rails--rails/actionpack/lib/action_dispatch/railtie.rb

# frozen_string_literal: true

require "action_dispatch"
require "active_support/messages/rotation_configuration"

module ActionDispatch
  class Railtie < Rails::Railtie # :nodoc:
    config.action_dispatch = ActiveSupport::OrderedOptions.new
    config.action_dispatch.x_sendfile_header = nil
    config.action_dispatch.ip_spoofing_check = true
    config.action_dispatch.show_exceptions = true
    config.action_dispatch.tld_length = 1
    config.action_dispatch.ignore_accept_header = false
    config.action_dispatch.rescue_templates = {}
    config.action_dispatch.rescue_responses = {}
    config.action_dispatch.default_charset = nil
    config.action_dispatch.rack_cache = false
    config.action_dispatch.http_auth_salt = "http authentication"
    config.action_dispatch.signed_cookie_salt = "signed cookie"
    config.action_dispatch.encrypted_cookie_salt = "encrypted cookie"
    config.action_dispatch.encrypted_signed_cookie_salt = "signed encrypted cookie"
    config.action_dispatch.authenticated_encrypted_cookie_salt = "authenticated encrypted cookie"
    config.action_dispatch.use_authenticated_cookie_encryption = false
    config.action_dispatch.use_cookies_with_metadata = false
    config.action_dispatch.perform_deep_munge = true
    config.action_dispatch.request_id_header = "X-Request-Id"
    config.action_dispatch.return_only_request_media_type_on_content_type = true
    config.action_dispatch.log_rescued_responses = true

    config.action_dispatch.default_headers = {
      "X-Frame-Options" => "SAMEORIGIN",
      "X-XSS-Protection" => "1; mode=block",
      "X-Content-Type-Options" => "nosniff",
      "X-Download-Options" => "noopen",
      "X-Permitted-Cross-Domain-Policies" => "none",
      "Referrer-Policy" => "strict-origin-when-cross-origin"
    }

    config.action_dispatch.cookies_rotations = ActiveSupport::Messages::RotationConfiguration.new

    config.eager_load_namespaces << ActionDispatch

    initializer "action_dispatch.configure" do |app|
      ActionDispatch::Http::URL.secure_protocol = app.config.force_ssl
      ActionDispatch::Http::URL.tld_length = app.config.action_dispatch.tld_length

      ActiveSupport.on_load(:action_dispatch_request) do
        self.ignore_accept_header = app.config.action_dispatch.ignore_accept_header
        self.return_only_media_type_on_content_type = app.config.action_dispatch.return_only_request_media_type_on_content_type
        ActionDispatch::Request::Utils.perform_deep_munge = app.config.action_dispatch.perform_deep_munge
      end

      ActiveSupport.on_load(:action_dispatch_response) do
        self.default_charset = app.config.action_dispatch.default_charset || app.config.encoding
        self.default_headers = app.config.action_dispatch.default_headers
      end

      ActionDispatch::ExceptionWrapper.rescue_responses.merge!(config.action_dispatch.rescue_responses)
      ActionDispatch::ExceptionWrapper.rescue_templates.merge!(config.action_dispatch.rescue_templates)

      config.action_dispatch.always_write_cookie = Rails.env.development? if config.action_dispatch.always_write_cookie.nil?
      ActionDispatch::Cookies::CookieJar.always_write_cookie = config.action_dispatch.always_write_cookie

      ActionDispatch.test_app = app
    end
  end
end
Use frozen string literal in actionpack/ 2017-07-24 16:20:53 -04:00			`# frozen_string_literal: true`

Add ActionDispatch::Railties::Subscriber and finish tidying up the logging. 2010-01-17 06:41:55 -05:00			`require "action_dispatch"`
Add key rotation cookies middleware Using the action_dispatch.cookies_rotations interface, key rotation is now possible with cookies. Thus the secret_key_base as well as salts, ciphers, and digests, can be rotated without expiring sessions. 2017-09-23 17:18:01 -04:00			`require "active_support/messages/rotation_configuration"`
Add ActionDispatch::Railties::Subscriber and finish tidying up the logging. 2010-01-17 06:41:55 -05:00
			`module ActionDispatch`
nodoc AD & AV railties classes 2012-12-01 13:10:08 -05:00			`class Railtie < Rails::Railtie # :nodoc:`
Move application configuration to the application configuration object, remove railtie_name and engine_name and allow to set the configuration object. 2010-03-26 13:47:55 -04:00			`config.action_dispatch = ActiveSupport::OrderedOptions.new`
x_sendfile_header now defaults to nil and production.rb env file doesn't set a particular value for it. This allows servers to set it through X-Sendfile-Type, read https://github.com/rack/rack/blob/master/lib/rack/sendfile.rb for more info. Anyways you can force this value in your production.rb 2011-08-07 11:34:49 -04:00			`config.action_dispatch.x_sendfile_header = nil`
Move remote_ip to a middleware: * ActionController::Base.ip_spoofing_check deprecated => config.action_dispatch.ip_spoofing_check * ActionController::Base.trusted_proxies deprecated => config.action_dispatch.trusted_proxies 2010-03-03 19:22:30 -05:00			`config.action_dispatch.ip_spoofing_check = true`
Raise exceptions instead of rendering error templates in test environment [#4315 state:resolved] Signed-off-by: José Valim <jose.valim@gmail.com> 2010-04-02 14:00:29 -04:00			`config.action_dispatch.show_exceptions = true`
Add configuration option for tld length 2010-07-27 10:39:28 -04:00			`config.action_dispatch.tld_length = 1`
Allow ignore_accept_header through configuration option. 2011-05-02 17:38:39 -04:00			`config.action_dispatch.ignore_accept_header = false`
Add three new rubocop rules Style/SpaceBeforeBlockBraces Style/SpaceInsideBlockBraces Style/SpaceInsideHashLiteralBraces Fix all violations in the repository. 2016-08-16 03:30:11 -04:00			`config.action_dispatch.rescue_templates = {}`
			`config.action_dispatch.rescue_responses = {}`
Remove deprecated default_charset= from AC::Base This should be set globally as a configuration, using `config.action_dispatch.default_charset` instead 2012-01-17 05:56:50 -05:00			`config.action_dispatch.default_charset = nil`
config.action_dispatch.rack_cache should set explicitly to enable Rack::Cache 2012-10-03 17:43:39 -04:00			`config.action_dispatch.rack_cache = false`
applies new string literal convention in actionpack/lib The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default. 2016-08-06 12:51:43 -04:00			`config.action_dispatch.http_auth_salt = "http authentication"`
			`config.action_dispatch.signed_cookie_salt = "signed cookie"`
			`config.action_dispatch.encrypted_cookie_salt = "encrypted cookie"`
			`config.action_dispatch.encrypted_signed_cookie_salt = "signed encrypted cookie"`
Add key rotation cookies middleware Using the action_dispatch.cookies_rotations interface, key rotation is now possible with cookies. Thus the secret_key_base as well as salts, ciphers, and digests, can be rotated without expiring sessions. 2017-09-23 17:18:01 -04:00			`config.action_dispatch.authenticated_encrypted_cookie_salt = "authenticated encrypted cookie"`
AEAD encrypted cookies and sessions This commit changes encrypted cookies from AES in CBC HMAC mode to Authenticated Encryption using AES-GCM. It also provides a cookie jar to transparently upgrade encrypted cookies to this new scheme. Some other notable changes include: - There is a new application configuration value: +use_authenticated_cookie_encryption+. When enabled, AEAD encrypted cookies will be used. - +cookies.signed+ does not raise a +TypeError+ now if the name of an encrypted cookie is used. Encrypted cookies using the same key as signed cookies would be verified and serialization would then fail due the message still be encrypted. 2017-02-23 13:54:17 -05:00			`config.action_dispatch.use_authenticated_cookie_encryption = false`
Purpose Metadata For Signed And Encrypted Cookies Purpose metadata prevents cookie values from being copy-pasted and ensures that the cookie is used only for its originally intended purpose. The Purpose and Expiry metadata are embedded inside signed/encrypted cookies and will not be readable on previous versions of Rails. We can switch off purpose and expiry metadata embedded in signed and encrypted cookies using config.action_dispatch.use_cookies_with_metadata = false if you want your cookies to be readable on older versions of Rails. 2018-05-19 04:01:57 -04:00			`config.action_dispatch.use_cookies_with_metadata = false`
Add configuration option to optionally disable deep_munge 2013-12-05 06:08:34 -05:00			`config.action_dispatch.perform_deep_munge = true`
Always ask for a header argument in ResquestId middleware 2020-10-29 20:41:59 -04:00			`config.action_dispatch.request_id_header = "X-Request-Id"`
`ActionDispatch::Request#content_type` now returned Content-Type header as it is 2021-01-26 18:41:38 -05:00			`config.action_dispatch.return_only_request_media_type_on_content_type = true`
Skip logging backtrace when exception is in `rescue_responses` Closes #9343 Co-authored-by: Mike Dalessio <mike.dalessio@gmail.com> 2018-09-25 03:31:11 -04:00			`config.action_dispatch.log_rescued_responses = true`
Allow rescue responses to be configured through a railtie. 2011-12-01 13:16:19 -05:00
Move AD default_headers configurations to railtie ActionDispatch railtie is a better place for config.action_dispatch.default_headers settings, users can continue overriding those settings in their configuration files if needed. 2012-08-10 22:11:56 -04:00			`config.action_dispatch.default_headers = {`
applies new string literal convention in actionpack/lib The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default. 2016-08-06 12:51:43 -04:00			`"X-Frame-Options" => "SAMEORIGIN",`
			`"X-XSS-Protection" => "1; mode=block",`
Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to default headers set. 2017-12-09 15:41:55 -05:00			`"X-Content-Type-Options" => "nosniff",`
			`"X-Download-Options" => "noopen",`
Add 'Referrer-Policy' header to default headers set 2018-01-08 22:14:22 -05:00			`"X-Permitted-Cross-Domain-Policies" => "none",`
			`"Referrer-Policy" => "strict-origin-when-cross-origin"`
Move AD default_headers configurations to railtie ActionDispatch railtie is a better place for config.action_dispatch.default_headers settings, users can continue overriding those settings in their configuration files if needed. 2012-08-10 22:11:56 -04:00			`}`

Add key rotation cookies middleware Using the action_dispatch.cookies_rotations interface, key rotation is now possible with cookies. Thus the secret_key_base as well as salts, ciphers, and digests, can be rotated without expiring sessions. 2017-09-23 17:18:01 -04:00			`config.action_dispatch.cookies_rotations = ActiveSupport::Messages::RotationConfiguration.new`

Get rid of config.preload_frameworks in favor of config.eager_load_namespaces The new option allows any Ruby namespace to be registered and set up for eager load. We are effectively exposing the structure existing in Rails since v3.0 for all developers in order to make their applications thread-safe and CoW friendly. 2012-08-01 14:54:22 -04:00			`config.eager_load_namespaces << ActionDispatch`

Add configuration option for tld length 2010-07-27 10:39:28 -04:00			`initializer "action_dispatch.configure" do \|app\|`
Heed config.force_ssl when building URL `url_for` will now use "https://" as the default protocol when `Rails.application.config.force_ssl` is set to true. Action Mailer already behaves this way, effectively. This commit extends that behavior application-wide. Closes #23543. 2019-10-15 16:24:41 -04:00			`ActionDispatch::Http::URL.secure_protocol = app.config.force_ssl`
Add configuration option for tld length 2010-07-27 10:39:28 -04:00			`ActionDispatch::Http::URL.tld_length = app.config.action_dispatch.tld_length`
Do not eagerly load Request before initializers Without those changes the configurations to ActionDispatch::Request could not be applied in initializers. 2021-01-26 18:20:44 -05:00
			`ActiveSupport.on_load(:action_dispatch_request) do`
			`self.ignore_accept_header = app.config.action_dispatch.ignore_accept_header`
`ActionDispatch::Request#content_type` now returned Content-Type header as it is 2021-01-26 18:41:38 -05:00			`self.return_only_media_type_on_content_type = app.config.action_dispatch.return_only_request_media_type_on_content_type`
Do not eagerly load Request before initializers Without those changes the configurations to ActionDispatch::Request could not be applied in initializers. 2021-01-26 18:20:44 -05:00			`ActionDispatch::Request::Utils.perform_deep_munge = app.config.action_dispatch.perform_deep_munge`
			`end`
Change `ActionDispatch::Response#content_type` to return the full Content-Type header And deprecate the config to keep the previous behavior. 2020-10-28 15:09:38 -04:00
Delay ActionDispatch::Response configuration to load-time It fixes the problem in propagating return_only_media_type_on_content_type and fixes the corresponding test being ineffective. The mentioned test addes the following line: ...config.action_dispatch.return_only_media_type_on_content_type = true to the config and checks if it takes effect. However, in this scenario, the value is already true before this line. Moreover, the users are supposed to flip this from true to false in real situations. This commit flips the config in the test, making it to fail as expected. The next commit will fix the failure. In order for return_only_media_type_on_content_type to appropriately take effect on ActionDispatch::Response, we want to know when ActionDispatch::Response is loaded. As load hooks for ActionDispatch would be too broad, the appropriate registry is for ActionDispatch::Response itself. Looking into other examples, a hook name is a full class name in snake case with `_base` suffix omitted, if any. Therefore, in this case, :action_dispatch_response seems appropriate. 2019-09-30 01:40:49 -04:00			`ActiveSupport.on_load(:action_dispatch_response) do`
			`self.default_charset = app.config.action_dispatch.default_charset \|\| app.config.encoding`
			`self.default_headers = app.config.action_dispatch.default_headers`
			`end`
configuration option to always write cookie 2011-11-23 15:36:56 -05:00
Add an ExceptionWrapper that wraps an exception and provide convenience helpers. 2011-12-01 14:02:00 -05:00			`ActionDispatch::ExceptionWrapper.rescue_responses.merge!(config.action_dispatch.rescue_responses)`
			`ActionDispatch::ExceptionWrapper.rescue_templates.merge!(config.action_dispatch.rescue_templates)`
Allow rescue responses to be configured through a railtie. 2011-12-01 13:16:19 -05:00
configuration option to always write cookie 2011-11-23 15:36:56 -05:00			`config.action_dispatch.always_write_cookie = Rails.env.development? if config.action_dispatch.always_write_cookie.nil?`
			`ActionDispatch::Cookies::CookieJar.always_write_cookie = config.action_dispatch.always_write_cookie`
remove Rails application fallback from AD::IntegrationTest set AD::IntegrationTest.app in railtie initializer 2011-12-23 11:56:49 -05:00
			`ActionDispatch.test_app = app`
Add configuration option for tld length 2010-07-27 10:39:28 -04:00			`end`
Add ActionDispatch::Railties::Subscriber and finish tidying up the logging. 2010-01-17 06:41:55 -05:00			`end`
Add a header that tells Internet Explorer (all versions) to use the best available standards support. This ensures that IE doesn't go into quirks mode because it has been blacklisted by too many users pressing the incompatible button. It also tells IE to use the ChromeFrame renderer, if the user has installed the plugin. This guarantees that the best available standards support will be used on the client. 2010-07-27 22:24:56 -04:00			`end`