Diffstat (limited to 'actionpack/CHANGELOG.md')
-rw-r--r-- | actionpack/CHANGELOG.md | 385 |
1 files changed, 150 insertions, 235 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index a7a4aabc98..c75f0e83ac 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md 
@@ -1,328 +1,243 @@ -* Remove deprecated `.to_prepare`, `.to_cleanup`, `.prepare!` and `.cleanup!` from `ActionDispatch::Reloader`. +* Changed the system tests to set Puma as default server only when the + user haven't specified manually another server. - *Rafael Mendonça França* - -* Remove deprecated `ActionDispatch::Callbacks.to_prepare` and `ActionDispatch::Callbacks.to_cleanup`. - - *Rafael Mendonça França* - -* Remove deprecated `ActionController::Metal.call`. - - *Rafael Mendonça França* - -* Remove deprecated `ActionController::Metal#env`. - - *Rafael Mendonça França* + *Guillermo Iguaran* -* Make `with_routing` test helper work when testing controllers inheriting from `ActionController::API` +* Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to + default headers set. - *Julia López* + *Guillermo Iguaran* -* Use accept header in integration tests with `as: :json` +* Add headless firefox support to System Tests. - Instead of appending the `format` to the request path, Rails will figure - out the format from the header instead. + *bogdanvlviv* - This allows devs to use `:as` on routes that don't have a format. +* Changed the default system test screenshot output from `inline` to `simple`. - Fixes #27144. + `inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like + Terminal.app ignore the `inline` and output the path to the file since it can't + render the image. Other terminals, like those on Ubuntu, cannot handle the image + inline, but also don't handle it gracefully and instead of outputting the file + path, it dumps binary into the terminal. - *Kasper Timm Hansen* + Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`. -* Reset a new session directly after its creation in `ActionDispatch::IntegrationTest#open_session`. + *Eileen M. Uchitelle* - Fixes #22742. +* Register most popular audio/video/font mime types supported by modern browsers. 
- *Tawan Sierek* + *Guillermo Iguaran* -* Fixes incorrect output from rails routes when using singular resources. +* Fix optimized url helpers when using relative url root - Fixes #26606. + Fixes #31220. - *Erick Reyna* + *Andrew White* -* Fixes multiple calls to `logger.fatal` instead of a single call, - for every line in an exception backtrace, when printing trace - from `DebugExceptions` middleware. - Fixes #26134. +## Rails 5.2.0.beta2 (November 28, 2017) ## - *Vipul A M* +* No changes. -* Add support for arbitrary hashes in strong parameters: - ```ruby - params.permit(preferences: {}) - ``` +## Rails 5.2.0.beta1 (November 27, 2017) ## - *Xavier Noria* +* Add DSL for configuring Content-Security-Policy header -* Add `ActionController::Parameters#merge!`, which behaves the same as `Hash#merge!`. - - *Yuji Yaginuma* - -* Allow keys not found in `RACK_KEY_TRANSLATION` for setting the environment when rendering - arbitrary templates. - - *Sammy Larbi* - -* Remove deprecated support to non-keyword arguments in `ActionDispatch::IntegrationTest#process`, - `#get`, `#post`, `#patch`, `#put`, `#delete`, and `#head`. - - *Rafael Mendonça França* - -* Remove deprecated `ActionDispatch::IntegrationTest#*_via_redirect`. - - *Rafael Mendonça França* + The DSL allows you to configure a global Content-Security-Policy + header and then override within a controller. For more information + about the Content-Security-Policy header see MDN: -* Remove deprecated `ActionDispatch::IntegrationTest#xml_http_request`. + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy - *Rafael Mendonça França* - -* Remove deprecated support for passing `:path` and route path as strings in `ActionDispatch::Routing::Mapper#match`. - - *Rafael Mendonça França* - -* Remove deprecated support for passing path as `nil` in `ActionDispatch::Routing::Mapper#match`. 
- - *Rafael Mendonça França* - -* Remove deprecated `cache_control` argument from `ActionDispatch::Static#initialize`. - - *Rafael Mendonça França* - -* Remove deprecated support to passing strings or symbols to the middleware stack. - - *Rafael Mendonça França* - -* Change HSTS subdomain to true. - - *Rafael Mendonça França* - -* Remove deprecated `host` and `port` ssl options. - - *Rafael Mendonça França* + Example global policy: -* Remove deprecated `const_error` argument in - `ActionDispatch::Session::SessionRestoreError#initialize`. + # config/initializers/content_security_policy.rb + Rails.application.config.content_security_policy do |p| + p.default_src :self, :https + p.font_src :self, :https, :data + p.img_src :self, :https, :data + p.object_src :none + p.script_src :self, :https + p.style_src :self, :https, :unsafe_inline + end - *Rafael Mendonça França* + Example controller overrides: -* Remove deprecated `#original_exception` in `ActionDispatch::Session::SessionRestoreError`. + # Override policy inline + class PostsController < ApplicationController + content_security_policy do |p| + p.upgrade_insecure_requests true + end + end - *Rafael Mendonça França* + # Using literal values + class PostsController < ApplicationController + content_security_policy do |p| + p.base_uri "https://www.example.com" + end + end -* Deprecate `ActionDispatch::ParamsParser::ParseError` in favor of - `ActionDispatch::Http::Parameters::ParseError`. + # Using mixed static and dynamic values + class PostsController < ApplicationController + content_security_policy do |p| + p.base_uri :self, -> { "https://#{current_user.domain}.example.com" } + end + end - *Rafael Mendonça França* + Allows you to also only report content violations for migrating + legacy content using the `content_security_policy_report_only` + configuration attribute, e.g; -* Remove deprecated `ActionDispatch::ParamsParser`. 
+ # config/initializers/content_security_policy.rb + Rails.application.config.content_security_policy_report_only = true - *Rafael Mendonça França* + # controller override + class PostsController < ApplicationController + self.content_security_policy_report_only = true + end -* Remove deprecated `original_exception` and `message` arguments in - `ActionDispatch::ParamsParser::ParseError#initialize`. + Note that this feature does not validate the header for performance + reasons since the header is calculated at runtime. - *Rafael Mendonça França* + *Andrew White* -* Remove deprecated `#original_exception` in `ActionDispatch::ParamsParser::ParseError`. +* Make `assert_recognizes` to traverse mounted engines - *Rafael Mendonça França* + *Yuichiro Kaneko* -* Remove deprecated access to mime types through constants. +* Remove deprecated `ActionController::ParamsParser::ParseError`. *Rafael Mendonça França* -* Remove deprecated support to non-keyword arguments in `ActionController::TestCase#process`, - `#get`, `#post`, `#patch`, `#put`, `#delete`, and `#head`. +* Add `:allow_other_host` option to `redirect_back` method. - *Rafael Mendonça França* + When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a + different host. `allow_other_host` is `true` by default. -* Remove deprecated `xml_http_request` and `xhr` methods in `ActionController::TestCase`. + *Tim Masliuchenko* - *Rafael Mendonça França* +* Add headless chrome support to System Tests. -* Remove deprecated methods in `ActionController::Parameters`. - - *Rafael Mendonça França* + *Yuji Yaginuma* -* Remove deprecated support to comparing a `ActionController::Parameters` - with a `Hash`. +* Add ability to enable Early Hints for HTTP/2 - *Rafael Mendonça França* + If supported by the server, and enabled in Puma this allows H2 Early Hints to be used. -* Remove deprecated support to `:text` in `render`. 
+ The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested. - *Rafael Mendonça França* + *Eileen M. Uchitelle*, *Aaron Patterson* -* Remove deprecated support to `:nothing` in `render`. +* Simplify cookies middleware with key rotation support - *Rafael Mendonça França* + Use the `rotate` method for both `MessageEncryptor` and + `MessageVerifier` to add key rotation support for encrypted and + signed cookies. This also helps simplify support for legacy cookie + security. -* Remove deprecated support to `:back` in `redirect_to`. + *Michael J Coyne* - *Rafael Mendonça França* +* Use Capybara registered `:puma` server config. -* Remove deprecated support to passing status as option `head`. + The Capybara registered `:puma` server ensures the puma server is run in process so + connection sharing and open request detection work correctly by default. - *Rafael Mendonça França* + *Thomas Walpole* -* Remove deprecated support to passing original exception to `ActionController::BadRequest` - and the `ActionController::BadRequest#original_exception` method. +* Cookies `:expires` option supports `ActiveSupport::Duration` object. - *Rafael Mendonça França* + cookies[:user_name] = { value: "assain", expires: 1.hour } + cookies[:key] = { value: "a yummy cookie", expires: 6.months } -* Remove deprecated methods `skip_action_callback`, `skip_filter`, `before_filter`, - `prepend_before_filter`, `skip_before_filter`, `append_before_filter`, `around_filter` - `prepend_around_filter`, `skip_around_filter`, `append_around_filter`, `after_filter`, - `prepend_after_filter`, `skip_after_filter` and `append_after_filter`. + Pull Request: #30121 - *Rafael Mendonça França* + *Assain Jaleel* -* Show an "unmatched constraints" error when params fail to match constraints - on a matched route, rather than a "missing keys" error. +* Enforce signed/encrypted cookie expiry server side. - Fixes #26470. 
+ Rails can thwart attacks by malicious clients that don't honor a cookie's expiry. - *Chris Carter* + It does so by stashing the expiry within the written cookie and relying on the + signing/encrypting to vouch that it hasn't been tampered with. Then on a + server-side read, the expiry is verified and any expired cookie is discarded. -* Fix adding implicitly rendered template digests to ETags. + Pull Request: #30121 - Fixes a case when modifying an implicitly rendered template for a - controller action using `fresh_when` or `stale?` would not result in a new - `ETag` value. + *Assain Jaleel* - *Javan Makhmali* +* Make `take_failed_screenshot` work within engine. -* Make `fixture_file_upload` work in integration tests. + Fixes #30405. *Yuji Yaginuma* -* Add `to_param` to `ActionController::Parameters` deprecations. +* Deprecate `ActionDispatch::TestResponse` response aliases - In the future `ActionController::Parameters` are discouraged from being used - in URLs without explicit whitelisting. Go through `to_h` to use `to_param`. - - *Kir Shatrov* + `#success?`, `#missing?` & `#error?` are not supported by the actual + `ActionDispatch::Response` object and can produce false-positives. Instead, + use the response helpers provided by `Rack::Response`. -* Fix nested multiple roots + *Trevor Wistaff* - The PR #20940 enabled the use of multiple roots with different constraints - at the top level but unfortunately didn't work when those roots were inside - a namespace and also broke the use of root inside a namespace after a top - level root was defined because the check for the existence of the named route - used the global :root name and not the namespaced name. +* Protect from forgery by default - This is fixed by using the name_for_action method to expand the :root name to - the full namespaced name. We can pass nil for the second argument as we're not - dealing with resource definitions so don't need to handle the cases for edit - and new routes. 
+ Rather than protecting from forgery in the generated `ApplicationController`, + add it to `ActionController::Base` depending on + `config.action_controller.default_protect_from_forgery`. This configuration + defaults to false to support older versions which have removed it from their + `ApplicationController`, but is set to true for Rails 5.2. - Fixes #26148. + *Lisa Ugray* - *Ryo Hashimoto*, *Andrew White* +* Fallback `ActionController::Parameters#to_s` to `Hash#to_s`. -* Include the content of the flash in the auto-generated etag. This solves the following problem: - - 1. POST /messages - 2. redirect_to messages_url, notice: 'Message was created' - 3. GET /messages/1 - 4. GET /messages - - Step 4 would before still include the flash message, even though it's no longer relevant, - because the etag cache was recorded with the flash in place and didn't change when it was gone. - - *DHH* - -* SSL: Changes redirect behavior for all non-GET and non-HEAD requests - (like POST/PUT/PATCH etc) to `http://` resources to redirect to `https://` - with a [307 status code](http://tools.ietf.org/html/rfc7231#section-6.4.7) instead of [301 status code](http://tools.ietf.org/html/rfc7231#section-6.4.2). - - 307 status code instructs the HTTP clients to preserve the original - request method while redirecting. It has been part of HTTP RFC since - 1999 and is implemented/recognized by most (if not all) user agents. - - # Before - POST http://example.com/articles (i.e. ArticlesContoller#create) - redirects to - GET https://example.com/articles (i.e. ArticlesContoller#index) - - # After - POST http://example.com/articles (i.e. ArticlesContoller#create) - redirects to - POST https://example.com/articles (i.e. ArticlesContoller#create) - - *Chirag Singhal* - -* Add `:as` option to `ActionController:TestCase#process` and related methods. 
- - Specifying `as: mime_type` allows the `CONTENT_TYPE` header to be specified - in controller tests without manually doing this through `@request.headers['CONTENT_TYPE']`. - - *Everest Stefan Munro-Zeisberger* - -* Show cache hits and misses when rendering partials. - - Partials using the `cache` helper will show whether a render hit or missed - the cache: - - ``` - Rendered messages/_message.html.erb in 1.2 ms [cache hit] - Rendered recordings/threads/_thread.html.erb in 1.5 ms [cache miss] - ``` - - This removes the need for the old fragment cache logging: + *Kir Shatrov* - ``` - Read fragment views/v1/2914079/v1/2914079/recordings/70182313-20160225015037000000/d0bdf2974e1ef6d31685c3b392ad0b74 (0.6ms) - Rendered messages/_message.html.erb in 1.2 ms [cache hit] - Write fragment views/v1/2914079/v1/2914079/recordings/70182313-20160225015037000000/3b4e249ac9d168c617e32e84b99218b5 (1.1ms) - Rendered recordings/threads/_thread.html.erb in 1.5 ms [cache miss] - ``` +* `driven_by` now registers poltergeist and capybara-webkit. - Though that full output can be reenabled with - `config.action_controller.enable_fragment_cache_logging = true`. + If poltergeist or capybara-webkit are set as drivers is set for System Tests, + `driven_by` will register the driver and set additional options passed via + the `:options` parameter. - *Stan Lo* + Refer to the respective driver's documentation to see what options can be passed. -* Don't override the `Accept` header in integration tests when called with `xhr: true`. + *Mario Chavez* - Fixes #25859. +* AEAD encrypted cookies and sessions with GCM. - *David Chen* + Encrypted cookies now use AES-GCM which couples authentication and + encryption in one faster step and produces shorter ciphertexts. Cookies + encrypted using AES in CBC HMAC mode will be seamlessly upgraded when + this new mode is enabled via the + `action_dispatch.use_authenticated_cookie_encryption` configuration value. -* Fix `defaults` option for root route. 
+ *Michael J Coyne* - A regression from some refactoring for the 5.0 release, this change - fixes the use of `defaults` (default parameters) in the `root` routing method. +* Change the cache key format for fragments to make it easier to debug key churn. The new format is: - *Chris Arcand* + views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123 + ^template path ^template tree digest ^class ^id -* Check `request.path_parameters` encoding at the point they're set. + *DHH* - Check for any non-UTF8 characters in path parameters at the point they're - set in `env`. Previously they were checked for when used to get a controller - class, but this meant routes that went directly to a Rack app, or skipped - controller instantiation for some other reason, had to defend against - non-UTF8 characters themselves. +* Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the + `ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version` + to support it. - *Grey Baker* + *DHH* -* Don't raise `ActionController::UnknownHttpMethod` from `ActionDispatch::Static`. +* Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load` - Pass `Rack::Request` objects to `ActionDispatch::FileHandler` to avoid it - raising `ActionController::UnknownHttpMethod`. If an unknown method is - passed, it should pass exception higher in the stack instead, once we've had a - chance to define exception handling behaviour. + `ActionController::Base` and `ActionController::API` have differing implementations. This means that + the one umbrella hook `action_controller` is not able to address certain situations where a method + may not exist in a certain implementation. 
- *Grey Baker* + This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API` -* Handle `Rack::QueryParser` errors in `ActionDispatch::ExceptionWrapper`. + Fixes #27013. - Updated `ActionDispatch::ExceptionWrapper` to handle the Rack 2.0 namespace - for `ParameterTypeError` and `InvalidParameterError` errors. + *Julian Nadeau* - *Grey Baker* -Please check [5-0-stable](https://github.com/rails/rails/blob/5-0-stable/actionpack/CHANGELOG.md) for previous changes. +Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes. |
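Review bot: The `:allow_other_host` entry for `redirect_back` describes the option backwards: the `Referer` is the source of the redirect target, so with `allow_other_host: false` the method refuses to redirect *to* a host other than the current one and falls back to `fallback_location`, not "redirecting from a different host"; suggest "will not redirect back to a different host (the fallback location is used instead)", since this is the open-redirect protection readers will be looking for. Two smaller wording points in the same hunk: the Puma entry should read "only when the user hasn't manually specified another server", and the forgery-by-default entry's "older versions which have removed it from their `ApplicationController`" is ambiguous about whether it means apps upgraded from 5.1 that still call `protect_from_forgery` there versus apps that deleted it; a clause such as "apps upgraded from earlier versions keep protection via their existing `ApplicationController` call" would make the default-false rationale clear.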