2.5 KiB
-
Allow relative redirects when
raise_on_open_redirects
is enabledTom Hughes
-
Allow Content Security Policy DSL to generate for API responses.
Tim Wade
-
Fix
authenticate_with_http_basic
to allow for missing password.Before Rails 7.0 it was possible to handle basic authentication with only a username.
authenticate_with_http_basic do |token, _| ApiClient.authenticate(token) end
This ability is restored.
Jean Boussier
-
Fix
content_security_policy
returning invalid directives.Directives such as
self
,unsafe-eval
and few others were not single quoted when the directive was the result of calling a lambda returning an array.content_security_policy do |policy| policy.frame_ancestors lambda { [:self, "https://example.com"] } end
With this fix the policy generated from above will now be valid.
Edouard Chin
-
Fix
skip_forgery_protection
to run without raising an error if forgery protection has not been enabled /verify_authenticity_token
is not a defined callback.This fix prevents the Rails 7.0 Welcome Page (
/
) from raising anArgumentError
ifdefault_protect_from_forgery
is false.Brad Trick
-
Make
redirect_to
return an empty response body.Application controllers that wish to add a response body after calling
redirect_to
can continue to do so.Jon Dufresne
-
Use non-capturing group for subdomain matching in
ActionDispatch::HostAuthorization
Since we do nothing with the captured subdomain group, we can use a non-capturing group instead.
Sam Bostock
-
Fix
ActionController::Live
to copy the IsolatedExecutionState in the ephemeral thread.Since its inception
ActionController::Live
has been copying thread local variables to keep things such asCurrentAttributes
set from middlewares working in the controller action.With the introduction of
IsolatedExecutionState
in 7.0, some of that global state was lost inActionController::Live
controllers.Jean Boussier
-
Fix setting
trailing_slash: true
in route definition.get '/test' => "test#index", as: :test, trailing_slash: true test_path() # => "/test/"
Jean Boussier
-
Make
Session#merge!
stringify keys.Previously
Session#update
would, butmerge!
wouldn't.Drew Bragg
Please check 7-0-stable for previous changes.