From b50e88ebdf375cf81ad63586ce4599979262f975 Mon Sep 17 00:00:00 2001 From: yui-knk Date: Sat, 28 Nov 2015 16:32:24 +0900 Subject: Make `assert_recognizes` to traverse mounted engines Before this commit paths of mounted engines are not traversed when `assert_recognizes` is called, causing strange test results. This commit enable to traverse mounted paths. --- actionpack/CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 370e3a1958..7eb56e596e 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,7 @@ +* Make `assert_recognizes` to traverse mounted engines + + *Yuichiro Kaneko* + * Add extension synonyms `yml` and `yaml` for MIME type `application/x-yaml`. *bogdanvlviv* -- cgit v1.2.3 From ba04b580c6e56e366b1b8e4ef003e9a0c1c419bb Mon Sep 17 00:00:00 2001 From: Thomas Walpole Date: Sun, 17 Sep 2017 15:04:20 -0700 Subject: Use the default Capybara registered puma server configuration --- actionpack/CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 932968fa35..a53d8efee1 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,10 @@ +* Use Capybara registered `:puma` server config. + + The Capybara registered `:puma` server ensures the puma server is run in process so + connection sharing and open request detection work correctly by default. + + *Thomas Walpole* + * Cookies `:expires` option supports `ActiveSupport::Duration` object. cookies[:user_name] = { value: "assain", expires: 1.hour } -- cgit v1.2.3 From 8b0af54bbe5ab8b598e980013dd53a50d819b636 Mon Sep 17 00:00:00 2001 
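Review bot: the new entry "* Make `assert_recognizes` to traverse mounted engines" is missing the trailing period that the neighbouring entry ("* Add extension synonyms `yml` and `yaml` for MIME type `application/x-yaml`.") uses, and "Make X to traverse" is ungrammatical; suggest "* Make `assert_recognizes` traverse mounted engines." and, since the commit message says the old behaviour produced "strange test results", a one-line body stating that routes inside mounted engines are now matched by the assertion.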
From: Michael Coyne Date: Sat, 23 Sep 2017 17:18:01 -0400 Subject: Add key rotation cookies middleware Using the action_dispatch.cookies_rotations interface, key rotation is now possible with cookies. Thus the secret_key_base as well as salts, ciphers, and digests, can be rotated without expiring sessions. --- actionpack/CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index a53d8efee1..1d4b27a0f9 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,12 @@ +* Simplify cookies middleware with key rotation support + + Use the `rotate` method for both `MessageEncryptor` and + `MessageVerifier` to add key rotation support for encrypted and + signed cookies. This also helps simplify support for legacy cookie + security. + + *Michael J Coyne* + * Use Capybara registered `:puma` server config. The Capybara registered `:puma` server ensures the puma server is run in process so -- cgit v1.2.3 From 5755f57f3e887df93e11c4b3efb8bf21226744cc Mon Sep 17 00:00:00 2001 From: Ryuta Kamizono Date: Tue, 26 Sep 2017 14:54:22 +0900 Subject: Fix indentation in CHANGELOG [ci skip] --- actionpack/CHANGELOG.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 1d4b27a0f9..16090e7946 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md 
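Review bot: the key-rotation entry names the `rotate` method but not the `action_dispatch.cookies_rotations` interface that the commit message says users configure, so a reader cannot tell how to register a rotation; add a line naming that configuration. It should also state the operational caveat implied by "rotated without expiring sessions": the previous secret_key_base, salts, ciphers and digests remain accepted until they are removed from the rotation, so old secrets should be dropped once sessions have cycled. Minor: the title "Simplify cookies middleware with key rotation support" leads with the refactor rather than the user-visible feature (signed and encrypted cookies now support key rotation).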
@@ -7,14 +7,14 @@ *Michael J Coyne* -* Use Capybara registered `:puma` server config. +* Use Capybara registered `:puma` server config. The Capybara registered `:puma` server ensures the puma server is run in process so connection sharing and open request detection work correctly by default. *Thomas Walpole* -* Cookies `:expires` option supports `ActiveSupport::Duration` object. +* Cookies `:expires` option supports `ActiveSupport::Duration` object. cookies[:user_name] = { value: "assain", expires: 1.hour } cookies[:key] = { value: "a yummy cookie", expires: 6.months } @@ -23,7 +23,7 @@ *Assain Jaleel* -* Enforce signed/encrypted cookie expiry server side. +* Enforce signed/encrypted cookie expiry server side. Rails can thwart attacks by malicious clients that don't honor a cookie's expiry. -- cgit v1.2.3 From 59a02fb7bcbe68f26e1e7fdcec45c00c66e4a065 Mon Sep 17 00:00:00 2001 
From: eileencodes Date: Tue, 26 Sep 2017 13:27:53 -0400 Subject: Implement H2 Early Hints for Rails When puma/puma#1403 is merged Puma will support the Early Hints status code for sending assets before a request has finished. While the Early Hints spec is still in draft, this PR prepares Rails to allowing this status code. If the proxy server supports Early Hints, it will send H2 pushes to the client. This PR adds a method for setting Early Hints Link headers via Rails, and also automatically sends Early Hints if supported from the `stylesheet_link_tag` and the `javascript_include_tag`. Once puma supports Early Hints the `--early-hints` argument can be passed to the server to enable this or set in the puma config with `early_hints(true)`. Note that for Early Hints to work in the browser the requirements are 1) a proxy that can handle H2, and 2) HTTPS. To start the server with Early Hints enabled pass `--early-hints` to `rails s`. This has been verified to work with h2o, Puma, and Rails with Chrome. The commit adds a new option to the rails server to enable early hints for Puma. Early Hints spec: https://tools.ietf.org/html/draft-ietf-httpbis-early-hints-04 [Eileen M. Uchitelle, Aaron Patterson] --- actionpack/CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 16090e7946..adb86aad9f 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,11 @@ +* Add ability to enable Early Hints for HTTP/2 + + If supported by the server, and enabled in Puma this allows H2 Early Hints to be used. + + The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested. + + *Eileen M. Uchitelle*, *Aaron Patterson* + * Simplify cookies middleware with key rotation support Use the `rotate` method for both `MessageEncryptor` and -- cgit v1.2.3 From ada05850f84ee0eef5413950333e5b5332a64b48 Mon Sep 17 00:00:00 2001 
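Review bot: the Early Hints entry omits the constraints the commit message spells out: the spec is still a draft (https://tools.ietf.org/html/draft-ietf-httpbis-early-hints-04), Puma must be started with `--early-hints` or configured with `early_hints(true)`, and the browser only benefits behind an H2-capable proxy over HTTPS; without those the new `javascript_include_tag` and `stylesheet_link_tag` behaviour silently does nothing, so the changelog should say so. Style: the title lacks the trailing period the other entries use, and "If supported by the server, and enabled in Puma this allows" needs a comma after "Puma".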
From: "yuuji.yaginuma" Date: Fri, 13 Oct 2017 15:17:17 +0900 Subject: Add headless chrome driver to System Tests --- actionpack/CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index adb86aad9f..9a001cef9b 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,7 @@ +* Add headless chrome support to System Tests. + + *Yuji Yaginuma* + * Add ability to enable Early Hints for HTTP/2 If supported by the server, and enabled in Puma this allows H2 Early Hints to be used. -- cgit v1.2.3 From 75597f064a21ba6682678edf10ae18c33653662d Mon Sep 17 00:00:00 2001 From: bogdanvlviv Date: Sat, 21 Oct 2017 18:01:57 +0300 Subject: Add changelog entry about new `allow_other_host` option for `redirect_back` method [ci skip] Related to #30850 --- actionpack/CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 9a001cef9b..e5c814cc79 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,10 @@ +* Add `:allow_other_host` option to `redirect_back` method. + When `allow_other_host` is set to `false`, the `redirect_back` + will not allow a redirecting from a different host. + `allow_other_host` is `true` by default. + + *Tim Masliuchenko* + * Add headless chrome support to System Tests. *Yuji Yaginuma* -- cgit v1.2.3 From e16c765ac6dcff068ff2e5554d69ff345c003de1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= Date: Mon, 17 Jul 2017 16:51:51 -0400 Subject: Remove deprecated `ActionController::ParamsParser::ParseError` --- actionpack/CHANGELOG.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index e5c814cc79..32239d202c 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md 
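Review bot: the `:allow_other_host` entry does not say what `redirect_back` does when the redirect is refused (the text only says it "will not allow a redirecting"), nor what "a different host" is compared against; state both explicitly. Because the default stays `true`, also say that applications wanting the restriction must opt in on each call. Grammar: "will not allow a redirecting from a different host" should drop the article ("will not allow redirecting"), and the entry is missing the blank line between its title line and body that every neighbouring entry has.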
@@ -1,3 +1,7 @@ +* Remove deprecated `ActionController::ParamsParser::ParseError`. + + *Rafael Mendonça França* + * Add `:allow_other_host` option to `redirect_back` method. When `allow_other_host` is set to `false`, the `redirect_back` will not allow a redirecting from a different host. @@ -82,7 +86,7 @@ *Kir Shatrov* -* `driven_by` now registers poltergeist and capybara-webkit +* `driven_by` now registers poltergeist and capybara-webkit. If poltergeist or capybara-webkit are set as drivers is set for System Tests, `driven_by` will register the driver and set additional options passed via @@ -92,7 +96,7 @@ *Mario Chavez* -* AEAD encrypted cookies and sessions with GCM +* AEAD encrypted cookies and sessions with GCM. Encrypted cookies now use AES-GCM which couples authentication and encryption in one faster step and produces shorter ciphertexts. Cookies -- cgit v1.2.3 From 723f29c0dd172ae41d710b239e2a000b16aad01a Mon Sep 17 00:00:00 2001 From: Andrew White Date: Mon, 27 Nov 2017 08:35:40 +0000 Subject: Add CHANGELOG.md entry for #31162 [ci skip] --- actionpack/CHANGELOG.md | 60 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index e01f88e902..d48aa1081f 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md 
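Review bot: the removal entry names `ActionController::ParamsParser::ParseError` but not the exception callers should rescue in its place; a deprecation-removal entry should name the replacement so applications that rescued the old class do not lose their error handling on upgrade. The two trailing-period fixes in the later hunks are fine as they are.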
@@ -1,3 +1,63 @@ +* Add DSL for configuring Content-Security-Policy header + + The DSL allows you to configure a global Content-Security-Policy + header and then override within a controller. For more information + about the Content-Security-Policy header see MDN: + + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy + + Example global policy: + + # config/initializers/content_security_policy.rb + Rails.application.config.content_security_policy do + p.default_src :self, :https + p.font_src :self, :https, :data + p.img_src :self, :https, :data + p.object_src :none + p.script_src :self, :https + p.style_src :self, :https, :unsafe_inline + end + + Example controller overrides: + + # Override policy inline + class PostsController < ApplicationController + content_security_policy do |p| + p.upgrade_insecure_requests true + end + end + + # Using literal values + class PostsController < ApplicationController + content_security_policy do |p| + p.base_uri "https://www.example.com" + end + end + + # Using mixed static and dynamic values + class PostsController < ApplicationController + content_security_policy do |p| + p.base_uri :self, -> { "https://#{current_user.domain}.example.com" } + end + end + + Allows you to also only report content violations for migrating + legacy content using the `content_security_policy_report_only` + configuration attribute, e.g; + + # config/initializers/content_security_policy.rb + Rails.application.config.content_security_policy_report_only = true + + # controller override + class PostsController < ApplicationController + self.content_security_policy_report_only = true + end + + Note that this feature does not validate the header for performance + reasons since the header is calculated at runtime. + + *Andrew White* + * Make `assert_recognizes` to traverse mounted engines *Yuichiro Kaneko* -- cgit v1.2.3 From 5910c1d24107d7e5e0f43fb342c37bdb388e56bf Mon Sep 17 00:00:00 2001 
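Review bot: the global-policy example is broken: `Rails.application.config.content_security_policy do` opens the block with no block parameter, yet the body calls `p.default_src :self, :https`, so copying the example raises a NameError; it should read `Rails.application.config.content_security_policy do |p|` as the controller examples do. Also "e.g;" should be "e.g.". Two points worth a sentence in the entry: the sample policy sets `p.style_src :self, :https, :unsafe_inline`, which switches off the inline-style protection CSP provides, so it should be labelled as a compromise rather than presented as a recommended baseline; and since the entry says the header is not validated at runtime, it should advise checking the emitted header (for example with the `content_security_policy_report_only` mode the same entry introduces) before enforcing it.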
From: Prathamesh Sonpatki Date: Mon, 27 Nov 2017 15:46:18 +0530 Subject: Fix CHANGELOG for CSP PR #31162 [ci skip] --- actionpack/CHANGELOG.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index d48aa1081f..1843f058e0 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -5,11 +5,11 @@ about the Content-Security-Policy header see MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy - + Example global policy: - + # config/initializers/content_security_policy.rb - Rails.application.config.content_security_policy do + Rails.application.config.content_security_policy do |p| p.default_src :self, :https p.font_src :self, :https, :data p.img_src :self, :https, :data @@ -17,9 +17,9 @@ p.script_src :self, :https p.style_src :self, :https, :unsafe_inline end - + Example controller overrides: - + # Override policy inline class PostsController < ApplicationController content_security_policy do |p| @@ -40,22 +40,22 @@ p.base_uri :self, -> { "https://#{current_user.domain}.example.com" } end end - + Allows you to also only report content violations for migrating legacy content using the `content_security_policy_report_only` configuration attribute, e.g; - + # config/initializers/content_security_policy.rb Rails.application.config.content_security_policy_report_only = true - + # controller override class PostsController < ApplicationController self.content_security_policy_report_only = true end - + Note that this feature does not validate the header for performance reasons since the header is calculated at runtime. - + *Andrew White* * Make `assert_recognizes` to traverse mounted engines -- cgit v1.2.3 From cceeeb6e57f1cf8b24d507e2da9ed85d374c8bc5 Mon Sep 17 00:00:00 2001 
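Review bot: the block-parameter fix (`Rails.application.config.content_security_policy do |p|`) is right, but the typo in the context line "configuration attribute, e.g;" is still present after this pass; change it to "e.g." while touching this area. Everything else in the three hunks is trailing-whitespace removal only.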
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= Date: Mon, 27 Nov 2017 13:01:15 -0500 Subject: Preparing for 5.2.0.beta1 release --- actionpack/CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 1843f058e0..968d4bb0f8 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,5 @@ +## Rails 5.2.0.beta1 (November 27, 2017) ## + * Add DSL for configuring Content-Security-Policy header The DSL allows you to configure a global Content-Security-Policy -- cgit v1.2.3 From 00c0e4001cc875a51938a3086129b4dc275eef93 Mon Sep 17 00:00:00 2001 From: Andrew White Date: Tue, 28 Nov 2017 15:58:18 +0000 Subject: Fix optimized url helpers when using relative url root Fixes #31220. --- actionpack/CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 968d4bb0f8..1b7b590877 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,10 @@ +* Fix optimized url helpers when using relative url root + + Fixes #31220. + + *Andrew White* + + ## Rails 5.2.0.beta1 (November 27, 2017) ## * Add DSL for configuring Content-Security-Policy header -- cgit v1.2.3 From 2837d0f3347e747a8c12bd3c097bc7282072d42b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= Date: Tue, 28 Nov 2017 00:01:45 -0500 Subject: Preparing for 5.2.0.beta2 release --- actionpack/CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 1b7b590877..2232767c05 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -5,6 +5,11 @@ *Andrew White* +## Rails 5.2.0.beta2 (November 28, 2017) ## + +* No changes. + + ## Rails 5.2.0.beta1 (November 27, 2017) ## * Add DSL for configuring Content-Security-Policy header -- cgit v1.2.3 
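Review bot: the entry "Fix optimized url helpers when using relative url root" gives only "Fixes #31220." without describing the bug, so changelog readers cannot tell whether they were affected; add one line describing the symptom. Style: "url" should be "URL" and the title lacks the trailing period the other entries use.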
From 729a3da0bb5993a4464ebdebcce8be3635b7f765 Mon Sep 17 00:00:00 2001 From: Guillermo Iguaran Date: Tue, 28 Nov 2017 01:09:06 -0500 Subject: Register most popular audio/video/font mime types supported by modern browsers --- actionpack/CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 2232767c05..c8fb34ed52 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,7 @@ +* Register most popular audio/video/font mime types supported by modern browsers. + + *Guillermo Iguaran* + * Fix optimized url helpers when using relative url root Fixes #31220. -- cgit v1.2.3 From 0185aae747676e636a52eb079a0a10a6f053fa2c Mon Sep 17 00:00:00 2001 From: eileencodes Date: Thu, 30 Nov 2017 12:26:33 -0500 Subject: Add changelog entry for 9d6e28 Since this changes a default setting a changelog entry is important. --- actionpack/CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index c8fb34ed52..d120d15770 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,15 @@ +* Changed the default system test screenshot output from `inline` to `simple`. + + `inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like + Terminal.app ignore the `inline` and output the path to the file since it can't + render the image. Other terminals, like those on Ubuntu, cannot handle the image + inline, but also don't handle it gracefully and instead of outputting the file + path, it dumps binary into the terminal. + + Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`. + + *Eileen M. Uchitelle* + * Register most popular audio/video/font mime types supported by modern browsers. *Guillermo Iguaran* -- cgit v1.2.3 From 82b974813b28748e5affcff1d8c4ad60ab2971be Mon Sep 17 00:00:00 2001 
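Review bot: "Register most popular audio/video/font mime types supported by modern browsers." names none of the types or extensions it registers, yet newly registered MIME types change the set of formats the framework recognises and negotiates, so the entry should enumerate them.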
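Review bot: the screenshot-output entry uses the past tense "Changed the default system test screenshot output" where every neighbouring entry uses the imperative ("Add", "Fix", "Register"); also "Commit 9d6e28" is an abbreviated hash with no link, so it would help to say which release the default changed in rather than point at a commit.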
From: bogdanvlviv Date: Thu, 7 Dec 2017 20:02:34 +0200 Subject: Add headless firefox driver to System Tests --- actionpack/CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index d120d15770..753dd8589a 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,7 @@ +* Add headless firefox support to System Tests. + + *bogdanvlviv* + * Changed the default system test screenshot output from `inline` to `simple`. `inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like -- cgit v1.2.3