From f66a977fc7ae30d2a07124ad91924c4ee638a703 Mon Sep 17 00:00:00 2001
From: Kasper Timm Hansen <kaspth@gmail.com>
Date: Tue, 8 Jan 2019 22:16:58 +0100
Subject: Revert "Merge pull request #34387 from
 yhirano55/rails_info_properties_json"

We had a discussion on the Core team and we don't want to expose this information
as a JSON endpoint and not by default.

It doesn't make sense to expose this JSON locally and this controller is only
accessible in dev, so the proposed access from a production app seems off.

This reverts commit 8eaffe7e89719ac62ff29c2e4208cfbeb1cd1c38, reversing
changes made to b6e4305c3bca4c673996d0af9db0f4cfbf50215e.
---
 actioncable/actioncable.gemspec                               |  3 ---
 actionmailer/actionmailer.gemspec                             |  3 ---
 actionpack/actionpack.gemspec                                 |  3 ---
 actionview/actionview.gemspec                                 |  3 ---
 activejob/activejob.gemspec                                   |  3 ---
 activemodel/activemodel.gemspec                               |  3 ---
 activerecord/activerecord.gemspec                             |  3 ---
 activestorage/activestorage.gemspec                           |  3 ---
 activesupport/activesupport.gemspec                           |  3 ---
 guides/source/security.md                                     |  5 -----
 .../config/initializers/content_security_policy.rb.tt         |  4 ----
 railties/railties.gemspec                                     |  3 ---
 railties/test/generators/app_generator_test.rb                | 11 -----------
 13 files changed, 50 deletions(-)

diff --git a/actioncable/actioncable.gemspec b/actioncable/actioncable.gemspec
index 29836f012f..c98ec9afc9 100644
--- a/actioncable/actioncable.gemspec
+++ b/actioncable/actioncable.gemspec
@@ -25,9 +25,6 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actioncable/CHANGELOG.md"
   }
 
-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
   s.add_dependency "actionpack", version
 
   s.add_dependency "nio4r",            "~> 2.0"
diff --git a/actionmailer/actionmailer.gemspec b/actionmailer/actionmailer.gemspec
index c76cb3ec72..4503a30cca 100644
--- a/actionmailer/actionmailer.gemspec
+++ b/actionmailer/actionmailer.gemspec
@@ -26,9 +26,6 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actionmailer/CHANGELOG.md"
   }
 
-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
   s.add_dependency "actionpack", version
   s.add_dependency "actionview", version
   s.add_dependency "activejob", version
diff --git a/actionpack/actionpack.gemspec b/actionpack/actionpack.gemspec
index c4c755b7ac..b3967f6ce4 100644
--- a/actionpack/actionpack.gemspec
+++ b/actionpack/actionpack.gemspec
@@ -26,9 +26,6 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actionpack/CHANGELOG.md"
   }
 
-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
   s.add_dependency "activesupport", version
 
   s.add_dependency "rack",      "~> 2.0"
diff --git a/actionview/actionview.gemspec b/actionview/actionview.gemspec
index d8bd233ceb..dfc0072469 100644
--- a/actionview/actionview.gemspec
+++ b/actionview/actionview.gemspec
@@ -26,9 +26,6 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actionview/CHANGELOG.md"
   }
 
-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
   s.add_dependency "activesupport", version
 
   s.add_dependency "builder",       "~> 3.1"
diff --git a/activejob/activejob.gemspec b/activejob/activejob.gemspec
index c3c0447d8e..40ca33dbfd 100644
--- a/activejob/activejob.gemspec
+++ b/activejob/activejob.gemspec
@@ -25,9 +25,6 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activejob/CHANGELOG.md"
   }
 
-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
   s.add_dependency "activesupport", version
   s.add_dependency "globalid", ">= 0.3.6"
 end
diff --git a/activemodel/activemodel.gemspec b/activemodel/activemodel.gemspec
index 4deb76814b..24e5e838dd 100644
--- a/activemodel/activemodel.gemspec
+++ b/activemodel/activemodel.gemspec
@@ -25,8 +25,5 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activemodel/CHANGELOG.md"
   }
 
-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
   s.add_dependency "activesupport", version
 end
diff --git a/activerecord/activerecord.gemspec b/activerecord/activerecord.gemspec
index 1e198c3a55..a8c2cc76a6 100644
--- a/activerecord/activerecord.gemspec
+++ b/activerecord/activerecord.gemspec
@@ -28,9 +28,6 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activerecord/CHANGELOG.md"
   }
 
-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
   s.add_dependency "activesupport", version
   s.add_dependency "activemodel",   version
 end
diff --git a/activestorage/activestorage.gemspec b/activestorage/activestorage.gemspec
index dfada7054a..244065837c 100644
--- a/activestorage/activestorage.gemspec
+++ b/activestorage/activestorage.gemspec
@@ -25,9 +25,6 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activestorage/CHANGELOG.md"
   }
 
-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
   s.add_dependency "actionpack", version
   s.add_dependency "activerecord", version
 
diff --git a/activesupport/activesupport.gemspec b/activesupport/activesupport.gemspec
index bdd7bc70a0..b5fa510bb3 100644
--- a/activesupport/activesupport.gemspec
+++ b/activesupport/activesupport.gemspec
@@ -27,9 +27,6 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activesupport/CHANGELOG.md"
   }
 
-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
   s.add_dependency "i18n",       ">= 0.7", "< 2"
   s.add_dependency "tzinfo",     "~> 1.1"
   s.add_dependency "minitest",   "~> 5.1"
diff --git a/guides/source/security.md b/guides/source/security.md
index dbec3cdd2d..bb996cc39c 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -1235,11 +1235,6 @@ version:
 Rails.application.credentials.some_api_key! # => raises KeyError: :some_api_key is blank
 ```
 
-Dependency Management and CVEs
-------------------------------
-
-We don’t bump dependencies just to encourage use of new versions, including for security issues. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies.
-
 Additional Resources
 --------------------
 
diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
index c517b0f96b..d3bcaa5ec8 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
@@ -11,10 +11,6 @@
 #   policy.object_src  :none
 #   policy.script_src  :self, :https
 #   policy.style_src   :self, :https
-<%- unless options[:skip_javascript] -%>
-#   # If you are using webpack-dev-server then specify webpack-dev-server host
-#   policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
-<%- end -%>
 
 #   # Specify URI for violation reports
 #   # policy.report_uri "/csp-violation-report-endpoint"
diff --git a/railties/railties.gemspec b/railties/railties.gemspec
index 1bfb0dfe48..e7de51f52a 100644
--- a/railties/railties.gemspec
+++ b/railties/railties.gemspec
@@ -30,9 +30,6 @@ Gem::Specification.new do |s|
     "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/railties/CHANGELOG.md"
   }
 
-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
   s.add_dependency "activesupport", version
   s.add_dependency "actionpack",    version
 
diff --git a/railties/test/generators/app_generator_test.rb b/railties/test/generators/app_generator_test.rb
index 47e401c34f..a421ac326d 100644
--- a/railties/test/generators/app_generator_test.rb
+++ b/railties/test/generators/app_generator_test.rb
@@ -230,14 +230,6 @@ class AppGeneratorTest < Rails::Generators::TestCase
     assert_equal "false\n", output
   end
 
-  def test_csp_initializer_include_connect_src_example
-    run_generator
-
-    assert_file "config/initializers/content_security_policy.rb" do |content|
-      assert_match(/#   policy\.connect_src/, content)
-    end
-  end
-
   def test_app_update_keep_the_cookie_serializer_if_it_is_already_configured
     app_root = File.join(destination_root, "myapp")
     run_generator [app_root]
@@ -845,9 +837,6 @@ class AppGeneratorTest < Rails::Generators::TestCase
     end
 
     assert_no_gem "webpacker"
-    assert_file "config/initializers/content_security_policy.rb" do |content|
-      assert_no_match(/policy\.connect_src/, content)
-    end
   end
 
   def test_webpack_option_with_js_framework
-- 
cgit v1.2.3