rails--rails/actionpack/CHANGELOG.md

*   Fix `skip_forgery_protection` to run without raising an error if forgery
    protection has not been enabled / `verify_authenticity_token` is not a
    defined callback.

    This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
    `ArgumentError` if `default_protect_from_forgery` is false.

    *Brad Trick*

*   Make `redirect_to` return an empty response body.

    Application controllers that wish to add a response body after calling
    `redirect_to` can continue to do so.

    *Jon Dufresne*

*   Use non-capturing group for subdomain matching in `ActionDispatch::HostAuthorization`

    Since we do nothing with the captured subdomain group, we can use a non-capturing group instead.

    *Sam Bostock*

*   Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.

    Since its inception `ActionController::Live` has been copying thread local variables
    to keep things such as `CurrentAttributes` set from middlewares working in the controller action.

    With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
    `ActionController::Live` controllers.

    *Jean Boussier*

*   Fix setting `trailing_slash: true` in route definition.

    ```ruby
    get '/test' => "test#index", as: :test, trailing_slash: true

    test_path() # => "/test/"
    ```

    *Jean Boussier*

*   Make `Session#merge!` stringify keys.

    Previously `Session#update` would, but `merge!` wouldn't.

    *Drew Bragg*

Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md) for previous changes.
Allow skip_forgery_protection if no protection set Calling `skip_forgery_protection` without first calling `protect_from_forgery`--either manually or through default settings--raises an `ArgumentError` because `verify_authenticity_token` has not been defined as a callback. Since Rails 7.0 adds `skip_forgery_protection` to the `Rails::WelcomeController` (PR #42864), this behavior means that setting `default_protect_from_forgery` to false and visiting the Rails Welcome page (`/`) raises an error. This behavior also created an issue for `ActionMailbox` that was previously fixed in the Mailbox controller by running `skip_forgery_protection` only if `default_protect_from_forgery` was true (PR #35935). This PR addresses the underlying issue by setting the `raise` option for `skip_before_action` to default to false inside `skip_forgery_protection`. The fix is implemented in `request_forgery_protection.rb`. The change to `ActionMailbox`'s `base_controller.rb` removes the now-unnecessary check of `default_protect_from_forgery`. The tests added in `request_forgery_protection_test.rb` and `routing_test.rb` both raise an error when run against the current codebase and pass with the changes noted above. 2022-02-27 21:58:42 -05:00			* Fix `skip_forgery_protection` to run without raising an error if forgery
			protection has not been enabled / `verify_authenticity_token` is not a
			`defined callback.`

			This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
			`ArgumentError` if `default_protect_from_forgery` is false.

			`Brad Trick`

Remove body content from redirect responses Modern browsers don't render this HTML so it goes unused in practice. The delivered bytes are therefore a small waste (although very small) and unnecessary and could be optimized away. Additionally, the HTML fails validation. Using the W3C v.Nu, we see the following errors: Warning: Consider adding a lang attribute to the html start tag to declare the language of this document. Error: Start tag seen without seeing a doctype first. Expected <!DOCTYPE html>. Error: Element head is missing a required instance of child element title. These errors may surface in site-wide compliance tests (either internal tests or external contractual tests). Avoid the false positives by removing the HTML. While these warnings and errors could be resolved, it would be simpler on future maintenance to remove the body altogether (especially as it isn't rendered by the browser). As the same string is copied around a few places, this removes multiple touch points to resolve the current validation errors as well as new ones. Many other frameworks and web servers don't include an HTML body on redirect, so there isn't a reason for Rails to do so. By removing the custom Rails HTML, there are fewing "fingerprints" that a malicious bot could use to identify the backend technologies. Application controllers that wish to add a response body after calling redirect_to can continue to do so. 2022-02-25 09:11:56 -05:00			* Make `redirect_to` return an empty response body.

			`Application controllers that wish to add a response body after calling`
			`redirect_to` can continue to do so.

			`Jon Dufresne`

Stop capturing subdomain in HostAuthorization This also extracts a constant, giving a name to a "magic regex". 2022-02-22 11:03:19 -05:00			* Use non-capturing group for subdomain matching in `ActionDispatch::HostAuthorization`

			`Since we do nothing with the captured subdomain group, we can use a non-capturing group instead.`

			`Sam Bostock`

Fix CHANGELOG typos 2022-02-22 12:53:52 -05:00			* Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
Copy over the IsolatedExecutionState in AC::Live Fix: https://github.com/rails/rails/issues/44496 It's really unfortunate, but since thread locals were copied since a decade and we moved most of them into IsolatedExecutionState we now need to copy it too to keep backward compatibility. However I think it's one more sign that AC::Live should be rethought. 2022-02-21 05:35:22 -05:00
Fix CHANGELOG typos 2022-02-22 12:53:52 -05:00			Since its inception `ActionController::Live` has been copying thread local variables
Copy over the IsolatedExecutionState in AC::Live Fix: https://github.com/rails/rails/issues/44496 It's really unfortunate, but since thread locals were copied since a decade and we moved most of them into IsolatedExecutionState we now need to copy it too to keep backward compatibility. However I think it's one more sign that AC::Live should be rethought. 2022-02-21 05:35:22 -05:00			to keep things such as `CurrentAttributes` set from middlewares working in the controller action.

			With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
Fix CHANGELOG typos 2022-02-22 12:53:52 -05:00			`ActionController::Live` controllers.
Copy over the IsolatedExecutionState in AC::Live Fix: https://github.com/rails/rails/issues/44496 It's really unfortunate, but since thread locals were copied since a decade and we moved most of them into IsolatedExecutionState we now need to copy it too to keep backward compatibility. However I think it's one more sign that AC::Live should be rethought. 2022-02-21 05:35:22 -05:00
			`Jean Boussier`

Fix setting `trailing_slash: true` in route definition Ref: https://github.com/rails/rails/pull/43287 Fix: https://github.com/rails/rails/issues/44373 The `OptimizedUrlHelper` wasn't considering this option. 2022-02-15 04:41:42 -05:00			* Fix setting `trailing_slash: true` in route definition.

			```ruby
			`get '/test' => "test#index", as: :test, trailing_slash: true`

			`test_path() # => "/test/"`
			```

			`Jean Boussier`

Stringify keys in session.merge! 2022-01-26 09:47:35 -05:00			* Make `Session#merge!` stringify keys.
Wrap ActionController::TestCase with Rails executor Update actionpack/lib/action_controller/test_case.rb Co-authored-by: Jean Boussier <jean.boussier@gmail.com> 2021-11-10 12:58:18 -05:00
Stringify keys in session.merge! 2022-01-26 09:47:35 -05:00			Previously `Session#update` would, but `merge!` wouldn't.

			`Drew Bragg`
Wrap ActionController::TestCase with Rails executor Update actionpack/lib/action_controller/test_case.rb Co-authored-by: Jean Boussier <jean.boussier@gmail.com> 2021-11-10 12:58:18 -05:00
Start Rails 7.1 development 2021-12-07 10:52:30 -05:00			`Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md) for previous changes.`