path: root/actionpack/CHANGELOG.md

Commit log for actionpack/CHANGELOG.md. Each entry lists the commit subject, followed in parentheses by author, date, number of files changed and lines removed/added, and then the commit message body where one exists.
* Merge pull request #29286 from vinistock/create_missing_exact_template_exception (Rafael Mendonça França, 2018-04-20, 1 file, -0/+7)
  Create MissingExactTemplate exception with separate template

* Introduce ActionDispatch::DebugExceptions interceptors (Genadi Samokovarov, 2018-04-20, 1 file, -0/+12)
  Plugins interacting with the exceptions caught and displayed by ActionDispatch::DebugExceptions currently have to monkey patch it to get the much needed exception for their calculation. With DebugExceptions.register_interceptor, plugin authors can hook into DebugExceptions and process the exception, before being rendered. They can store it into the request and process it on the way back of the middleware chain execution or act on it straight in the interceptor. The interceptors can be plain blocks, procs, lambdas or any object that responds to `#call`.

* Revert "Merge pull request #32652 from bogdanvlviv/add-missing-changelog-for-32593" (Rafael Mendonça França, 2018-04-19, 1 file, -12/+0)
  This reverts commit 78ff47f3e77925f72d98579da6feb68f36052ad8, reversing changes made to daffe03308bffc43ea343a886aab33082d83bb9c. That changelog entry should only be on 5-2-stable.

* Add missing changelog entry (bogdanvlviv, 2018-04-20, 1 file, -0/+12)
  https://github.com/rails/rails/pull/32593 was backported to `5-2-stable` but since 5.2.0 is released the changelog entry should be in Rails 6.0.0 too. [ci skip]

* Fix reference to fixed issue in actionpack/CHANGELOG.md (bogdanvlviv, 2018-04-19, 1 file, -1/+1)
  Pull Request #32602 fixes Issue #32597. [ci skip]
* Don't link issue number in CHANGELOG [ci skip] (Andrew White, 2018-04-18, 1 file, -1/+1)

* Pass nonce to CSP policy from outside (Andrew White, 2018-04-18, 1 file, -1/+1)

* Output only one nonce in CSP header per request (Andrey Novikov, 2018-04-17, 1 file, -0/+6)

* Include default headers by default in API mode (Kevin Deisz, 2018-04-06, 1 file, -0/+4)
  ActionDispatch's default headers are now moved into their own module, which is by default included in both Base and API. This allows API-mode applications to take advantage of the default security headers, as well as providing an easy way to add more.

* Add changelog entry for #32446 (bogdanvlviv, 2018-04-06, 1 file, -0/+4)
  In #32446 the method `dig` was added to `session`. Improve the docs of method `dig`. [ci skip]

* Deprecate controller level force_ssl (Derek Prior, 2018-03-30, 1 file, -0/+5)
  Today there are two common ways for Rails developers to force their applications to communicate over HTTPS:
  * `config.force_ssl` is a setting in environment configurations that enables the `ActionDispatch::SSL` middleware. With this middleware enabled, all HTTP communication to your application will be redirected to HTTPS. The middleware also takes care of other best practices by setting HSTS headers, upgrading all cookies to secure only, etc.
  * The `force_ssl` controller method redirects HTTP requests to certain controllers to HTTPS.
  As a consultant, I've seen many applications with misconfigured HTTPS setups due to developers adding `force_ssl` to `ApplicationController` and not enabling `config.force_ssl`. With this configuration, many application requests can be served over HTTP such as assets, requests that hit mounted engines, etc. In addition, because cookies are not upgraded to secure only in this configuration and HSTS headers are not set, it's possible for cookies that are meant to be secure to be sent over HTTP. The confusion between these two methods of forcing HTTPS is compounded by the fact that they share an identical name. This makes finding documentation on the "right" method confusing. HTTPS throughout is quickly becoming table stakes for all web sites. Sites are expected to operate over HTTPS for all communication, sensitive or otherwise. Let's encourage use of the broader-reaching `ActionDispatch::SSL` middleware and eliminate this source of user confusion. If, for some reason, applications need to expose certain endpoints over HTTP they can do so by properly configuring `config.ssl_options`.
* Don't need to include in the changelog something that was released in 5.2 (Rafael Mendonça França, 2018-03-15, 1 file, -4/+0)
  [ci skip]

* Check exclude before flagging cookies as secure in ActionDispatch::SSL (#32262) (Catherine Khuu, 2018-03-15, 1 file, -0/+4)
  * Check exclude before flagging cookies as secure.
  * Update comments in ActionDispatch::SSL.
  [Catherine Khuu + Rafael Mendonça França]

* Remove changelog header for unreleased version (Rafael Mendonça França, 2018-03-13, 1 file, -2/+0)
  We only add the header when releasing to avoid some conflicts. [ci skip]

* Remove CHANGELOG entries which were backported to 5-2-stable (Ryuta Kamizono, 2018-02-28, 1 file, -5/+0)

* Support for automatic nonce generation was backported to 5.2 (Guillermo Iguaran, 2018-02-24, 1 file, -28/+0)

* Add support for automatic nonce generation for Rails UJS (Andrew White, 2018-02-19, 1 file, -0/+28)
  Because the UJS library creates a script tag to process responses it normally requires the script-src attribute of the content security policy to include 'unsafe-inline'. To work around this we generate a per-request nonce value that is embedded in a meta tag in a similar fashion to how CSRF protection embeds its token in a meta tag. The UJS library can then read the nonce value and set it on the dynamically generated script tag to enable it to execute without needing 'unsafe-inline' enabled. Nonce generation isn't 100% safe - if your script tag is including user generated content in some way then it may be possible to exploit an XSS vulnerability which can take advantage of the nonce. It is however an improvement on a blanket permission for inline scripts. It is also possible to use the nonce within your own script tags by using `nonce: true` to set the nonce value on the tag, e.g. `<%= javascript_tag nonce: true do %> alert('Hello, World!'); <% end %>`. Fixes #31689.

* Rails 6 requires Ruby 2.4.1+ (Jeremy Daer, 2018-02-17, 1 file, -0/+6)
  Skipping over 2.4.0 to sidestep the `"symbol_from_string".to_sym.dup` bug. References #32028
* Add changelog entry for #31844 (bogdanvlviv, 2018-02-01, 1 file, -0/+4)

* Start Rails 6.0 development!!! (Rafael Mendonça França, 2018-01-30, 1 file, -245/+1)
  :tada::tada::tada:

* Add 'Referrer-Policy' header to default headers set (Guillermo Iguaran, 2018-01-08, 1 file, -0/+4)

* Added deprecations and removals notes for Action Pack [ci skip] (Prathamesh Sonpatki, 2018-01-07, 1 file, -1/+1)

* Minor cleanup of CHANGELOG of PR #30850 [ci skip] (Prathamesh Sonpatki, 2017-12-17, 1 file, -3/+3)

* Change the system tests to set Puma as default server only when the user hasn't manually specified another server. (Guillermo Iguaran, 2017-12-09, 1 file, -0/+5)

* Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to default headers set. (Guillermo Iguaran, 2017-12-09, 1 file, -0/+5)

* Add headless firefox driver to System Tests (bogdanvlviv, 2017-12-07, 1 file, -0/+4)

* Add changelog entry for 9d6e28 (eileencodes, 2017-11-30, 1 file, -0/+12)
  Since this changes a default setting a changelog entry is important.
* Register most popular audio/video/font mime types supported by modern browsers (Guillermo Iguaran, 2017-11-28, 1 file, -0/+4)

* Preparing for 5.2.0.beta2 release (Rafael Mendonça França, 2017-11-28, 1 file, -0/+5)

* Fix optimized url helpers when using relative url root (Andrew White, 2017-11-28, 1 file, -0/+7)
  Fixes #31220.

* Preparing for 5.2.0.beta1 release (Rafael Mendonça França, 2017-11-27, 1 file, -0/+2)

* Fix CHANGELOG for CSP PR #31162 [ci skip] (Prathamesh Sonpatki, 2017-11-27, 1 file, -10/+10)

* Add CHANGELOG.md entry for #31162 [ci skip] (Andrew White, 2017-11-27, 1 file, -0/+60)

* Merge pull request #22435 from yui-knk/fix_engine_route_test (Rafael Mendonça França, 2017-11-06, 1 file, -0/+4)
  Make `assert_recognizes` traverse mounted engines

* Make `assert_recognizes` traverse mounted engines (yui-knk, 2016-04-23, 1 file, -0/+4)
  Before this commit, paths of mounted engines are not traversed when `assert_recognizes` is called, causing strange test results. This commit enables traversing mounted paths.
* Remove deprecated `ActionController::ParamsParser::ParseError` (Rafael Mendonça França, 2017-10-23, 1 file, -2/+6)

* Add changelog entry about new `allow_other_host` option for `redirect_back` method [ci skip] (bogdanvlviv, 2017-10-22, 1 file, -0/+7)
  Related to #30850

* Add headless chrome driver to System Tests (yuuji.yaginuma, 2017-10-17, 1 file, -0/+4)

* Implement H2 Early Hints for Rails (eileencodes, 2017-10-04, 1 file, -0/+8)
  When puma/puma#1403 is merged Puma will support the Early Hints status code for sending assets before a request has finished. While the Early Hints spec is still in draft, this PR prepares Rails to allow this status code. If the proxy server supports Early Hints, it will send H2 pushes to the client. This PR adds a method for setting Early Hints Link headers via Rails, and also automatically sends Early Hints if supported from the `stylesheet_link_tag` and the `javascript_include_tag`. Once puma supports Early Hints the `--early-hints` argument can be passed to the server to enable this or set in the puma config with `early_hints(true)`. Note that for Early Hints to work in the browser the requirements are 1) a proxy that can handle H2, and 2) HTTPS. To start the server with Early Hints enabled pass `--early-hints` to `rails s`. This has been verified to work with h2o, Puma, and Rails with Chrome. The commit adds a new option to the rails server to enable early hints for Puma. Early Hints spec: https://tools.ietf.org/html/draft-ietf-httpbis-early-hints-04 [Eileen M. Uchitelle, Aaron Patterson]

* Fix indentation in CHANGELOG [ci skip] (Ryuta Kamizono, 2017-09-26, 1 file, -3/+3)

* Add key rotation cookies middleware (Michael Coyne, 2017-09-24, 1 file, -0/+9)
  Using the action_dispatch.cookies_rotations interface, key rotation is now possible with cookies. Thus the secret_key_base as well as salts, ciphers, and digests, can be rotated without expiring sessions.

* Use the default Capybara registered puma server configuration (Thomas Walpole, 2017-09-18, 1 file, -0/+7)

* :scissors: (Ryuta Kamizono, 2017-09-07, 1 file, -1/+1)
  [ci skip]

* This commit adds: (Assain, 2017-09-04, 1 file, -0/+21)
  * Documentation for Duration support added to signed/encrypted cookies
  * Changelog entries for the duration support and expiry metadata added to cookies
  [ci skip]
* Retrieve screenshot in relative path of current directory (yuuji.yaginuma, 2017-08-27, 1 file, -0/+6)
  In a Rails engine `Rails.root` returns the path of the dummy application. Therefore, there is no `tmp` directory where the test is running, so it cannot get the screenshot. For this reason, instead of directly specifying tmp, retrieve the screenshot by relative path from the current directory. Fixes #30405

* Deprecate ActionDispatch::TestResponse response aliases (Trevor Wistaff, 2017-08-07, 1 file, -0/+8)
  https://github.com/rails/rails/issues/30072

* Lint actionpack/CHANGELOG.md (Jon Moss, 2017-08-06, 1 file, -3/+3)
  Fixes a few grammar things. [ci skip]

* Add backticks for class names in CHANGELOG [ci skip] (Ryuta Kamizono, 2017-07-11, 1 file, -3/+3)

* Protect from forgery by default (Lisa Ugray, 2017-07-10, 1 file, -0/+10)
  Rather than protecting from forgery in the generated ApplicationController, add it to ActionController::Base by config. This configuration defaults to false to support older versions which have removed it from their ApplicationController, but is set to true for Rails 5.2.

* Add CHANGELOG for #29630 [ci skip] (Prathamesh Sonpatki, 2017-07-01, 1 file, -0/+4)