path: root/railties/lib/rails/generators
Commit message (Author, Age, Files, Lines)
* Use reserved domain for example configuration (Jacob Bednarz, 2019-07-15, 1 file, -1/+1)
|
|   Updates the generator output to use a reserved domain[1] instead of a potentially real world domain.
|
|   [1]: https://tools.ietf.org/html/rfc2606#section-3
|
* Adds support for configuring HTTP Feature Policy (#33439) (Jacob Bednarz, 2019-07-10, 1 file, -0/+11)
|
|   An HTTP feature policy is Yet Another HTTP header for instructing the browser about which features the application intends to make use of and to lock down access to others. This is a new security mechanism that ensures that should an application become compromised or a third party attempts an unexpected action, the browser will override it and maintain the intended UX.
|
|   WICG specification: https://wicg.github.io/feature-policy/
|
|   The end result is an HTTP header that looks like the following:
|
|   ```
|   Feature-Policy: geolocation 'none'; autoplay https://example.com
|   ```
|
|   This will prevent the browser from using geolocation and only allow autoplay on `https://example.com`. Full feature list can be found over in the WICG repository[1].
|
|   As of today Chrome and Safari have public support[2] for this functionality with Firefox working on support[3] and Edge still pending acceptance of the suggestion[4].
|
|   #### Examples
|
|   Using an initializer
|
|   ```rb
|   # config/initializers/feature_policy.rb
|   Rails.application.config.feature_policy do |f|
|     f.geolocation :none
|     f.camera      :none
|     f.payment     "https://secure.example.com"
|     f.fullscreen  :self
|   end
|   ```
|
|   In a controller
|
|   ```rb
|   class SampleController < ApplicationController
|     def index
|       feature_policy do |f|
|         f.geolocation "https://example.com"
|       end
|     end
|   end
|   ```
|
|   Some of you might realise that the HTTP feature policy looks pretty close to that of a Content Security Policy; and you're right. So much so that I used the Content Security Policy DSL from #31162 as the starting point for this change.
|
|   This change *doesn't* introduce support for defining a feature policy on an iframe and this has been intentionally done to split the HTTP header and the HTML element (`iframe`) support. If this is successful, I'll look to add that on its own.
|
|   Full documentation on HTTP feature policies can be found at https://wicg.github.io/feature-policy/. Google have also published[5] a great in-depth write up of this functionality.
|
|   [1]: https://github.com/WICG/feature-policy/blob/master/features.md
|   [2]: https://www.chromestatus.com/feature/5694225681219584
|   [3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1390801
|   [4]: https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/33507907-support-feature-policy
|   [5]: https://developers.google.com/web/updates/2018/06/feature-policy
|
* Merge pull request #36534 from y-yagi/fixes_35137 (Yuji Yaginuma, 2019-07-03, 1 file, -0/+3)
|\
| |   Add the ability to set the CSP nonce only to the specified directives
| |
| * Add the ability to set the CSP nonce only to the specified directives (yuuji.yaginuma, 2019-06-22, 1 file, -0/+3)
| |
| |   I changed to set CSP nonce to `style-src` directive in #32932. But this causes an issue when `unsafe-inline` is specified to `style-src` (If a nonce is present, a nonce takes precedence over `unsafe-inline`).
| |
| |   So, I made the nonce directives configurable. By configuring this, users can make CSP as before.
| |
| |   Fixes #35137.
| |
* | Replace the www.robotstxt.org URL with https one [ci skip] (Tatsuya Hoshino, 2019-06-25, 1 file, -1/+1)
|/
|   The robots.txt site is moved permanently to https URL.
|
* Make `ActionDispatch::Response#content_type` behavior configurable (yuuji.yaginuma, 2019-06-21, 1 file, -0/+3)
|
|   I changed return value of `ActionDispatch::Response#content_type` in #36034. But this change seems to be an obstacle to upgrading.
|   https://github.com/rails/rails/pull/36034#issuecomment-498795893
|
|   Therefore, I restored the behavior of `ActionDispatch::Response#content_type` to 5.2 and deprecated old behavior. Also, made it possible to control the behavior with the config.
|
* Enable `Layout/EmptyLinesAroundAccessModifier` cop (Ryuta Kamizono, 2019-06-13, 17 files, -18/+0)
|
|   We sometimes say "✂️ newline after `private`" in a code review (e.g. https://github.com/rails/rails/pull/18546#discussion_r23188776, https://github.com/rails/rails/pull/34832#discussion_r244847195).
|
|   Now `Layout/EmptyLinesAroundAccessModifier` cop has a new enforced style `EnforcedStyle: only_before` (https://github.com/rubocop-hq/rubocop/pull/7059).
|
|   That cop and enforced style will reduce our code review cost.
|
* Remove redundant blank line at the bottom of the generated controller test (yuuji.yaginuma, 2019-06-07, 1 file, -1/+1)
|
* Fix rubocop violation (yuuji.yaginuma, 2019-06-05, 1 file, -2/+1)
|
* Bring `after_bundle` back to API document [ci skip] (yuuji.yaginuma, 2019-05-29, 1 file, -1/+6)
|
|   At class level `:nodoc:` all elements are prevented. Instead, use `:stopdoc:` / `:startdoc:` to make `after_bundle` appear.
|
* Skip needless spaces from generated app layout. (Kasper Timm Hansen, 2019-05-26, 1 file, -1/+1)
|
* Bump Gemfile entry jbuilder version (Anton Rieder, 2019-05-23, 1 file, -1/+1)
|
|   jbuilder 2.6.4 is the first version that relaxes the version constraint to allow Rails 6. I also did some more tests in #25183, although not with 2.6.4 explicitly. To simplify the version requirement, I went for 2.7.
|
|   https://github.com/rails/jbuilder/blob/v2.6.4/jbuilder.gemspec
|   https://github.com/rails/rails/issues/25183#issuecomment-494342406
|
* Update the sqlite db yaml template to match others and mention proper supported version (Vipul A M, 2019-05-12, 2 files, -2/+2)
|
* Use a better requirement for sass-rails 6 prereleases (David Rodríguez, 2019-05-09, 1 file, -1/+1)
|
|   This is the behavior I naively expect for the operator when used with a single digit, but it's definitely an edge case for it, and it doesn't seem to work as expected for including prereleases.
|
|   Using >= works fine and makes the intention more clear anyways.
|
* Make generated test work even when using virtual attributes (yuuji.yaginuma, 2019-05-05, 4 files, -7/+17)
|
|   The virtual attributes (`attachment` and `rich_text`) can't set value with `fill_in`. So avoid using it. Once #35885 is merged, will be modified to use it.
|
|   Also, add checking attachment attached or not for avoiding `DelegationError` when attachment didn't attach.
|
* Bump bootsnap to a version with disables iseq_cache for Ruby 2.5 (Prathamesh Sonpatki, 2019-04-26, 1 file, -1/+1)
|
|   - Refs https://github.com/Shopify/bootsnap/pull/257
|
* Merge pull request #36067 from st0012/update-generator-for-api-app (Rafael França, 2019-04-23, 2 files, -0/+4)
|\
| |   Remove action_controller.perform_caching from api app's configs
| |
| * Remove action_controller.perform_caching from api app's configs (st0012, 2019-04-24, 2 files, -0/+4)
| |
| |   As suggested in https://github.com/rails/rails/issues/35602#issuecomment-485833483, because we don't provide view caching and don't include `ActionController::Caching` for api apps, we should also avoid generating
| |
| |   ```ruby
| |   config.action_controller.perform_caching = true
| |   ```
| |
| |   for those api apps. So it won't confuse people.
| |
| |   **But because `perform_caching` will be `true` if not set, the behavior of the app would still be the same without these configs.**
| |
* | Merge pull request #35852 from larouxn/resurrection (Rafael França, 2019-04-23, 1 file, -0/+7)
|\ \
| |/
|/|
| |   Resurrect external JS/CS generation
| |
| * Burn unnecessary files 🔥 (Nicholas La Roux, 2019-04-05, 3 files, -19/+0)
| |
| * Style fixes (Nicholas La Roux, 2019-04-05, 1 file, -3/+3)
| |
| * Resurrect generator templates (Nicholas La Roux, 2019-04-05, 2 files, -0/+4)
| |
| * Resurrect js/js engine options and generators (Nicholas La Roux, 2019-04-05, 2 files, -0/+22)
| |
* | Allow sass-rails greater than 5.x in new apps (Guillermo Iguaran, 2019-04-22, 1 file, -1/+1)
| |
* | Add `null: false` constraint by default for `belongs_to` associations (Prathamesh Sonpatki, 2019-04-19, 1 file, -2/+8)
| |
| |   - Also deprecate passing {required} to the model generator.
| |   - Also made sure the global config `belongs_to_required_by_default` is applied correctly to the model generator for `null: false` option.
| |
* | Factorize bin/update in bin/setup, and make bin/setup idempotent (David Stosik, 2019-04-17, 2 files, -35/+3)
| |
| |   `bin/setup` and `bin/update` are currently almost the same file. The only thing that keeps them apart is that one is running `bin/rails db:setup` and the other `bin/rails db:migrate`.
| |
| |   I'm suggesting here that they should be a unique script, which needs to be idempotent.
| |
| |   - New to a project, need to get started? `bin/setup`
| |   - Need to install new dependencies that were added recently? `bin/setup`.
| |
| |   Before deprecating `bin/update`, I'm suggesting we just have it call `bin/setup`.
| |
* | generate config.cache_classes = false if Spring (Xavier Noria, 2019-04-14, 1 file, -5/+10)
| |
* | Delete not user method for plugin_generator (soartec-lab, 2019-04-09, 1 file, -15/+0)
|/
* Use `execute_batch2` rather than `execute_batch` to fix performance regression for fixture loading (Ryuta Kamizono, 2019-04-04, 1 file, -1/+1)
|
|   d8d6bd5 makes fixture loading to bulk statements by using `execute_batch` for sqlite3 adapter. But `execute_batch` is slower and it caused the performance regression for fixture loading.
|
|   In sqlite3 1.4.0, it has a new batch method `execute_batch2`. I've confirmed `execute_batch2` is extremely faster than `execute_batch`. So I think it is worth to upgrade sqlite3 to 1.4.0 to use that method.
|
|   Before:
|
|   ```
|   % ARCONN=sqlite3 bundle exec ruby -w -Itest test/cases/associations/eager_test.rb -n test_eager_loading_too_may_ids
|   Using sqlite3
|   Run options: -n test_eager_loading_too_may_ids --seed 35790
|
|   # Running:
|
|   .
|
|   Finished in 202.437406s, 0.0049 runs/s, 0.0049 assertions/s.
|   1 runs, 1 assertions, 0 failures, 0 errors, 0 skips
|   ARCONN=sqlite3 bundle exec ruby -w -Itest -n test_eager_loading_too_may_ids 142.57s user 60.83s system 98% cpu 3:27.08 total
|   ```
|
|   After:
|
|   ```
|   % ARCONN=sqlite3 bundle exec ruby -w -Itest test/cases/associations/eager_test.rb -n test_eager_loading_too_may_ids
|   Using sqlite3
|   Run options: -n test_eager_loading_too_may_ids --seed 16649
|
|   # Running:
|
|   .
|
|   Finished in 8.471032s, 0.1180 runs/s, 0.1180 assertions/s.
|   1 runs, 1 assertions, 0 failures, 0 errors, 0 skips
|   ARCONN=sqlite3 bundle exec ruby -w -Itest -n test_eager_loading_too_may_ids 10.71s user 1.36s system 95% cpu 12.672 total
|   ```
|
* Don't normalize `original_app_name` (Ryuta Kamizono, 2019-04-03, 1 file, -2/+2)
|
|   `original_app_name` is used to show error message if giving app name is invalid, it should be shown raw app name.
|
* Merge pull request #35805 from excid3/attachments-field-generators (Rafael França, 2019-04-02, 7 files, -20/+51)
|\
| |   Add attachment and attachments field generators
| |
| * Add attachment and attachments field generators (Chris Oliver, 2019-03-30, 7 files, -20/+51)
| |
* | Include final newline in generated .ruby-version (Orhan Toy, 2019-04-01, 1 file, -1/+1)
|/
* Add rich_text field to model generators (Chris Oliver, 2019-03-28, 2 files, -10/+19)
|
* bumps Zeitwerk and Bootsnap (Xavier Noria, 2019-03-26, 1 file, -1/+1)
|
* Use webdrivers instead of chromedriver-helper in new apps (Guillermo Iguaran, 2019-03-24, 1 file, -2/+2)
|
* Indentation >> (Akira Matsuda, 2019-03-13, 1 file, -3/+3)
|
* Fix links in gemspec and docs from http to https. (Abhay Nikam, 2019-03-09, 1 file, -1/+1)
|
* Don't lock the webpacker gem by its patch version (Sharang Dashputre, 2019-03-09, 1 file, -1/+1)
|
* Use the latest stable release of webpacker (Sharang Dashputre, 2019-03-09, 1 file, -1/+1)
|
* Add version awareness to rails db:system:change (Gannon McGibbon, 2019-03-08, 1 file, -2/+12)
|
* Correctly escape ERB tag (yuuji.yaginuma, 2019-03-04, 1 file, -1/+1)
|
|   Ref: https://travis-ci.org/rails/rails/jobs/501220262#L1194
|
* Add an example about how to load images under app/javascript/images (Guillermo Iguaran, 2019-03-03, 1 file, -0/+8)
|
|   Similarly to https://github.com/rails/webpacker/pull/1976
|
* Depend on bootsnap 1.4.1 (Rafael Mendonça França, 2019-02-25, 1 file, -1/+1)
|
|   This is needed to fix #35278.
|
* Let Zeitwerk be a dependency of Active Support (Xavier Noria, 2019-02-13, 1 file, -3/+1)
|
|   Zeitwerk is a strong dependency, planned to replace AS::Dependencies. A line in the generated Gemfile does not convey this as much.
|
* Zeitwerk integration (Xavier Noria, 2019-02-12, 1 file, -2/+4)
|
* Rename database_operations config to *_context (John Hawthorn, 2019-02-07, 1 file, -4/+5)
|
* Remove finalizer and configuration (Aaron Patterson, 2019-02-06, 1 file, -3/+0)
|
* Set sqlite3 gem version explicitly in generated Gemfile (Sergey Ponomarev, 2019-02-05, 1 file, -0/+1)
|
* Enable `Lint/ErbNewArguments` cop to avoid the deprecated arguments warning (Ryuta Kamizono, 2019-02-01, 1 file, -2/+1)
|
|   Related 5754a29a974d31cab2b4392716b9825a3d910a69.
|
|   And follows Ruby standard library style https://github.com/ruby/ruby/commit/3406c5d.