* Allow relative redirects when `raise_on_open_redirects` is enabled

  *Tom Hughes*

* Allow Content Security Policy DSL to generate for API responses.

  *Tim Wade*

* Fix `authenticate_with_http_basic` to allow for missing password.

  Before Rails 7.0 it was possible to handle basic authentication with only a username.

  ```ruby
  authenticate_with_http_basic do |token, _|
    ApiClient.authenticate(token)
  end
  ```

  This ability is restored.

  *Jean Boussier*

* Fix `content_security_policy` returning invalid directives.

  Directives such as `self`, `unsafe-eval` and a few others were not
  single quoted when the directive was the result of calling a lambda
  returning an array.

  ```ruby
  content_security_policy do |policy|
    policy.frame_ancestors lambda { [:self, "https://example.com"] }
  end
  ```

  With this fix the policy generated from above will now be valid.

  *Edouard Chin*

* Fix `skip_forgery_protection` to run without raising an error if forgery
  protection has not been enabled / `verify_authenticity_token` is not a
  defined callback.

  This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
  `ArgumentError` if `default_protect_from_forgery` is false.

  *Brad Trick*

* Make `redirect_to` return an empty response body.

  Application controllers that wish to add a response body after calling
  `redirect_to` can continue to do so.

  *Jon Dufresne*

* Use non-capturing group for subdomain matching in `ActionDispatch::HostAuthorization`

  Since we do nothing with the captured subdomain group, we can use a non-capturing group instead.

  *Sam Bostock*

* Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.

  Since its inception `ActionController::Live` has been copying thread local variables
  to keep things such as `CurrentAttributes` set from middlewares working in the controller action.

  With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
  `ActionController::Live` controllers.

  *Jean Boussier*

* Fix setting `trailing_slash: true` in route definition.

  ```ruby
  get '/test' => "test#index", as: :test, trailing_slash: true

  test_path() # => "/test/"
  ```

  *Jean Boussier*

* Make `Session#merge!` stringify keys.

  Previously `Session#update` would, but `merge!` wouldn't.

  *Drew Bragg*
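
The `content_security_policy` entry above describes sources returned by a lambda being emitted without keyword quoting. The following added example is a simplified model of that behaviour, not Rails' own code (all constant and method names are hypothetical); it contrasts the unmapped and mapped serialization and includes a check that flags bare keywords, which a browser parses as host names rather than as CSP keywords.

```ruby
# Added example: a simplified model of CSP source serialization, not Rails' code.
QUOTED = %i[self none unsafe_inline unsafe_eval strict_dynamic]
         .to_h { |k| [k, "'#{k.to_s.tr('_', '-')}'"] }.freeze
SCHEMES = %i[https http data blob].to_h { |k| [k, "#{k}:"] }.freeze
MAPPINGS = QUOTED.merge(SCHEMES).freeze

# Serialize one source: keyword symbols are single quoted, scheme symbols get
# a trailing colon, strings (hosts, URLs) pass through unchanged.
def serialize_source(source)
  case source
  when Symbol
    MAPPINGS.fetch(source) { raise ArgumentError, "unknown CSP source: #{source.inspect}" }
  when String then source
  else raise ArgumentError, "unsupported CSP source: #{source.inspect}"
  end
end

# Model of the bug: values returned by a lambda skip the keyword mapping.
def build_directive_unmapped(name, sources)
  values = sources.flat_map do |s|
    s.respond_to?(:call) ? Array(s.call).map(&:to_s) : [serialize_source(s)]
  end
  "#{name} #{values.join(' ')}"
end

# Model of the fix: resolve lambdas first, then map every resulting source.
def build_directive(name, sources)
  resolved = sources.flat_map { |s| s.respond_to?(:call) ? Array(s.call) : [s] }
  "#{name} #{resolved.map { |v| serialize_source(v) }.join(' ')}"
end

# Check for a header test: list keywords that appear without single quotes.
def unquoted_keywords(directive)
  bare = QUOTED.values.map { |v| v.delete("'") }
  directive.split.drop(1).select { |token| bare.include?(token) }
end

# Constructed input mirroring the changelog entry's policy.
sources = [lambda { [:self, "https://example.com"] }]
puts build_directive_unmapped("frame-ancestors", sources)
puts build_directive("frame-ancestors", sources)
puts unquoted_keywords(build_directive_unmapped("frame-ancestors", sources)).inspect
```

A check like `unquoted_keywords` can run in a response-header test so that a policy regressing to bare keywords fails the build.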
Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md) for previous changes.