mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Discuss Action Pack's new CSRF protection from remote script tags and what it means for your app. In short, update your tests if they don't already use the 'xhr :post' style.
This commit is contained in:
parent
cf56dcf930
commit
626ced225c
1 changed files with 146 additions and 132 deletions
@ -222,6 +222,17 @@ This example is equivalent to defining a `EventTracking` module inline,
|
|||
extending it with `ActiveSupport::Concern`, then mixing it in to the
|
||||
`Todo` class.
|
||||
|
||||
### CSRF protection from remote `<script>` tags
|
||||
|
||||
Cross-site request forgery (CSRF) protection now covers GET requests with
|
||||
JavaScript responses, too. That prevents a third-party site from referencing
|
||||
your JavaScript URL and attempting to run it to extract sensitive data.
|
||||
|
||||
This means any of your tests that hit `.js` URLs will now fail CSRF protection
|
||||
unless they use `xhr`. Upgrade your tests to be explicit about expecting
|
||||
XmlHttpRequests. Instead of `post :create, format: :js`, switch to the explicit
|
||||
`xhr :post, :create, format: :js`.
|
||||
|
||||
Railties
|
||||
--------
|
||||
|
||||
|
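Review bot: the new section states that the protection covers GET requests with JavaScript responses, yet the upgrade example it gives is `post :create, format: :js` becoming `xhr :post, :create, format: :js`, while the Action Pack entry later in this same patch uses `xhr :get, :foo, format: :js`; use the GET form here so the example matches the verb the paragraph says is affected, or state explicitly which request methods the check applies to. The paragraph also tells readers their tests "will now fail CSRF protection unless they use `xhr`" without saying what `xhr` changes about the request that satisfies the check; one sentence on that would let app authors apply the rule to the real callers of these `.js` URLs (which the commit message promises to cover) and not only to their test suite. Minor: "XmlHttpRequests" is conventionally written "XMLHttpRequests".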
@ -262,138 +273,6 @@ for detailed changes.
|
|||
* Add `Application#message_verifier` method to return a message
|
||||
verifier. ([Pull Request](https://github.com/rails/rails/pull/12995))
|
||||
|
||||
Action Mailer
|
||||
-------------
|
||||
|
||||
Please refer to the
|
||||
[Changelog](https://github.com/rails/rails/blob/4-1-stable/actionmailer/CHANGELOG.md)
|
||||
for detailed changes.
|
||||
|
||||
### Notable changes
|
||||
|
||||
* Instrument the generation of Action Mailer messages. The time it takes to
|
||||
generate a message is written to the log. ([Pull Request](https://github.com/rails/rails/pull/12556))
|
||||
|
||||
|
||||
Active Model
|
||||
------------
|
||||
|
||||
Please refer to the
|
||||
[Changelog](https://github.com/rails/rails/blob/4-1-stable/activemodel/CHANGELOG.md)
|
||||
for detailed changes.
|
||||
|
||||
### Deprecations
|
||||
|
||||
* Deprecate `Validator#setup`. This should be done manually now in the
|
||||
validator's constructor. ([Commit](https://github.com/rails/rails/commit/7d84c3a2f7ede0e8d04540e9c0640de7378e9b3a))
|
||||
|
||||
### Notable changes
|
||||
|
||||
* Added new API methods `reset_changes` and `changes_applied` to
|
||||
`ActiveModel::Dirty` that control changes state.
|
||||
|
||||
|
||||
Active Support
|
||||
--------------
|
||||
|
||||
Please refer to the
|
||||
[Changelog](https://github.com/rails/rails/blob/4-1-stable/activesupport/CHANGELOG.md)
|
||||
for detailed changes.
|
||||
|
||||
|
||||
### Removals
|
||||
|
||||
* Removed `MultiJSON` dependency. As a result, `ActiveSupport::JSON.decode`
|
||||
no longer accepts an options hash for `MultiJSON`. ([Pull Request](https://github.com/rails/rails/pull/10576) / [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
|
||||
|
||||
* Removed support for the `encode_json` hook used for encoding custom objects into
|
||||
JSON. This feature has been extracted into the [activesupport-json_encoder](https://github.com/rails/activesupport-json_encoder)
|
||||
gem.
|
||||
([Related Pull Request](https://github.com/rails/rails/pull/12183) /
|
||||
[More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
|
||||
|
||||
* Removed deprecated `ActiveSupport::JSON::Variable` with no replacement.
|
||||
|
||||
* Removed deprecated `String#encoding_aware?` core extensions (`core_ext/string/encoding`).
|
||||
|
||||
* Removed deprecated `Module#local_constant_names` in favor of `Module#local_constants`.
|
||||
|
||||
* Removed deprecated `DateTime.local_offset` in favor of `DateTime.civil_from_fromat`.
|
||||
|
||||
* Removed deprecated `Logger` core extensions (`core_ext/logger.rb`).
|
||||
|
||||
* Removed deprecated `Time#time_with_datetime_fallback`, `Time#utc_time` and
|
||||
`Time#local_time` in favor of `Time#utc` and `Time#local`.
|
||||
|
||||
* Removed deprecated `Hash#diff` with no replacement.
|
||||
|
||||
* Removed deprecated `Date#to_time_in_current_zone` in favor of `Date#in_time_zone`.
|
||||
|
||||
* Removed deprecated `Proc#bind` with no replacement.
|
||||
|
||||
* Removed deprecated `Array#uniq_by` and `Array#uniq_by!`, use native
|
||||
`Array#uniq` and `Array#uniq!` instead.
|
||||
|
||||
* Removed deprecated `ActiveSupport::BasicObject`, use
|
||||
`ActiveSupport::ProxyObject` instead.
|
||||
|
||||
* Removed deprecated `BufferedLogger`, use `ActiveSupport::Logger` instead.
|
||||
|
||||
* Removed deprecated `assert_present` and `assert_blank` methods, use `assert
|
||||
object.blank?` and `assert object.present?` instead.
|
||||
|
||||
### Deprecations
|
||||
|
||||
* Deprecated `Numeric#{ago,until,since,from_now}`, the user is expected to
|
||||
explicitly convert the value into an AS::Duration, i.e. `5.ago` => `5.seconds.ago`
|
||||
([Pull Request](https://github.com/rails/rails/pull/12389))
|
||||
|
||||
* Deprecated the require path `active_support/core_ext/object/to_json`. Require
|
||||
`active_support/core_ext/object/json` instead. ([Pull Request](https://github.com/rails/rails/pull/12203))
|
||||
|
||||
* Deprecated `ActiveSupport::JSON::Encoding::CircularReferenceError`. This feature
|
||||
has been extracted into the [activesupport-json_encoder](https://github.com/rails/activesupport-json_encoder)
|
||||
gem.
|
||||
([Pull Request](https://github.com/rails/rails/pull/12785) /
|
||||
[More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
|
||||
|
||||
* Deprecated `ActiveSupport.encode_big_decimal_as_string` option. This feature has
|
||||
been extracetd into the [activesupport-json_encoder](https://github.com/rails/activesupport-json_encoder)
|
||||
gem.
|
||||
([Pull Request](https://github.com/rails/rails/pull/13060) /
|
||||
[More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
|
||||
|
||||
### Notable changes
|
||||
|
||||
* `ActiveSupport`'s JSON encoder has been rewritten to take advantage of the
|
||||
JSON gem rather than doing custom encoding in pure-Ruby.
|
||||
([Pull Request](https://github.com/rails/rails/pull/12183) /
|
||||
[More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
|
||||
|
||||
* Improved compatibility with the JSON gem.
|
||||
([Pull Request](https://github.com/rails/rails/pull/12862) /
|
||||
[More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
|
||||
|
||||
* Added `ActiveSupport::Testing::TimeHelpers#travel` and `#travel_to`. These
|
||||
methods change current time to the given time or time difference by stubbing
|
||||
`Time.now` and
|
||||
`Date.today`. ([Pull Request](https://github.com/rails/rails/pull/12824))
|
||||
|
||||
* Added `Numeric#in_milliseconds`, like `1.hour.in_milliseconds`, so we can feed
|
||||
them to JavaScript functions like
|
||||
`getTime()`. ([Commit](https://github.com/rails/rails/commit/423249504a2b468d7a273cbe6accf4f21cb0e643))
|
||||
|
||||
* Added `Date#middle_of_day`, `DateTime#middle_of_day` and `Time#middle_of_day`
|
||||
methods. Also added `midday`, `noon`, `at_midday`, `at_noon` and
|
||||
`at_middle_of_day` as
|
||||
aliases. ([Pull Request](https://github.com/rails/rails/pull/10879))
|
||||
|
||||
* Added `String#remove(pattern)` as a short-hand for the common pattern of
|
||||
`String#gsub(pattern,'')`. ([Commit](https://github.com/rails/rails/commit/5da23a3f921f0a4a3139495d2779ab0d3bd4cb5f))
|
||||
|
||||
* Removed 'cow' => 'kine' irregular inflection from default
|
||||
inflections. ([Commit](https://github.com/rails/rails/commit/c300dca9963bda78b8f358dbcb59cabcdc5e1dc9))
|
||||
|
||||
Action Pack
|
||||
-----------
|
||||
|
||||
|
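Review bot: this 132-line deletion is one half of a move (the same Action Mailer, Active Model and Active Support blocks are re-added later in the patch) and none of it relates to the CSRF change the commit message describes, which mentions no reordering of sections. Either mention the reordering in the commit message or split it into its own commit, so the documentation change for the new protection can be reviewed on its own and the removed and re-added text can be diffed for accidental drops.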
@ -423,6 +302,11 @@ for detailed changes.
|
|||
|
||||
### Notable changes
|
||||
|
||||
* `protect_from_forgery` also prevents cross-origin `<script>` tags.
|
||||
Update your tests to use `xhr :get, :foo, format: :js` instead of
|
||||
`get :foo, format: :js`.
|
||||
([Pull Request](https://github.com/rails/rails/pull/13345))
|
||||
|
||||
* `#url_for` takes a hash with options inside an
|
||||
array. ([Pull Request](https://github.com/rails/rails/pull/9599))
|
||||
|
||||
|
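Review bot: "`protect_from_forgery` also prevents cross-origin `<script>` tags" overstates what the server can do; the upgrade section added earlier in this patch describes the behaviour more accurately as CSRF protection now covering GET requests with JavaScript responses, i.e. the app declines to serve such a response to a request that is not an XHR. Suggest mirroring that wording here, for example "`protect_from_forgery` now also rejects non-XHR GET requests for JavaScript responses, so a third-party page cannot pull your JS endpoints in via `<script src=...>`." The test example (`xhr :get, :foo, format: :js`) is consistent with that scope and can stay.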
@ -434,6 +318,17 @@ for detailed changes.
|
|||
* Separated Action View completely from Action
|
||||
Pack. ([Pull Request](https://github.com/rails/rails/pull/11032))
|
||||
|
||||
Action Mailer
|
||||
-------------
|
||||
|
||||
Please refer to the
|
||||
[Changelog](https://github.com/rails/rails/blob/4-1-stable/actionmailer/CHANGELOG.md)
|
||||
for detailed changes.
|
||||
|
||||
### Notable changes
|
||||
|
||||
* Instrument the generation of Action Mailer messages. The time it takes to
|
||||
generate a message is written to the log. ([Pull Request](https://github.com/rails/rails/pull/12556))
|
||||
|
||||
Active Record
|
||||
-------------
|
||||
|
@ -578,6 +473,125 @@ for detailed changes.
|
|||
object. Helper methods used by multiple fixtures should be defined on modules
|
||||
included in `ActiveRecord::FixtureSet.context_class`. ([Pull Request](https://github.com/rails/rails/pull/13022))
|
||||
|
||||
Active Model
|
||||
------------
|
||||
|
||||
Please refer to the
|
||||
[Changelog](https://github.com/rails/rails/blob/4-1-stable/activemodel/CHANGELOG.md)
|
||||
for detailed changes.
|
||||
|
||||
### Deprecations
|
||||
|
||||
* Deprecate `Validator#setup`. This should be done manually now in the
|
||||
validator's constructor. ([Commit](https://github.com/rails/rails/commit/7d84c3a2f7ede0e8d04540e9c0640de7378e9b3a))
|
||||
|
||||
### Notable changes
|
||||
|
||||
* Added new API methods `reset_changes` and `changes_applied` to
|
||||
`ActiveModel::Dirty` that control changes state.
|
||||
|
||||
|
||||
Active Support
|
||||
--------------
|
||||
|
||||
Please refer to the
|
||||
[Changelog](https://github.com/rails/rails/blob/4-1-stable/activesupport/CHANGELOG.md)
|
||||
for detailed changes.
|
||||
|
||||
|
||||
### Removals
|
||||
|
||||
* Removed `MultiJSON` dependency. As a result, `ActiveSupport::JSON.decode`
|
||||
no longer accepts an options hash for `MultiJSON`. ([Pull Request](https://github.com/rails/rails/pull/10576) / [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
|
||||
|
||||
* Removed support for the `encode_json` hook used for encoding custom objects into
|
||||
JSON. This feature has been extracted into the [activesupport-json_encoder](https://github.com/rails/activesupport-json_encoder)
|
||||
gem.
|
||||
([Related Pull Request](https://github.com/rails/rails/pull/12183) /
|
||||
[More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
|
||||
|
||||
* Removed deprecated `ActiveSupport::JSON::Variable` with no replacement.
|
||||
|
||||
* Removed deprecated `String#encoding_aware?` core extensions (`core_ext/string/encoding`).
|
||||
|
||||
* Removed deprecated `Module#local_constant_names` in favor of `Module#local_constants`.
|
||||
|
||||
* Removed deprecated `DateTime.local_offset` in favor of `DateTime.civil_from_fromat`.
|
||||
|
||||
* Removed deprecated `Logger` core extensions (`core_ext/logger.rb`).
|
||||
|
||||
* Removed deprecated `Time#time_with_datetime_fallback`, `Time#utc_time` and
|
||||
`Time#local_time` in favor of `Time#utc` and `Time#local`.
|
||||
|
||||
* Removed deprecated `Hash#diff` with no replacement.
|
||||
|
||||
* Removed deprecated `Date#to_time_in_current_zone` in favor of `Date#in_time_zone`.
|
||||
|
||||
* Removed deprecated `Proc#bind` with no replacement.
|
||||
|
||||
* Removed deprecated `Array#uniq_by` and `Array#uniq_by!`, use native
|
||||
`Array#uniq` and `Array#uniq!` instead.
|
||||
|
||||
* Removed deprecated `ActiveSupport::BasicObject`, use
|
||||
`ActiveSupport::ProxyObject` instead.
|
||||
|
||||
* Removed deprecated `BufferedLogger`, use `ActiveSupport::Logger` instead.
|
||||
|
||||
* Removed deprecated `assert_present` and `assert_blank` methods, use `assert
|
||||
object.blank?` and `assert object.present?` instead.
|
||||
|
||||
### Deprecations
|
||||
|
||||
* Deprecated `Numeric#{ago,until,since,from_now}`, the user is expected to
|
||||
explicitly convert the value into an AS::Duration, i.e. `5.ago` => `5.seconds.ago`
|
||||
([Pull Request](https://github.com/rails/rails/pull/12389))
|
||||
|
||||
* Deprecated the require path `active_support/core_ext/object/to_json`. Require
|
||||
`active_support/core_ext/object/json` instead. ([Pull Request](https://github.com/rails/rails/pull/12203))
|
||||
|
||||
* Deprecated `ActiveSupport::JSON::Encoding::CircularReferenceError`. This feature
|
||||
has been extracted into the [activesupport-json_encoder](https://github.com/rails/activesupport-json_encoder)
|
||||
gem.
|
||||
([Pull Request](https://github.com/rails/rails/pull/12785) /
|
||||
[More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
|
||||
|
||||
* Deprecated `ActiveSupport.encode_big_decimal_as_string` option. This feature has
|
||||
been extracetd into the [activesupport-json_encoder](https://github.com/rails/activesupport-json_encoder)
|
||||
gem.
|
||||
([Pull Request](https://github.com/rails/rails/pull/13060) /
|
||||
[More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
|
||||
|
||||
### Notable changes
|
||||
|
||||
* `ActiveSupport`'s JSON encoder has been rewritten to take advantage of the
|
||||
JSON gem rather than doing custom encoding in pure-Ruby.
|
||||
([Pull Request](https://github.com/rails/rails/pull/12183) /
|
||||
[More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
|
||||
|
||||
* Improved compatibility with the JSON gem.
|
||||
([Pull Request](https://github.com/rails/rails/pull/12862) /
|
||||
[More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
|
||||
|
||||
* Added `ActiveSupport::Testing::TimeHelpers#travel` and `#travel_to`. These
|
||||
methods change current time to the given time or time difference by stubbing
|
||||
`Time.now` and
|
||||
`Date.today`. ([Pull Request](https://github.com/rails/rails/pull/12824))
|
||||
|
||||
* Added `Numeric#in_milliseconds`, like `1.hour.in_milliseconds`, so we can feed
|
||||
them to JavaScript functions like
|
||||
`getTime()`. ([Commit](https://github.com/rails/rails/commit/423249504a2b468d7a273cbe6accf4f21cb0e643))
|
||||
|
||||
* Added `Date#middle_of_day`, `DateTime#middle_of_day` and `Time#middle_of_day`
|
||||
methods. Also added `midday`, `noon`, `at_midday`, `at_noon` and
|
||||
`at_middle_of_day` as
|
||||
aliases. ([Pull Request](https://github.com/rails/rails/pull/10879))
|
||||
|
||||
* Added `String#remove(pattern)` as a short-hand for the common pattern of
|
||||
`String#gsub(pattern,'')`. ([Commit](https://github.com/rails/rails/commit/5da23a3f921f0a4a3139495d2779ab0d3bd4cb5f))
|
||||
|
||||
* Removed 'cow' => 'kine' irregular inflection from default
|
||||
inflections. ([Commit](https://github.com/rails/rails/commit/c300dca9963bda78b8f358dbcb59cabcdc5e1dc9))
|
||||
|
||||
Credits
|
||||
-------
|
||||
|
||||
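Review bot: since this hunk re-adds the Active Model and Active Support sections verbatim from the deletion earlier in the patch, it is the place to fix the typos that travel with them: `DateTime.civil_from_fromat` should read `DateTime.civil_from_format`, and "been extracetd into" should read "been extracted into". Two smaller wording points in the same block: the `Numeric#{ago,until,since,from_now}` entry uses "i.e." where "e.g." is meant (`5.ago` => `5.seconds.ago` is one example, not a restatement), and "AS::Duration" is abbreviated while every neighbouring entry spells out `ActiveSupport::...`; write `ActiveSupport::Duration` for consistency.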