rails--rails/actionpack/lib/action_dispatch/railtie.rb

# frozen_string_literal: true

require "action_dispatch"
require "active_support/messages/rotation_configuration"

module ActionDispatch
  class Railtie < Rails::Railtie # :nodoc:
    config.action_dispatch = ActiveSupport::OrderedOptions.new
    config.action_dispatch.x_sendfile_header = nil
    config.action_dispatch.ip_spoofing_check = true
    config.action_dispatch.show_exceptions = true
    config.action_dispatch.tld_length = 1
    config.action_dispatch.ignore_accept_header = false
    config.action_dispatch.rescue_templates = {}
    config.action_dispatch.rescue_responses = {}
    config.action_dispatch.default_charset = nil
    config.action_dispatch.rack_cache = false
    config.action_dispatch.http_auth_salt = "http authentication"
    config.action_dispatch.signed_cookie_salt = "signed cookie"
    config.action_dispatch.encrypted_cookie_salt = "encrypted cookie"
    config.action_dispatch.encrypted_signed_cookie_salt = "signed encrypted cookie"
    config.action_dispatch.authenticated_encrypted_cookie_salt = "authenticated encrypted cookie"
    config.action_dispatch.use_authenticated_cookie_encryption = false
    config.action_dispatch.perform_deep_munge = true

    config.action_dispatch.default_headers = {
      "X-Frame-Options" => "SAMEORIGIN",
      "X-XSS-Protection" => "1; mode=block",
      "X-Content-Type-Options" => "nosniff",
      "X-Download-Options" => "noopen",
      "X-Permitted-Cross-Domain-Policies" => "none",
      "Referrer-Policy" => "strict-origin-when-cross-origin"
    }

    config.action_dispatch.cookies_rotations = ActiveSupport::Messages::RotationConfiguration.new

    config.eager_load_namespaces << ActionDispatch

    initializer "action_dispatch.configure" do |app|
      ActionDispatch::Http::URL.tld_length = app.config.action_dispatch.tld_length
      ActionDispatch::Request.ignore_accept_header = app.config.action_dispatch.ignore_accept_header
      ActionDispatch::Request::Utils.perform_deep_munge = app.config.action_dispatch.perform_deep_munge
      ActionDispatch::Response.default_charset = app.config.action_dispatch.default_charset || app.config.encoding
      ActionDispatch::Response.default_headers = app.config.action_dispatch.default_headers

      ActionDispatch::ExceptionWrapper.rescue_responses.merge!(config.action_dispatch.rescue_responses)
      ActionDispatch::ExceptionWrapper.rescue_templates.merge!(config.action_dispatch.rescue_templates)

      config.action_dispatch.always_write_cookie = Rails.env.development? if config.action_dispatch.always_write_cookie.nil?
      ActionDispatch::Cookies::CookieJar.always_write_cookie = config.action_dispatch.always_write_cookie

      ActionDispatch.test_app = app
    end
  end
end
Use frozen string literal in actionpack/ 2017-07-24 16:20:53 -04:00			`# frozen_string_literal: true`

Add ActionDispatch::Railties::Subscriber and finish tidying up the logging. 2010-01-17 06:41:55 -05:00			`require "action_dispatch"`
Add key rotation cookies middleware Using the action_dispatch.cookies_rotations interface, key rotation is now possible with cookies. Thus the secret_key_base as well as salts, ciphers, and digests, can be rotated without expiring sessions. 2017-09-23 17:18:01 -04:00			`require "active_support/messages/rotation_configuration"`
Add ActionDispatch::Railties::Subscriber and finish tidying up the logging. 2010-01-17 06:41:55 -05:00
			`module ActionDispatch`
nodoc AD & AV railties classes 2012-12-01 13:10:08 -05:00			`class Railtie < Rails::Railtie # :nodoc:`
Move application configuration to the application configuration object, remove railtie_name and engine_name and allow to set the configuration object. 2010-03-26 13:47:55 -04:00			`config.action_dispatch = ActiveSupport::OrderedOptions.new`
x_sendfile_header now defaults to nil and production.rb env file doesn't set a particular value for it. This allows servers to set it through X-Sendfile-Type, read https://github.com/rack/rack/blob/master/lib/rack/sendfile.rb for more info. Anyways you can force this value in your production.rb 2011-08-07 11:34:49 -04:00			`config.action_dispatch.x_sendfile_header = nil`
Move remote_ip to a middleware: * ActionController::Base.ip_spoofing_check deprecated => config.action_dispatch.ip_spoofing_check * ActionController::Base.trusted_proxies deprecated => config.action_dispatch.trusted_proxies 2010-03-03 19:22:30 -05:00			`config.action_dispatch.ip_spoofing_check = true`
Raise exceptions instead of rendering error templates in test environment [#4315 state:resolved] Signed-off-by: José Valim <jose.valim@gmail.com> 2010-04-02 14:00:29 -04:00			`config.action_dispatch.show_exceptions = true`
Add configuration option for tld length 2010-07-27 10:39:28 -04:00			`config.action_dispatch.tld_length = 1`
Allow ignore_accept_header through configuration option. 2011-05-02 17:38:39 -04:00			`config.action_dispatch.ignore_accept_header = false`
Add three new rubocop rules Style/SpaceBeforeBlockBraces Style/SpaceInsideBlockBraces Style/SpaceInsideHashLiteralBraces Fix all violations in the repository. 2016-08-16 03:30:11 -04:00			`config.action_dispatch.rescue_templates = {}`
			`config.action_dispatch.rescue_responses = {}`
Remove deprecated default_charset= from AC::Base This should be set globally as a configuration, using `config.action_dispatch.default_charset` instead 2012-01-17 05:56:50 -05:00			`config.action_dispatch.default_charset = nil`
config.action_dispatch.rack_cache should set explicitly to enable Rack::Cache 2012-10-03 17:43:39 -04:00			`config.action_dispatch.rack_cache = false`
applies new string literal convention in actionpack/lib The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default. 2016-08-06 12:51:43 -04:00			`config.action_dispatch.http_auth_salt = "http authentication"`
			`config.action_dispatch.signed_cookie_salt = "signed cookie"`
			`config.action_dispatch.encrypted_cookie_salt = "encrypted cookie"`
			`config.action_dispatch.encrypted_signed_cookie_salt = "signed encrypted cookie"`
Add key rotation cookies middleware Using the action_dispatch.cookies_rotations interface, key rotation is now possible with cookies. Thus the secret_key_base as well as salts, ciphers, and digests, can be rotated without expiring sessions. 2017-09-23 17:18:01 -04:00			`config.action_dispatch.authenticated_encrypted_cookie_salt = "authenticated encrypted cookie"`
AEAD encrypted cookies and sessions This commit changes encrypted cookies from AES in CBC HMAC mode to Authenticated Encryption using AES-GCM. It also provides a cookie jar to transparently upgrade encrypted cookies to this new scheme. Some other notable changes include: - There is a new application configuration value: +use_authenticated_cookie_encryption+. When enabled, AEAD encrypted cookies will be used. - +cookies.signed+ does not raise a +TypeError+ now if the name of an encrypted cookie is used. Encrypted cookies using the same key as signed cookies would be verified and serialization would then fail due the message still be encrypted. 2017-02-23 13:54:17 -05:00			`config.action_dispatch.use_authenticated_cookie_encryption = false`
Add configuration option to optionally disable deep_munge 2013-12-05 06:08:34 -05:00			`config.action_dispatch.perform_deep_munge = true`
Allow rescue responses to be configured through a railtie. 2011-12-01 13:16:19 -05:00
Move AD default_headers configurations to railtie ActionDispatch railtie is a better place for config.action_dispatch.default_headers settings, users can continue overriding those settings in their configuration files if needed. 2012-08-10 22:11:56 -04:00			`config.action_dispatch.default_headers = {`
applies new string literal convention in actionpack/lib The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default. 2016-08-06 12:51:43 -04:00			`"X-Frame-Options" => "SAMEORIGIN",`
			`"X-XSS-Protection" => "1; mode=block",`
Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to default headers set. 2017-12-09 15:41:55 -05:00			`"X-Content-Type-Options" => "nosniff",`
			`"X-Download-Options" => "noopen",`
Add 'Referrer-Policy' header to default headers set 2018-01-08 22:14:22 -05:00			`"X-Permitted-Cross-Domain-Policies" => "none",`
			`"Referrer-Policy" => "strict-origin-when-cross-origin"`
Move AD default_headers configurations to railtie ActionDispatch railtie is a better place for config.action_dispatch.default_headers settings, users can continue overriding those settings in their configuration files if needed. 2012-08-10 22:11:56 -04:00			`}`

Add key rotation cookies middleware Using the action_dispatch.cookies_rotations interface, key rotation is now possible with cookies. Thus the secret_key_base as well as salts, ciphers, and digests, can be rotated without expiring sessions. 2017-09-23 17:18:01 -04:00			`config.action_dispatch.cookies_rotations = ActiveSupport::Messages::RotationConfiguration.new`

Get rid of config.preload_frameworks in favor of config.eager_load_namespaces The new option allows any Ruby namespace to be registered and set up for eager load. We are effectively exposing the structure existing in Rails since v3.0 for all developers in order to make their applications thread-safe and CoW friendly. 2012-08-01 14:54:22 -04:00			`config.eager_load_namespaces << ActionDispatch`

Add configuration option for tld length 2010-07-27 10:39:28 -04:00			`initializer "action_dispatch.configure" do \|app\|`
			`ActionDispatch::Http::URL.tld_length = app.config.action_dispatch.tld_length`
Allow ignore_accept_header through configuration option. 2011-05-02 17:38:39 -04:00			`ActionDispatch::Request.ignore_accept_header = app.config.action_dispatch.ignore_accept_header`
Add configuration option to optionally disable deep_munge 2013-12-05 06:08:34 -05:00			`ActionDispatch::Request::Utils.perform_deep_munge = app.config.action_dispatch.perform_deep_munge`
Remove deprecated default_charset= from AC::Base This should be set globally as a configuration, using `config.action_dispatch.default_charset` instead 2012-01-17 05:56:50 -05:00			`ActionDispatch::Response.default_charset = app.config.action_dispatch.default_charset \|\| app.config.encoding`
introduce default_headers config 2012-08-09 09:45:30 -04:00			`ActionDispatch::Response.default_headers = app.config.action_dispatch.default_headers`
configuration option to always write cookie 2011-11-23 15:36:56 -05:00
Add an ExceptionWrapper that wraps an exception and provide convenience helpers. 2011-12-01 14:02:00 -05:00			`ActionDispatch::ExceptionWrapper.rescue_responses.merge!(config.action_dispatch.rescue_responses)`
			`ActionDispatch::ExceptionWrapper.rescue_templates.merge!(config.action_dispatch.rescue_templates)`
Allow rescue responses to be configured through a railtie. 2011-12-01 13:16:19 -05:00
configuration option to always write cookie 2011-11-23 15:36:56 -05:00			`config.action_dispatch.always_write_cookie = Rails.env.development? if config.action_dispatch.always_write_cookie.nil?`
			`ActionDispatch::Cookies::CookieJar.always_write_cookie = config.action_dispatch.always_write_cookie`
remove Rails application fallback from AD::IntegrationTest set AD::IntegrationTest.app in railtie initializer 2011-12-23 11:56:49 -05:00
			`ActionDispatch.test_app = app`
Add configuration option for tld length 2010-07-27 10:39:28 -04:00			`end`
Add ActionDispatch::Railties::Subscriber and finish tidying up the logging. 2010-01-17 06:41:55 -05:00			`end`
Add a header that tells Internet Explorer (all versions) to use the best available standards support. This ensures that IE doesn't go into quirks mode because it has been blacklisted by too many users pressing the incompatible button. It also tells IE to use the ChromeFrame renderer, if the user has installed the plugin. This guarantees that the best available standards support will be used on the client. 2010-07-27 22:24:56 -04:00			`end`