializing a basic session.
*Gannon McGibbon*
2021-07-20 21:08:08 -04:00
* Add `cache_control: {}` option to `fresh_when` and `stale?`.
Works as a shortcut to set `response.cache_control` with the above methods.
*Jacopo Beschi*
2021-05-15 04:50:37 -04:00
* Writing into a disabled session will now raise an error.
Previously when no session store was set, writing into the session would silently fail.
*Jean Boussier*
2021-05-02 15:31:55 -04:00
* Add support for 'require-trusted-types-for' and 'trusted-types' headers.
Fixes #42034.
*lfalcao*
2021-04-11 10:18:49 -04:00
* Remove inline styles and address basic accessibility issues on rescue templates.
*Jacob Herrington*
Allow 'private, no-store' Cache-Control header
https://github.com/rails/rails/pull/39461 changed the `no-store`
directive for the `Cache-Control` header to be exclusive, i.e. when
setting `Cache-Control` to `private, no-store`, this is simplified to
just `no-store`. `private` should typically be superfluous there, but
it's not always.
For instance, Fastly "does not currently respect no-store or no-cache
directives" and says that "if you need to prevent caching by both Fastly
and web browsers, we recommend combining the private directive with
max-age=0 or no-store".
https://docs.fastly.com/en/guides/configuring-caching#do-not-cache
Since it's not possible to override this directive reduction behaviour,
the changes in #39461 prevent Fastly users from upgrading Rails.
This changes the behaviour to allow setting a 'private, no-store' header
when private is specified - similar to how 'public' can be specified
when 'no-cache' is, but not as a default.
Fixes https://github.com/rails/rails/issues/40798
2021-03-22 19:38:04 -04:00
* Add support for 'private, no-store' Cache-Control headers.
Previously, 'no-store' was exclusive; no other directives could be specified.
*Alex Smith*
2021-03-31 07:24:36 -04:00
* Expand payload of `unpermitted_parameters.action_controller` instrumentation to allow subscribers to
know which controller action received unpermitted parameters.
*bbuchalter*
2021-02-18 16:35:36 -05:00
* Add `ActionController::Live#send_stream` that makes it more convenient to send generated streams:
```ruby
send_stream(filename: "subscribers.csv") do |stream|
  stream.writeln "email_address,updated_at"

  @subscribers.find_each do |subscriber|
    stream.writeln [ subscriber.email_address, subscriber.updated_at ].join(",")
  end
end
```
*DHH*
2021-02-20 04:02:49 -05:00
* Add `ActionController::Live::Buffer#writeln` to write a line to the stream with a newline included.
*DHH*
2021-01-26 18:41:38 -05:00
* `ActionDispatch::Request#content_type` now returns the Content-Type header as it is.
Previously, the value returned by `ActionDispatch::Request#content_type` did NOT contain the charset part.
This behavior has changed so that the returned Content-Type header contains the charset part as it is.
If you want just the MIME type, please use `ActionDispatch::Request#media_type` instead.
Before:
```ruby
request = ActionDispatch::Request.new("CONTENT_TYPE" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
request.content_type #=> "text/csv"
```
After:
```ruby
request = ActionDispatch::Request.new("CONTENT_TYPE" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
request.content_type #=> "text/csv; header=present; charset=utf-16"
request.media_type #=> "text/csv"
```
*Rafael Mendonça França*
2021-01-26 18:24:27 -05:00
* Change `ActionDispatch::Request#media_type` to return `nil` when the request doesn't have a `Content-Type` header.
*Rafael Mendonça França*
2021-01-23 17:48:25 -05:00
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
*Janko Marohnić*
2021-07-20 21:08:08 -04:00
* Allow anything with `#to_str` (like `Addressable::URI`) as a `redirect_to` location.
*ojab*
change request method to a `GET` when passing failed requests to `config.exceptions_app`
Similar to #38998 (fixed in #40246), HTTP method validation occurring whenever methods are called on `ActionDispatch::Request` can cause some weird unintended consequences. For example, if `config.exceptions_app = self.routes`, you get an exception raised via the `ActionDispatch::ShowExceptions` middleware failsafe:
```
Started TEST "/" for 127.0.0.1 at 2020-11-05 15:40:31 -0500
(1.0ms) SELECT "schema_migrations"."version" FROM "schema_migrations" ORDER BY "schema_migrations"."version" ASC
TEST, accepted HTTP methods are OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, VERSION-CONTROL, REPORT, CHECKOUT, CHECKIN, UNCHECKOUT, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE-CONTROL, MKACTIVITY, ORDERPATCH, ACL, SEARCH, MKCALENDAR, and PATCH excluded from capture: DSN not set
ActionController::UnknownHttpMethod (TEST, accepted HTTP methods are OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, VERSION-CONTROL, REPORT, CHECKOUT, CHECKIN, UNCHECKOUT, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE-CONTROL, MKACTIVITY, ORDERPATCH, ACL, SEARCH, MKCALENDAR, and PATCH):
actionpack (6.0.3.4) lib/action_dispatch/http/request.rb:431:in `check_method'
actionpack (6.0.3.4) lib/action_dispatch/http/request.rb:143:in `request_method'
rack (2.2.3) lib/rack/request.rb:187:in `head?'
actionpack (6.0.3.4) lib/action_dispatch/journey/router.rb:113:in `find_routes'
actionpack (6.0.3.4) lib/action_dispatch/journey/router.rb:32:in `serve'
actionpack (6.0.3.4) lib/action_dispatch/routing/route_set.rb:834:in `call'
Error during failsafe response: TEST, accepted HTTP methods are OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, VERSION-CONTROL, REPORT, CHECKOUT, CHECKIN, UNCHECKOUT, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE-CONTROL, MKACTIVITY, ORDERPATCH, ACL, SEARCH, MKCALENDAR, and PATCH
/usr/local/var/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/actionpack-6.0.3.4/lib/action_dispatch/http/request.rb:431:in `check_method'
/usr/local/var/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/actionpack-6.0.3.4/lib/action_dispatch/http/request.rb:143:in `request_method'
/usr/local/var/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/rack-2.2.3/lib/rack/request.rb:187:in `head?'
/usr/local/var/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/actionpack-6.0.3.4/lib/action_dispatch/journey/router.rb:113:in `find_routes'
/usr/local/var/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/actionpack-6.0.3.4/lib/action_dispatch/journey/router.rb:32:in `serve'
/usr/local/var/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/actionpack-6.0.3.4/lib/action_dispatch/routing/route_set.rb:834:in `call'
/usr/local/var/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/actionpack-6.0.3.4/lib/action_dispatch/middleware/show_exceptions.rb:50:in `render_exception'
/usr/local/var/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/actionpack-6.0.3.4/lib/action_dispatch/middleware/show_exceptions.rb:36:in `rescue in call'
/usr/local/var/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/actionpack-6.0.3.4/lib/action_dispatch/middleware/show_exceptions.rb:31:in `call'
# ...
```
Now, to prevent the redundant exception, we overwrite `request_method` before passing `env` down to `config.exceptions_app`. `action_dispatch.original_request_method` is set to keep the original request method available for inspection.
2020-12-16 20:48:09 -05:00
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
*Alex Robbin*
2020-12-10 12:42:52 -05:00
* Deprecate the ability to assign a single value to `config.action_dispatch.trusted_proxies`
as `RemoteIp` middleware behaves inconsistently depending on whether this is configured
with a single value or an enumerable.
Fixes #40772.
*Christian Sutter*
2020-11-24 05:00:56 -05:00
* Add `redirect_back_or_to(fallback_location, **)` as a more aesthetically pleasing version of `redirect_back fallback_location:, **`.
The old method name is retained without explicit deprecation.
*DHH*
2020-12-02 18:37:26 -05:00
Please check [6-1-stable](https://github.com/rails/rails/blob/6-1-stable/actionpack/CHANGELOG.md) for previous changes.