| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
| |
this commit removes some direct access to `env`.
|
| |
|
| |
|
|
|
|
|
| |
`Rack::Session::Abstract::ID` is now deprecated and
`Rack::Session::Abstract::Persisted` should be used instead.
|
| |
|
|
|
|
|
| |
This method is specifically about the content type so lets remove the
parameter.
|
|
|
|
|
| |
create a singleton content type that just has nils, so that we don't
have to allocate a content type object all the time.
|
|
|
|
|
|
|
| |
If someone sets just a charset, but depends on the implicit type from
rendering, this will store a strange content type header that looks like
this: `; charset=blah`. This is so that when the content type header
is parsed again, it will return nil for the actual type.
|
|
|
|
|
| |
It turns out that the response object never really cares what the mime
type object is, so just use the string.
|
|
|
|
| |
pull content-type setting to a private method to dry it up.
|
|
|
|
|
| |
Instead of storing content type information in an ivar and a header,
lets move to just store the content type info in just the header.
|
|
|
|
| |
we'll use this method later to lazily parse content type headers.
|
|
|
|
| |
It's only used there.
|
|
|
|
|
| |
`CookieJar` is only at the start of the chain and has its own
request method, so we don't need it in the module.
|
|
|
|
| |
It was the same in both legacy versions of the signed and encrypted cookie jars.
|
|
|
|
| |
The `EncryptedCookieJar` already calls it for us, so just delegate to its `parse` implementation.
|
|
|
|
|
| |
`SignedCookieJar`'s parse method already attempts to verify the message,
so we can just call super and try the old verifier if it fails.
|
|
|
|
| |
Cuts down on the duplicated reading parts.
|
|
|
|
| |
Gets rid of the option parsing and makes what the encryptor does stand out.
|
|
|
|
| |
Lets us avoid worrying about parsing the options and doing just what we need.
|
|
|
|
| |
Remove the clutter to make PermanentCookieJar's one change stand out.
|
|
|
|
| |
Eventually this will be the superclass of all the chained jars.
|
|\
| |
| |
| |
| |
| | |
bernerdschaefer/bs-polymorphic-url_for-dups-arguments
`url_for` does not modify polymorphic options
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The `url_for` methods in `actionpack` and `actionview`
now make a copy of the provided options
before generating polymorphic paths or URLs.
The bug in the previous behavior
is most noticeable in a case like:
url_options = [:new, :post, param: 'value']
if current_page?(url_options)
css_class = "active"
end
link_to "New Post", url_options, class: css_class
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
SSL redirect:
* Move `:host` and `:port` options within `redirect: { … }`. Deprecate.
* Introduce `:status` and `:body` to customize the redirect response.
The 301 permanent default makes it difficult to test the redirect and
back out of it since browsers remember the 301. Test with a 302 or 307
instead, then switch to 301 once you're confident that all is well.
HTTP Strict Transport Security (HSTS):
* Shorter max-age. Shorten the default max-age from 1 year to 180 days,
the low end for https://www.ssllabs.com/ssltest/ grading and greater
than the 18-week minimum to qualify for browser preload lists.
* Disabling HSTS. Setting `hsts: false` now sets `hsts: { expires: 0 }`
instead of omitting the header. Omitting does nothing to disable HSTS
since browsers hang on to your previous settings until they expire.
Sending `{ hsts: { expires: 0 }}` flushes out old browser settings and
actually disables HSTS:
http://tools.ietf.org/html/rfc6797#section-6.1.1
* HSTS Preload. Introduce `preload: true` to set the `preload` flag,
indicating that your site may be included in browser preload lists,
including Chrome, Firefox, Safari, IE11, and Edge. Submit your site:
https://hstspreload.appspot.com
|
| |
| |
| |
| | |
converts old ID methods to the new abstract store methods in Rack
|
| | |
|
| |
| |
| |
| |
| |
| | |
Just include the modules necessary in the Request object to implement
the things we need. This should make it easier to build delegate
request objects because the API is smaller
|
|/
|
|
|
|
| |
Escaping and unescaping paths is different than query parameters, and we
need to respect that. This commit uses the new method in Rack to escape
and unescape paths. Fixes #11816
|
|\
| |
| | |
[ci skip] Added localhost IPv6
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Commit bff61ba, while reducing allocations, caused a regression when an empty
format is passed to a route.
This can happen in cases where you're using an anchor tag, for example:
`https://example.com/parent/575256966.#child_1032289285`.
Because of this change `format` was getting sent in
`parameterized_parts` when previously it was not included. This resulted
in blank `format`'s being returned as `.` when if there was an extension
included it would be `.extension`. Since there was no extension this
caused incorrect URL's.
The test shows this would result in `/posts/show/1.` instead of
`/posts/show/1` which causes bad urls since the format is not present.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With changes made in 8363b8 and ae29142 cookies that are mutated on the
request like `cookies.signed = x` were not retained in subsequent tests,
breaking cookie authentiation in controller tests.
The test added demonstrates the issue.
The reason we need to select from non-deleted cookies is because without
checking the `@delete_cookies` the `cookie_jar` `@cookies` will send the
wrong cookies to be updated. The code must check for `@deleted_cookies`
before sending an `#update` with the requests cookie_jar cookies.
This follows how the cookie_jar cookies from the request were updated
before these changes.
|
|\ \
| | |
| | | |
Fix broken IPv6 addresses handling
|
| | | |
|
| | | |
|
|\ \ \
| | | |
| | | | |
Code cleanup
|
| | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | | |
Cleanup for `ActionDispatch::Http::Parameters` - no need for required libraries
and remove not used private method.
Apparently this method was used in `ActionDispatch::Http::Request` - fixed
by calling `Request::Utils` explicitly (as was done in other parts of the codebase)
|
| | |
| | |
| | |
| | |
| | | |
eventually we'll remove this instance variable, but this is the first
step
|
| | |
| | |
| | |
| | |
| | | |
we're storing the value in the headers hash, so lets just store the
value in one place.
|
| | |
| | |
| | |
| | |
| | | |
Modules should be using the API that the abstract modules use so that we
can move these modules between implementations
|
| | |
| | |
| | |
| | |
| | | |
cookies are always stored as a string in the header hash, so it will not
need to be joined.
|
| | | |
|
|/ /
| |
| |
| | |
eventually we will refactor this to not know about header hashes
|
| |
| |
| |
| |
| | |
Rack::Response::Helpers implements this method, so we can safely remove
it
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Controllers should always have a request and response when responding.
Since we make this The Rule(tm), then controllers don't need to be
somewhere in limbo between "asking a response object for a rack
response" or "I, myself contain a rack response". This duality leads to
conditionals spread through the codebase that we can delete:
* https://github.com/rails/rails/blob/85a78d9358aa728298cd020cdc842b55c16f9549/actionpack/lib/action_controller/metal.rb#L221-L223
|
| |
| |
| |
| | |
This saves a lambda and request allocation on each request.
|
| |
| |
| |
| |
| | |
controllers should always go through the `action` class method so that
their middleware is respected.
|