| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
| |
This was causing bug #22738 to occur. Also added extra tests to make
sure everything is A-OK.
|
|
|
|
| |
Still more to do. Please assist!
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a new method to request and response so we don't need to
violate the law of demeter.
We are changing `Request` and `Response` so that they always have a
`cookie_jar`
This is a continuation on work to combine integration and controller
test code bases in Rails.
|
|\
| |
| | |
Add text template for source code
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When a request is made with AJAX and an error occurs, Rails will render
a text-template for the exception instead of the HTML error page
(#11960).
The `.text.erb` variant of the `_source` template is currently missing,
causing HTML to be rendered in the response. This commit adds the text
template.
To keep the page scannable we only only show the first three source
extracts.
Related to #14745.
Before:
```
~/testing-exceptions ᐅ curl 'http://localhost:3000/' -H
'X-Requested-With: XMLHttpRequest'
RuntimeError in PostsController#index
<div class="source " id="frame-source-0">
<div class="info">
Extracted source (around line <strong>#3</strong>):
</div>
<div class="data">
<table cellpadding="0" cellspacing="0" class="lines">
<tr>
```
After:
```
~/testing-exceptions ᐅ curl 'http://localhost:3000/' -H
'X-Requested-With: XMLHttpRequest'
RuntimeError in PostsController#index
Extracted source (around line #3):
*3 raise
```
|
| | |
|
| | |
|
|\ \
| | |
| | | |
remove unnecessary @compiled_root from static.rb
|
| |/ |
|
|/
|
|
|
|
|
| |
Closes #21230 by following the indication of @rafaelfranca:
> I think the output change would be simpler.
> What is really important to show is the class of the middleware, so we should change the output to show that.
|
| |
|
|
|
|
|
| |
When `require 'active_support/rails'`, 'active_support/deprecation'
is automatically loaded.
|
|\
| |
| |
| | |
Add basic support for access control headers to ActionDispatch::Static
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Now ActionDispatch::Static can accept HTTP headers so that developers
will have control of returning arbitrary headers like
'Access-Control-Allow-Origin' when a response is delivered. They can
be configured through `#config.public_file_server.headers`:
config.public_file_server.headers = {
"Cache-Control" => "public, max-age=60",
"Access-Control-Allow-Origin" => "http://rubyonrails.org"
}
Also deprecate `config.static_cache_control` in favor of
`config.public_file_server.headers`.
|
| |
| |
| |
| | |
header.
|
| | |
|
| |
| |
| |
| |
| |
| | |
We only want to activate flash when the user has enabled it. Api
servers don't use flash, so add an empty implementation to the base
Request object.
|
| |
| |
| |
| |
| | |
Committing the flash needs to happen in order for the session to be
written correctly, so lets guarantee that it actually does happen.
|
| |
| |
| |
| |
| | |
I'm doing this so that we can commit the flash to the session object Out
of Band of the flash middleware
|
| |
| |
| |
| |
| | |
Use the Rack utility methods for functional header manipulation. This
helps to eliminate coupling on the header hash
|
| |
| |
| |
| |
| | |
The flash middleware shouldn't know how to look up the session object.
Just ask the request for that information.
|
| | |
|
| |
| |
| |
| |
| |
| | |
we don't actually need a param parser middleware instance since the
request object will take care of parsing parameters for us. For now,
we'll just configure the parameter parsers on the request in this class.
|
| |
| |
| |
| |
| |
| |
| |
| | |
The middleware stack is a singleton in the application (one instance is
shared for the entire application) which means that there was only one
opportunity to set the parameter parsers. Since there is only one set
of parameter parsers in an app, lets just configure them on the request
class (since that is where they are used).
|
| |
| |
| |
| |
| | |
Parameters will not be parsed until they are specifically requested via
the `request_parameters` method.
|
| |
| |
| |
| |
| | |
`normalize_encode_params` is common to all parser code paths, so we can
pull that up and always apply it before assigning the request parameters
|
| |
| |
| |
| |
| | |
All parameter parsing should be on the request object because the
request object is the object that we ask for parameters.
|
| | |
|
| |
| |
| |
| |
| | |
`Rack::Session::Abstract::ID` is now deprecated and
`Rack::Session::Abstract::Persisted` should be used instead.
|
| |
| |
| |
| | |
It's only used there.
|
| |
| |
| |
| |
| | |
`CookieJar` is only at the start of the chain and has its own
request method, so we don't need it in the module.
|
| |
| |
| |
| | |
It was the same in both legacy versions of the signed and encrypted cookie jars.
|
| |
| |
| |
| | |
The `EncryptedCookieJar` already calls it for us, so just delegate to its `parse` implementation.
|
| |
| |
| |
| |
| | |
`SignedCookieJar`'s parse method already attempts to verify the message,
so we can just call super and try the old verifier if it fails.
|
| |
| |
| |
| | |
Cuts down on the duplicated reading parts.
|
| |
| |
| |
| | |
Gets rid of the option parsing and makes what the encryptor does stand out.
|
| |
| |
| |
| | |
Lets us avoid worrying about parsing the options and doing just what we need.
|
| |
| |
| |
| | |
Remove the clutter to make PermanentCookieJar's one change stand out.
|
| |
| |
| |
| | |
Eventually this will be the superclass of all the chained jars.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
SSL redirect:
* Move `:host` and `:port` options within `redirect: { … }`. Deprecate.
* Introduce `:status` and `:body` to customize the redirect response.
The 301 permanent default makes it difficult to test the redirect and
back out of it since browsers remember the 301. Test with a 302 or 307
instead, then switch to 301 once you're confident that all is well.
HTTP Strict Transport Security (HSTS):
* Shorter max-age. Shorten the default max-age from 1 year to 180 days,
the low end for https://www.ssllabs.com/ssltest/ grading and greater
than the 18-week minimum to qualify for browser preload lists.
* Disabling HSTS. Setting `hsts: false` now sets `hsts: { expires: 0 }`
instead of omitting the header. Omitting does nothing to disable HSTS
since browsers hang on to your previous settings until they expire.
Sending `{ hsts: { expires: 0 }}` flushes out old browser settings and
actually disables HSTS:
http://tools.ietf.org/html/rfc6797#section-6.1.1
* HSTS Preload. Introduce `preload: true` to set the `preload` flag,
indicating that your site may be included in browser preload lists,
including Chrome, Firefox, Safari, IE11, and Edge. Submit your site:
https://hstspreload.appspot.com
|
| |
| |
| |
| | |
converts old ID methods to the new abstract store methods in Rack
|