| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
|
| |
|
|
|
|
|
|
|
|
| |
- For old apps which are not setting any value for hsts[:subdomains],
a deprecation warning will be shown saying that hsts[:subdomains] will
be turned on by default in Rails 5.1. Currently it will be set to
false for backward compatibility.
- Adjusted tests to reflect this change.
|
|
|
|
|
|
|
|
| |
1) Because if you forget to add Secure; to the session cookie, it will leak to http:// subdomain in some cases
2) Because http:// subdomain can Cookie Bomb/cookie force main domain or be used for phishing.
That's why *by default* it must include subdomains as it's much more common scenario. Very few websites *intend* to leave their blog.app.com working over http:// while having everything else encrypted.
Yes, many developers forget to add subdomains=true by default, believe me :)
|
|
|
|
|
| |
This will keep our current API working without having the users to
change their codebases.
|
|
|
|
| |
This change was added in #23203 and it was not conforming our code style.
|
|\
| |
| | |
WIP: Errors in logs should show log tags as well.
|
| |
| |
| |
| |
| |
| |
| | |
- Changed formatted_code_for to return array of logs to be tagged for each line
- Changed some render tests to match new behaviour of return
Fixes #22979
|
| |
| |
| |
| |
| |
| |
| | |
Multiple cookie values should be separated by '; ' according
to RFC 6265, section 5.4.4[1].
[1]: https://tools.ietf.org/html/rfc6265#section-5.4
|
| | |
|
|\ \
| | |
| | |
| | | |
into ma2gedev-should-escape-cookie
|
| | |
| | |
| | |
| | |
| | | |
Get an incorrect cookie value in controller action method
if cookie value contains an escapable string.
|
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| | |
gzipped version exists or not. This is helpful for CDN's to later distinguish assets, based on previous, current copies and introduced gzip version if any."
This reverts commit 067c52f608568e35181830a5c1016e382650e655.
Conversation: https://github.com/rails/rails/pull/23120#issuecomment-173007011
|
| |
| |
| |
| |
| |
| |
| |
| | |
version exists or not. This is helpful for CDN's to later distinguish assets, based on previous, current copies and introduced gzip version if any.
For ref: https://www.fastly.com/blog/best-practices-for-using-the-vary-header
This change sets `Vary` header always, to be on safer side
|
| |
| |
| |
| |
| |
| | |
File paths cannot contain null byte characters and methods that do path
operations such as Rack::Utils#clean_path_info will raise unwanted
errors.
|
|/ |
|
| |
|
|
|
|
|
| |
This was causing bug #22738 to occur. Also added extra tests to make
sure everything is A-OK.
|
|
|
|
| |
Still more to do. Please assist!
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a new method to request and response so we don't need to
violate the law of demeter.
We are changing `Request` and `Response` so that they always have a
`cookie_jar`
This is a continuation on work to combine integration and controller
test code bases in Rails.
|
|\
| |
| | |
Add text template for source code
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When a request is made with AJAX and an error occurs, Rails will render
a text-template for the exception instead of the HTML error page
(#11960).
The `.text.erb` variant of the `_source` template is currently missing,
causing HTML to be rendered in the response. This commit adds the text
template.
To keep the page scannable we only only show the first three source
extracts.
Related to #14745.
Before:
```
~/testing-exceptions ᐅ curl 'http://localhost:3000/' -H
'X-Requested-With: XMLHttpRequest'
RuntimeError in PostsController#index
<div class="source " id="frame-source-0">
<div class="info">
Extracted source (around line <strong>#3</strong>):
</div>
<div class="data">
<table cellpadding="0" cellspacing="0" class="lines">
<tr>
```
After:
```
~/testing-exceptions ᐅ curl 'http://localhost:3000/' -H
'X-Requested-With: XMLHttpRequest'
RuntimeError in PostsController#index
Extracted source (around line #3):
*3 raise
```
|
| | |
|
| | |
|
|\ \
| | |
| | | |
remove unnecessary @compiled_root from static.rb
|
| |/ |
|
|/
|
|
|
|
|
| |
Closes #21230 by following the indication of @rafaelfranca:
> I think the output change would be simpler.
> What is really important to show is the class of the middleware, so we should change the output to show that.
|
| |
|
|
|
|
|
| |
When `require 'active_support/rails'`, 'active_support/deprecation'
is automatically loaded.
|
|\
| |
| |
| | |
Add basic support for access control headers to ActionDispatch::Static
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Now ActionDispatch::Static can accept HTTP headers so that developers
will have control of returning arbitrary headers like
'Access-Control-Allow-Origin' when a response is delivered. They can
be configured through `#config.public_file_server.headers`:
config.public_file_server.headers = {
"Cache-Control" => "public, max-age=60",
"Access-Control-Allow-Origin" => "http://rubyonrails.org"
}
Also deprecate `config.static_cache_control` in favor of
`config.public_file_server.headers`.
|
| |
| |
| |
| | |
header.
|
| | |
|
| |
| |
| |
| |
| |
| | |
We only want to activate flash when the user has enabled it. Api
servers don't use flash, so add an empty implementation to the base
Request object.
|
| |
| |
| |
| |
| | |
Committing the flash needs to happen in order for the session to be
written correctly, so lets guarantee that it actually does happen.
|
| |
| |
| |
| |
| | |
I'm doing this so that we can commit the flash to the session object Out
of Band of the flash middleware
|
| |
| |
| |
| |
| | |
Use the Rack utility methods for functional header manipulation. This
helps to eliminate coupling on the header hash
|
| |
| |
| |
| |
| | |
The flash middleware shouldn't know how to look up the session object.
Just ask the request for that information.
|
| | |
|
| |
| |
| |
| |
| |
| | |
we don't actually need a param parser middleware instance since the
request object will take care of parsing parameters for us. For now,
we'll just configure the parameter parsers on the request in this class.
|
| |
| |
| |
| |
| |
| |
| |
| | |
The middleware stack is a singleton in the application (one instance is
shared for the entire application) which means that there was only one
opportunity to set the parameter parsers. Since there is only one set
of parameter parsers in an app, lets just configure them on the request
class (since that is where they are used).
|