rails--rails/actionpack/CHANGELOG.md

*   Allow relative redirects when `raise_on_open_redirects` is enabled

    *Tom Hughes*

*   Allow Content Security Policy DSL to generate for API responses.

    *Tim Wade*

*   Fix `authenticate_with_http_basic` to allow for missing password.

    Before Rails 7.0 it was possible to handle basic authentication with only a username.
    
    ```ruby
    authenticate_with_http_basic do |token, _|
      ApiClient.authenticate(token)
    end
    ```

    This ability is restored.

    *Jean Boussier*

*   Fix `content_security_policy` returning invalid directives.

    Directives such as `self`, `unsafe-eval` and few others were not
    single quoted when the directive was the result of calling a lambda
    returning an array.

    ```ruby
    content_security_policy do |policy|
      policy.frame_ancestors lambda { [:self, "https://example.com"] }
    end
    ```

    With this fix the policy generated from above will now be valid.

    *Edouard Chin*

*   Fix `skip_forgery_protection` to run without raising an error if forgery
    protection has not been enabled / `verify_authenticity_token` is not a
    defined callback.

    This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
    `ArgumentError` if `default_protect_from_forgery` is false.

    *Brad Trick*

*   Make `redirect_to` return an empty response body.

    Application controllers that wish to add a response body after calling
    `redirect_to` can continue to do so.

    *Jon Dufresne*

*   Use non-capturing group for subdomain matching in `ActionDispatch::HostAuthorization`

    Since we do nothing with the captured subdomain group, we can use a non-capturing group instead.

    *Sam Bostock*

*   Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.

    Since its inception `ActionController::Live` has been copying thread local variables
    to keep things such as `CurrentAttributes` set from middlewares working in the controller action.

    With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
    `ActionController::Live` controllers.

    *Jean Boussier*

*   Fix setting `trailing_slash: true` in route definition.

    ```ruby
    get '/test' => "test#index", as: :test, trailing_slash: true

    test_path() # => "/test/"
    ```

    *Jean Boussier*

*   Make `Session#merge!` stringify keys.

    Previously `Session#update` would, but `merge!` wouldn't.

    *Drew Bragg*

Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md) for previous changes.
Allow relative redirects when `raise_on_open_redirects` is enabled 2022-03-10 00:37:07 +00:00			* Allow relative redirects when `raise_on_open_redirects` is enabled

			`Tom Hughes`

Generate content security policy for non-HTML responses One feature of the content security policy DSL, though undocumented, is that it will not generate headers for non-HTML responses, even if a configuration is explicitly provided. While it may not seem obvious that anyone would want to send this header in an API response, Mozilla Observatory, for instance, recommends the following for API responses: `Content-Security-Policy: default-src 'none'; frame-ancestors 'none'` (source: https://observatory.mozilla.org/faq/) The Secure Headers gem also makes recommendations about the content security policy for API responses: https://github.com/github/secure_headers#api-configurations As such, this removes the HTML guard clause from the `ContentSecurityPolicy` middleware. 2020-06-16 17:54:35 +00:00			`* Allow Content Security Policy DSL to generate for API responses.`
Update actionpack/CHANGELOG.md Co-authored-by: Alex Ghiculescu <alex@tanda.co> 2022-03-08 00:33:00 +00:00
Generate content security policy for non-HTML responses One feature of the content security policy DSL, though undocumented, is that it will not generate headers for non-HTML responses, even if a configuration is explicitly provided. While it may not seem obvious that anyone would want to send this header in an API response, Mozilla Observatory, for instance, recommends the following for API responses: `Content-Security-Policy: default-src 'none'; frame-ancestors 'none'` (source: https://observatory.mozilla.org/faq/) The Secure Headers gem also makes recommendations about the content security policy for API responses: https://github.com/github/secure_headers#api-configurations As such, this removes the HTML guard clause from the `ContentSecurityPolicy` middleware. 2020-06-16 17:54:35 +00:00			`Tim Wade`

Better handle basic authentication without a password https://github.com/rails/rails/pull/43209 immediately rejects the request if no password is passed, but there are legitimate uses for accepting authentication without a password. 2022-03-04 10:53:20 +00:00			* Fix `authenticate_with_http_basic` to allow for missing password.

			`Before Rails 7.0 it was possible to handle basic authentication with only a username.`

			```ruby
			`authenticate_with_http_basic do \|token, _\|`
			`ApiClient.authenticate(token)`
			`end`
			```

			`This ability is restored.`

			`Jean Boussier`

Apply content security policy mapping when generated dynamically: - Fix #44536 2022-02-28 18:12:45 +00:00			* Fix `content_security_policy` returning invalid directives.

			Directives such as `self`, `unsafe-eval` and few others were not
			`single quoted when the directive was the result of calling a lambda`
			`returning an array.`

			```ruby
			`content_security_policy do \|policy\|`
			`policy.frame_ancestors lambda { [:self, "https://example.com"] }`
			`end`
			```

			`With this fix the policy generated from above will now be valid.`

			`Edouard Chin`

Allow skip_forgery_protection if no protection set Calling `skip_forgery_protection` without first calling `protect_from_forgery`--either manually or through default settings--raises an `ArgumentError` because `verify_authenticity_token` has not been defined as a callback. Since Rails 7.0 adds `skip_forgery_protection` to the `Rails::WelcomeController` (PR #42864), this behavior means that setting `default_protect_from_forgery` to false and visiting the Rails Welcome page (`/`) raises an error. This behavior also created an issue for `ActionMailbox` that was previously fixed in the Mailbox controller by running `skip_forgery_protection` only if `default_protect_from_forgery` was true (PR #35935). This PR addresses the underlying issue by setting the `raise` option for `skip_before_action` to default to false inside `skip_forgery_protection`. The fix is implemented in `request_forgery_protection.rb`. The change to `ActionMailbox`'s `base_controller.rb` removes the now-unnecessary check of `default_protect_from_forgery`. The tests added in `request_forgery_protection_test.rb` and `routing_test.rb` both raise an error when run against the current codebase and pass with the changes noted above. 2022-02-28 02:58:42 +00:00			* Fix `skip_forgery_protection` to run without raising an error if forgery
			protection has not been enabled / `verify_authenticity_token` is not a
			`defined callback.`

			This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
			`ArgumentError` if `default_protect_from_forgery` is false.

			`Brad Trick`

Remove body content from redirect responses Modern browsers don't render this HTML so it goes unused in practice. The delivered bytes are therefore a small waste (although very small) and unnecessary and could be optimized away. Additionally, the HTML fails validation. Using the W3C v.Nu, we see the following errors: Warning: Consider adding a lang attribute to the html start tag to declare the language of this document. Error: Start tag seen without seeing a doctype first. Expected <!DOCTYPE html>. Error: Element head is missing a required instance of child element title. These errors may surface in site-wide compliance tests (either internal tests or external contractual tests). Avoid the false positives by removing the HTML. While these warnings and errors could be resolved, it would be simpler on future maintenance to remove the body altogether (especially as it isn't rendered by the browser). As the same string is copied around a few places, this removes multiple touch points to resolve the current validation errors as well as new ones. Many other frameworks and web servers don't include an HTML body on redirect, so there isn't a reason for Rails to do so. By removing the custom Rails HTML, there are fewing "fingerprints" that a malicious bot could use to identify the backend technologies. Application controllers that wish to add a response body after calling redirect_to can continue to do so. 2022-02-25 14:11:56 +00:00			* Make `redirect_to` return an empty response body.

			`Application controllers that wish to add a response body after calling`
			`redirect_to` can continue to do so.

			`Jon Dufresne`

Stop capturing subdomain in HostAuthorization This also extracts a constant, giving a name to a "magic regex". 2022-02-22 16:03:19 +00:00			* Use non-capturing group for subdomain matching in `ActionDispatch::HostAuthorization`

			`Since we do nothing with the captured subdomain group, we can use a non-capturing group instead.`

			`Sam Bostock`

Fix CHANGELOG typos 2022-02-22 17:53:52 +00:00			* Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
Copy over the IsolatedExecutionState in AC::Live Fix: https://github.com/rails/rails/issues/44496 It's really unfortunate, but since thread locals were copied since a decade and we moved most of them into IsolatedExecutionState we now need to copy it too to keep backward compatibility. However I think it's one more sign that AC::Live should be rethought. 2022-02-21 10:35:22 +00:00
Fix CHANGELOG typos 2022-02-22 17:53:52 +00:00			Since its inception `ActionController::Live` has been copying thread local variables
Copy over the IsolatedExecutionState in AC::Live Fix: https://github.com/rails/rails/issues/44496 It's really unfortunate, but since thread locals were copied since a decade and we moved most of them into IsolatedExecutionState we now need to copy it too to keep backward compatibility. However I think it's one more sign that AC::Live should be rethought. 2022-02-21 10:35:22 +00:00			to keep things such as `CurrentAttributes` set from middlewares working in the controller action.

			With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
Fix CHANGELOG typos 2022-02-22 17:53:52 +00:00			`ActionController::Live` controllers.
Copy over the IsolatedExecutionState in AC::Live Fix: https://github.com/rails/rails/issues/44496 It's really unfortunate, but since thread locals were copied since a decade and we moved most of them into IsolatedExecutionState we now need to copy it too to keep backward compatibility. However I think it's one more sign that AC::Live should be rethought. 2022-02-21 10:35:22 +00:00
			`Jean Boussier`

Fix setting `trailing_slash: true` in route definition Ref: https://github.com/rails/rails/pull/43287 Fix: https://github.com/rails/rails/issues/44373 The `OptimizedUrlHelper` wasn't considering this option. 2022-02-15 09:41:42 +00:00			* Fix setting `trailing_slash: true` in route definition.

			```ruby
			`get '/test' => "test#index", as: :test, trailing_slash: true`

			`test_path() # => "/test/"`
			```

			`Jean Boussier`

Stringify keys in session.merge! 2022-01-26 14:47:35 +00:00			* Make `Session#merge!` stringify keys.
Wrap ActionController::TestCase with Rails executor Update actionpack/lib/action_controller/test_case.rb Co-authored-by: Jean Boussier <jean.boussier@gmail.com> 2021-11-10 17:58:18 +00:00
Stringify keys in session.merge! 2022-01-26 14:47:35 +00:00			Previously `Session#update` would, but `merge!` wouldn't.

			`Drew Bragg`
Wrap ActionController::TestCase with Rails executor Update actionpack/lib/action_controller/test_case.rb Co-authored-by: Jean Boussier <jean.boussier@gmail.com> 2021-11-10 17:58:18 +00:00
Start Rails 7.1 development 2021-12-07 15:52:30 +00:00			`Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md) for previous changes.`