path: root/actionpack/lib/action_controller/base.rb
Commit message | Author | Age | Files | Lines
* Adds support for configuring HTTP Feature Policy (#33439) | Jacob Bednarz | 2019-07-10 | 1 | -0/+1

    An HTTP feature policy is Yet Another HTTP header for instructing the browser about which features the application intends to make use of and to lock down access to others. This is a new security mechanism that ensures that should an application become compromised or a third party attempts an unexpected action, the browser will override it and maintain the intended UX.

    WICG specification: https://wicg.github.io/feature-policy/

    The end result is an HTTP header that looks like the following:

    ```
    Feature-Policy: geolocation 'none'; autoplay https://example.com
    ```

    This will prevent the browser from using geolocation and only allow autoplay on `https://example.com`. Full feature list can be found over in the WICG repository[1].

    As of today Chrome and Safari have public support[2] for this functionality with Firefox working on support[3] and Edge still pending acceptance of the suggestion[4].

    #### Examples

    Using an initializer

    ```rb
    # config/initializers/feature_policy.rb
    Rails.application.config.feature_policy do |f|
      f.geolocation :none
      f.camera :none
      f.payment "https://secure.example.com"
      f.fullscreen :self
    end
    ```

    In a controller

    ```rb
    class SampleController < ApplicationController
      def index
        feature_policy do |f|
          f.geolocation "https://example.com"
        end
      end
    end
    ```

    Some of you might realise that the HTTP feature policy looks pretty close to that of a Content Security Policy; and you're right. So much so that I used the Content Security Policy DSL from #31162 as the starting point for this change.

    This change *doesn't* introduce support for defining a feature policy on an iframe and this has been intentionally done to split the HTTP header and the HTML element (`iframe`) support. If this is successful, I'll look to add that on its own.

    Full documentation on HTTP feature policies can be found at https://wicg.github.io/feature-policy/. Google have also published[5] a great in-depth write up of this functionality.

    [1]: https://github.com/WICG/feature-policy/blob/master/features.md
    [2]: https://www.chromestatus.com/feature/5694225681219584
    [3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1390801
    [4]: https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/33507907-support-feature-policy
    [5]: https://developers.google.com/web/updates/2018/06/feature-policy
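The DSL and header grammar described in the commit message above, as an added example that is not part of the commit or of Rails's own implementation: a stand-alone Ruby builder that serialises the same directives (`:none`/`:self` keywords, origin strings) to a `Feature-Policy` header value, plus a parser and a check that a test suite or response monitor can run against what the server actually emits. The class and function names are assumed, and only the directives that appear in the message's examples are modelled.

```ruby
require "uri"

# Stand-alone model of the Feature-Policy DSL (added example, not Rails's own
# ActionDispatch code). Symbols become the quoted keywords the header grammar
# uses; strings are treated as origins and validated before being emitted.
class FeaturePolicyBuilder
  KEYWORDS = { none: "'none'", self: "'self'" }.freeze
  # Only the directive names used in the commit message are modelled here
  # (assumption: the full WICG feature list is considerably longer).
  DIRECTIVES = %i[geolocation camera payment fullscreen autoplay].freeze

  def initialize
    @directives = {}
  end

  # One method per directive: f.geolocation :none, f.payment "https://..."
  DIRECTIVES.each do |name|
    define_method(name) do |*sources|
      @directives[name.to_s] = sources.map { |s| serialize_source(s) }
      self
    end
  end

  # Header value in the form "geolocation 'none'; autoplay https://example.com"
  def build
    @directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
  end

  private

  def serialize_source(source)
    if source.is_a?(Symbol)
      return KEYWORDS.fetch(source) { raise ArgumentError, "unknown keyword #{source.inspect}" }
    end
    uri = URI.parse(source.to_s)
    unless uri.scheme && uri.host
      raise ArgumentError, "origin needs a scheme and host: #{source.inspect}"
    end
    source.to_s
  rescue URI::InvalidURIError
    raise ArgumentError, "not a valid origin: #{source.inspect}"
  end
end

# The initializer example from the commit message, expressed with the builder.
def example_policy_header
  policy = FeaturePolicyBuilder.new
  policy.geolocation :none
  policy.camera :none
  policy.payment "https://secure.example.com"
  policy.fullscreen :self
  policy.build
end

# Parse a received Feature-Policy header value back into directive => sources,
# so a test can assert that the deployed policy matches what was configured.
def parse_feature_policy(value)
  value.split(";").each_with_object({}) do |directive, acc|
    name, *sources = directive.strip.split(/\s+/)
    acc[name] = sources unless name.nil? || name.empty?
  end
end

# True only when the policy denies the feature to every origin, the page itself
# included; a missing directive leaves the browser default in force.
def feature_locked?(policy, name)
  policy[name] == ["'none'"]
end

if __FILE__ == $PROGRAM_NAME
  header = example_policy_header
  puts "Feature-Policy: #{header}"
  puts parse_feature_policy(header).inspect
  puts "geolocation locked? #{feature_locked?(parse_feature_policy(header), 'geolocation')}"
end
```

Origins are validated but not normalised (a path or query on the string is passed through as given), so the value a caller supplies is exactly what lands in the header, which keeps the output easy to compare against the configuration in a test.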
* Add quotes to code in rdoc comment in ActionController [ci skip] | Eddie Lebow | 2018-04-30 | 1 | -1/+1

    The example code is meant to be a string.
* Include default headers by default in API mode | Kevin Deisz | 2018-04-06 | 1 | -6/+1

    ActionDispatch's default headers are now moved into their own module that are by default included in both Base and API. This allows API-mode applications to take advantage of the default security headers, as well as providing an easy way to add more.
* Add DSL for configuring Content-Security-Policy header | Andrew White | 2017-11-27 | 1 | -0/+1

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
* [Action Pack] require => require_relative | Akira Matsuda | 2017-10-21 | 1 | -2/+2

    This basically reverts e9fca7668b9eba82bcc832cb0061459703368397, d08da958b9ae17d4bbe4c9d7db497ece2450db5f, d1fe1dcf8ab1c0210a37c2a78c1ee52cf199a66d, and 68eaf7b4d5f2bb56d939f71c5ece2d61cf6680a3
* Use frozen string literal in actionpack/ | Kir Shatrov | 2017-07-29 | 1 | -0/+2
* [Action Controller] require => require_relative | Akira Matsuda | 2017-07-01 | 1 | -2/+2
* Add action_controller_api, action_controller_base on_load hook | Julian Nadeau | 2017-04-10 | 1 | -0/+1
* Do not include default response headers for AC::Metal | Jon Moss | 2017-03-29 | 1 | -0/+6

    In Rails 4.2, `ActionController::Metal` controllers did not include the default headers from `ActionDispatch::Response`. However, through e16afe6, and a general shift towards having `ActionController::Metal` objects contain `ActionDispatch::Response` objects (instead of just returning an array of status, headers, and body), this behavior was lost.

    This PR helps to restore the original behavior by having `ActionController::Metal` controllers generate Response objects without the default headers, while `ActionController::Base` now overrides the factory method to make sure its version does have the default headers.
* [docs] fix ActionController documentation | Hrvoje Šimić | 2017-03-12 | 1 | -4/+4

    [ci skip]
* Include the content of the flash in the auto-generated etag (#26250) | David Heinemeier Hansson | 2016-08-22 | 1 | -0/+1

    Include the content of the flash in the auto-generated etag
* Allow specifying encoding of parameters by action | Kerri Miller | 2016-08-09 | 1 | -1/+1

    At GitHub we need to handle parameter encodings that are not UTF-8. This patch allows us to specify encodings per parameter per action.
* applies new string literal convention in actionpack/lib | Xavier Noria | 2016-08-06 | 1 | -1/+1

    The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* [ci skip] Add 'params' formatting in ActionController::Base | Alex Kitchens | 2016-06-30 | 1 | -4/+4
* Implement helpers proxy in controller instance level | Rafael Mendonça França | 2016-05-05 | 1 | -1/+1

    It is a common pattern in the Rails community that when people want to use any kind of helper that is defined inside app/helpers they include the helper module inside the controller like:

        module UserHelper
          def my_user_helper
            # ...
          end
        end

        class UsersController < ApplicationController
          include UserHelper

          def index
            render inline: my_user_helper
          end
        end

    This has a problem because the helper can't access anything that is defined in the view level context class. Also all public methods of the helper become available in the controller, which can lead to undesirable methods being routed and behaving as actions.

    Also if your helper depends on other helpers or even Action View helpers you need to include each one of these dependencies in your controller otherwise your helper is not going to work.

    We already have a helpers proxy at controller class level but that proxy doesn't have access to the instance variables defined in the controller.

    With this new instance level helper proxy users can reuse helpers in the controller without having to include the modules and with access to instance variables defined in the controller.

        class UsersController < ApplicationController
          def index
            render inline: helpers.my_user_helper
          end
        end
* Move protected instance variable to the right place | Rafael Mendonça França | 2016-05-05 | 1 | -3/+4

    There were a lot of protected instance variables in AbstractController::Rendering that were related to Action Controller and Action View. Moving to ActionController::Base's protected instance list we make it closer to where they are really defined.
* Fix actionpack typos [ci skip] | Tom Kadwill | 2016-05-04 | 1 | -1/+1
* eagerly allocate the renderer object | Aaron Patterson | 2015-09-14 | 1 | -0/+1

    this means the reader doesn't need to lock, but does have the added cost of a new object created for every controller
* Merge pull request #21298 from rodzyn/remove_dead_code | Rafael Mendonça França | 2015-09-01 | 1 | -4/+0

    Remove dead code

  * Remove dead code | Marcin Olichwirowicz | 2015-08-19 | 1 | -4/+0
* remove RackDelegation module | Aaron Patterson | 2015-08-26 | 1 | -1/+0

    Since all controller instances are required to have a request and response object, RackDelegation is no longer needed (we always have to delegate to the response)
* remove ivars from the "protected" list | Aaron Patterson | 2015-08-26 | 1 | -1/+1

    these ivars don't exist anymore, so we can remove them from the list
* stop using @_env in the controller instance | Aaron Patterson | 2015-08-07 | 1 | -1/+1

    Actions are processed through `dispatch`, so they should have the request set on them before any user land code can be executed. Let's stop setting _env on the controller, and give access to it through the `env` method.
* Merge pull request #21008 from svenwin/patch-1 | Yves Senn | 2015-08-01 | 1 | -1/+1

    Add documentation to get a running custom base controller [ci skip]

  * Add documentation to get a running custom base controller [ci skip] | Sven Winkler | 2015-07-23 | 1 | -1/+1
* fixed sring to be string in ActiveRecord::Base params documentation | Colby Swandale | 2015-06-12 | 1 | -1/+1
* better clarity of params source in ActionController::Base documentation [ci skip] | Colby Swandale | 2015-06-11 | 1 | -3/+3
* Override default form builder for a controller | Kevin McPhillips | 2015-04-13 | 1 | -0/+1
* Remove ActionController::HideActions (closes #18336) | brainopia | 2015-01-06 | 1 | -1/+0
* :scissors: | Rafael Mendonça França | 2014-11-26 | 1 | -1/+1
* getting the location of the server | dilpreet92 | 2014-11-26 | 1 | -2/+2
* When your templates change, browser caches bust automatically. | Jeremy Kemper | 2014-08-17 | 1 | -0/+1

    New default: the template digest is automatically included in your ETags. When you call `fresh_when @post`, the digest for `posts/show.html.erb` is mixed in so future changes to the HTML will blow HTTP caches for you. This makes it easy to HTTP-cache many more of your actions.

    If you render a different template, you can now pass the `:template` option to include its digest instead:

        fresh_when @post, template: 'widgets/show'

    Pass `template: false` to skip the lookup. To turn this off entirely, set:

        config.action_controller.etag_with_template_digest = false
* Update Docs in favor to use render plain instead of text option | robertomiranda | 2014-02-18 | 1 | -1/+1

    ref #14062
* Require action_view explicitly in AC::Base | Łukasz Strzałkowski | 2013-12-08 | 1 | -0/+1
* Retain ActionPack dependency on ActionView | Łukasz Strzałkowski | 2013-12-05 | 1 | -15/+3
* Use genderless pronouns in API docs | Guillermo Iguaran | 2013-12-01 | 1 | -1/+1
* calculate the ivars to remove in advance as a set and cache them in a | Aaron Patterson | 2013-11-06 | 1 | -3/+10

    constant. `view_assigns` can use the precalculated sets and remove instance variables without allocating any extra arrays
* Typo fix [ci skip] | Arun Agrawal | 2013-10-09 | 1 | -1/+1

    Fixing the typo which formed a not required link. Check here http://api.rubyonrails.org/classes/ActionController/Base.html under the parameters section. Keeping it under a tt tag gets reverted here: ec8ef1e1055c4e1598da13f49d30261f07f4a9b4
* [ci skip] escape unintended url in docs | Chris Ciollaro | 2013-09-26 | 1 | -1/+1
* Fixing comment typo in ActionController::Base | Attila Domokos | 2013-09-13 | 1 | -1/+1
* Remove BasicRendering and remove template functionality from AbsC::Rendering | José Valim | 2013-09-09 | 1 | -2/+1
* Move BasicRendering to AbstractController | Łukasz Strzałkowski | 2013-09-03 | 1 | -1/+1
* Revert "Port all remaining self.protected_instance_variables to class methods" | Łukasz Strzałkowski | 2013-09-02 | 1 | -6/+5

    This reverts commit 7de994fa215e9f4c2856d85034bc4dd7b65d0c01.
* Port all remaining self.protected_instance_variables to class methods | Łukasz Strzałkowski | 2013-08-29 | 1 | -5/+6
* First stab on basic rendering | Łukasz Strzałkowski | 2013-08-25 | 1 | -0/+1
* Do not include action_view/layouts | Łukasz Strzałkowski | 2013-08-25 | 1 | -1/+0

    We don't need them. They'll be loaded automatically if AV will be included
* Change documentation of metal anonymous class | Łukasz Strzałkowski | 2013-08-25 | 1 | -5/+10

    Make it clearer

    [ci skip]
* Load AV::Layouts dynamically via railties | Łukasz Strzałkowski | 2013-08-25 | 1 | -1/+0
* Code formatting & typo fixes | Łukasz Strzałkowski | 2013-08-25 | 1 | -1/+1
* Move anonymous class to the top, add documentation | Łukasz Strzałkowski | 2013-08-25 | 1 | -4/+9