*   Add `Referrer-Policy` header to default headers set.

    *Guillermo Iguaran*

*   Changed the system tests to set Puma as the default server only when the
    user hasn't manually specified another server.

    *Guillermo Iguaran*

*   Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
    default headers set.

    *Guillermo Iguaran*

*   Add headless Firefox support to System Tests.

    *bogdanvlviv*

*   Changed the default system test screenshot output from `inline` to `simple`.

    `inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
    Terminal.app ignore the `inline` and output the path to the file since it can't
    render the image. Other terminals, like those on Ubuntu, cannot handle the image
    inline, but also don't handle it gracefully; instead of outputting the file
    path, they dump binary into the terminal.

    Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.

    *Eileen M. Uchitelle*

*   Register most popular audio/video/font mime types supported by modern browsers.

    *Guillermo Iguaran*

*   Fix optimized URL helpers when using relative URL root.

    Fixes #31220.

    *Andrew White*


## Rails 5.2.0.beta2 (November 28, 2017) ##

*   No changes.


## Rails 5.2.0.beta1 (November 27, 2017) ##

*   Add DSL for configuring Content-Security-Policy header

    The DSL allows you to configure a global Content-Security-Policy
    header and then override it within a controller. For more information
    about the Content-Security-Policy header see MDN:

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

    Example global policy:

        # config/initializers/content_security_policy.rb
        Rails.application.config.content_security_policy do |p|
          p.default_src :self, :https
          p.font_src    :self, :https, :data
          p.img_src     :self, :https, :data
          p.object_src  :none
          p.script_src  :self, :https
          p.style_src   :self, :https, :unsafe_inline
        end

    Example controller overrides:

        # Override policy inline
        class PostsController < ApplicationController
          content_security_policy do |p|
            p.upgrade_insecure_requests true
          end
        end

        # Using literal values
        class PostsController < ApplicationController
          content_security_policy do |p|
            p.base_uri "https://www.example.com"
          end
        end

        # Using mixed static and dynamic values
        class PostsController < ApplicationController
          content_security_policy do |p|
            p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
          end
        end

    You can also only report content violations, which is useful when migrating
    legacy content, using the `content_security_policy_report_only`
    configuration attribute, e.g.:

        # config/initializers/content_security_policy.rb
        Rails.application.config.content_security_policy_report_only = true

        # controller override
        class PostsController < ApplicationController
          self.content_security_policy_report_only = true
        end

    Note that this feature does not validate the header for performance
    reasons since the header is calculated at runtime.

    *Andrew White*

*   Make `assert_recognizes` traverse mounted engines.

    *Yuichiro Kaneko*

*   Remove deprecated `ActionController::ParamsParser::ParseError`.

    *Rafael Mendonça França*

*   Add `:allow_other_host` option to `redirect_back` method.

    When `allow_other_host` is set to `false`, `redirect_back` will not allow redirecting to a
    different host. `allow_other_host` is `true` by default.

    *Tim Masliuchenko*

*   Add headless Chrome support to System Tests.

    *Yuji Yaginuma*

*   Add ability to enable Early Hints for HTTP/2

    If supported by the server and enabled in Puma, this allows H2 Early Hints to be used.

    The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.

    *Eileen M. Uchitelle*, *Aaron Patterson*

*   Simplify cookies middleware with key rotation support

    Use the `rotate` method for both `MessageEncryptor` and
    `MessageVerifier` to add key rotation support for encrypted and
    signed cookies. This also helps simplify support for legacy cookie
    security.

    *Michael J Coyne*

*   Use Capybara registered `:puma` server config.

    The Capybara registered `:puma` server ensures the Puma server is run in-process so
    connection sharing and open request detection work correctly by default.

    *Thomas Walpole*

*   Cookies `:expires` option supports `ActiveSupport::Duration` object.

        cookies[:user_name] = { value: "assain", expires: 1.hour }
        cookies[:key] = { value: "a yummy cookie", expires: 6.months }

    Pull Request: #30121

    *Assain Jaleel*

*   Enforce signed/encrypted cookie expiry server side.

    Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.

    It does so by stashing the expiry within the written cookie and relying on the
    signing/encrypting to vouch that it hasn't been tampered with. Then on a
    server-side read, the expiry is verified and any expired cookie is discarded.

    Pull Request: #30121

    *Assain Jaleel*

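A simplified model of the two signed-cookie changes above (key rotation, as the `rotate` entry describes for `MessageVerifier`, and the expiry stashed inside the signed payload), written as an added example rather than Rails' own code; the `ExpiringVerifier` class, its secrets, the JSON payload layout and the `--` separator are constructed for this illustration.

```ruby
require "openssl"
require "json"

# Added example (not Rails' MessageVerifier): a signed cookie that carries its
# own expiry, verified with the current secret or any rotated-out one.
class ExpiringVerifier
  # +secret+ signs new cookies; +old_secrets+ are only accepted on verification,
  # which is what lets a secret be rotated without invalidating every cookie.
  def initialize(secret, old_secrets: [])
    @secret = secret
    @old_secrets = old_secrets
  end

  # Signs the value together with its absolute expiry (Unix seconds) so the
  # client cannot extend it. +expires_in+ is in seconds.
  def generate(value, expires_in:, now: Time.now)
    data = [JSON.dump({ "v" => value, "exp" => (now + expires_in).to_i })].pack("m0")
    "#{data}--#{hmac(@secret, data)}"
  end

  # Returns the value, or nil when the signature fails under every known secret
  # or the embedded expiry has passed. The signature is checked before the
  # payload is parsed, so unsigned input never reaches the JSON parser.
  def verified(signed, now: Time.now)
    data, sig = signed.to_s.split("--", 2)
    return nil unless data && sig
    return nil unless [@secret, *@old_secrets].any? { |k| secure_compare(hmac(k, data), sig) }
    payload = JSON.parse(data.unpack1("m0"))
    return nil if payload["exp"] <= now.to_i # expired: discard server side
    payload["v"]
  end

  private

  def hmac(key, data)
    OpenSSL::HMAC.hexdigest("SHA256", key, data)
  end

  # Constant-time comparison so the check does not leak how many bytes matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  v = ExpiringVerifier.new("new-secret", old_secrets: ["old-secret"])
  puts v.verified(v.generate("assain", expires_in: 3600)).inspect # "assain"
end
```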
*   Make `take_failed_screenshot` work within engine.

    Fixes #30405.

    *Yuji Yaginuma*

*   Deprecate `ActionDispatch::TestResponse` response aliases.

    `#success?`, `#missing?` & `#error?` are not supported by the actual
    `ActionDispatch::Response` object and can produce false-positives. Instead,
    use the response helpers provided by `Rack::Response`.

    *Trevor Wistaff*

*   Protect from forgery by default

    Rather than protecting from forgery in the generated `ApplicationController`,
    add it to `ActionController::Base` depending on
    `config.action_controller.default_protect_from_forgery`. This configuration
    defaults to false to support older versions which have removed it from their
    `ApplicationController`, but is set to true for Rails 5.2.

    *Lisa Ugray*

*   Make `ActionController::Parameters#to_s` fall back to `Hash#to_s`.

    *Kir Shatrov*

*   `driven_by` now registers poltergeist and capybara-webkit.

    If poltergeist or capybara-webkit is set as the driver for System Tests,
    `driven_by` will register the driver and set additional options passed via
    the `:options` parameter.

    Refer to the respective driver's documentation to see what options can be passed.

    *Mario Chavez*

*   AEAD encrypted cookies and sessions with GCM.

    Encrypted cookies now use AES-GCM which couples authentication and
    encryption in one faster step and produces shorter ciphertexts. Cookies
    encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
    this new mode is enabled via the
    `action_dispatch.use_authenticated_cookie_encryption` configuration value.

    *Michael J Coyne*

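The two encryption layouts the entry contrasts, as an added example that is not Rails' `MessageEncryptor` code: AES-256-GCM with its built-in authentication tag beside the legacy encrypt-then-HMAC layout. The `CookieCrypt` module, the `--` separated encoding and the key sizes are constructed for this illustration.

```ruby
require "openssl"

# Added example (not Rails' code). With GCM the 16-byte auth tag is produced
# and checked by the cipher itself; with CBC a separate HMAC step, key and
# hex digest are needed, so the cookie is longer and harder to get right.
module CookieCrypt
  TAG_LEN = 16

  # AES-256-GCM: confidentiality and integrity in a single pass.
  def self.gcm_encrypt(key, plaintext)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = key
    iv = cipher.random_iv # 12-byte nonce; must never repeat under one key
    cipher.auth_data = ""
    ct = cipher.update(plaintext) + cipher.final
    [ct, iv, cipher.auth_tag].map { |s| [s].pack("m0") }.join("--")
  end

  # Returns the plaintext, or nil if the key is wrong or ct, iv or tag was altered.
  def self.gcm_decrypt(key, blob)
    ct, iv, tag = blob.to_s.split("--", 3).map { |s| s.unpack1("m0") }
    # OpenSSL verifies only as many tag bytes as it is given, so a truncated
    # tag would silently weaken the check; insist on the full length.
    return nil unless ct && iv && tag && tag.bytesize == TAG_LEN
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ""
    cipher.update(ct) + cipher.final # raises CipherError on authentication failure
  rescue OpenSSL::Cipher::CipherError, ArgumentError
    nil
  end

  # Legacy layout: AES-256-CBC, then HMAC-SHA256 over the encoded ciphertext
  # (encrypt-then-MAC) under a second key. Two steps, two keys, longer output.
  def self.cbc_hmac_encrypt(enc_key, mac_key, plaintext)
    cipher = OpenSSL::Cipher.new("aes-256-cbc").encrypt
    cipher.key = enc_key
    iv = cipher.random_iv # 16 bytes
    ct = cipher.update(plaintext) + cipher.final
    data = [ct, iv].map { |s| [s].pack("m0") }.join("--")
    "#{data}--#{OpenSSL::HMAC.hexdigest("SHA256", mac_key, data)}"
  end
end
```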
*   Change the cache key format for fragments to make it easier to debug key churn. The new format is:

        views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
        ^template path                 ^template tree digest            ^class   ^id

    *DHH*

*   Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
    `ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
    to support it.

    *DHH*

*   Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`

    `ActionController::Base` and `ActionController::API` have differing implementations. This means that
    the one umbrella hook `action_controller` is not able to address certain situations where a method
    may not exist in a certain implementation.

    This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`.

    Fixes #27013.

    *Julian Nadeau*


Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.