From fa487763d98ccf9c3e66fdb44f09af5c37a50fe5 Mon Sep 17 00:00:00 2001
From: Vipul A M <vipulnsward@gmail.com>
Date: Tue, 12 Apr 2016 02:41:06 +0530
Subject:     Changed default behaviour of
 `ActiveSupport::SecurityUtils.secure_compare`,     to make it not leak length
 information even for variable length string.

    Renamed old `ActiveSupport::SecurityUtils.secure_compare` to `fixed_length_secure_compare`,
    and started raising `ArgumentError` in case of length mismatch of passed strings.
---
 actionpack/lib/action_controller/metal/http_authentication.rb | 11 ++++-------
 .../lib/action_controller/metal/request_forgery_protection.rb |  4 ++--
 2 files changed, 6 insertions(+), 9 deletions(-)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index d8bc895265..09df39db1f 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -70,10 +70,10 @@ module ActionController
             before_action(options.except(:name, :password, :realm)) do
               authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
                 # This comparison uses & so that it doesn't short circuit and
-                # uses `variable_size_secure_compare` so that length information
+                # uses `secure_compare` so that length information
                 # isn't leaked.
-                ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
-                  ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
+                ActiveSupport::SecurityUtils.secure_compare(name, options[:name]) &
+                  ActiveSupport::SecurityUtils.secure_compare(password, options[:password])
               end
             end
           end
@@ -348,10 +348,7 @@ module ActionController
     #         authenticate_or_request_with_http_token do |token, options|
     #           # Compare the tokens in a time-constant manner, to mitigate
     #           # timing attacks.
-    #           ActiveSupport::SecurityUtils.secure_compare(
-    #             ::Digest::SHA256.hexdigest(token),
-    #             ::Digest::SHA256.hexdigest(TOKEN)
-    #           )
+    #           ActiveSupport::SecurityUtils.secure_compare(token, TOKEN)
     #         end
     #       end
     #   end
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 5051c02a62..13662fc021 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -353,7 +353,7 @@ module ActionController #:nodoc:
       end
 
       def compare_with_real_token(token, session) # :doc:
-        ActiveSupport::SecurityUtils.secure_compare(token, real_csrf_token(session))
+        ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
       end
 
       def valid_per_form_csrf_token?(token, session) # :doc:
@@ -364,7 +364,7 @@ module ActionController #:nodoc:
             request.request_method
           )
 
-          ActiveSupport::SecurityUtils.secure_compare(token, correct_token)
+          ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, correct_token)
         else
           false
         end
-- 
cgit v1.2.3


From 516c63a71e632c862841cbcb3f9b7ecfc05d9675 Mon Sep 17 00:00:00 2001
From: Joe Marty <josephmarty@gmail.com>
Date: Tue, 21 Nov 2017 12:27:25 -0600
Subject: Fix tld_length documentation

Change recommendation for tld_length (for sharing cookies across subdomains of a 2-token TLD), to 2 instead of 1.
---
 actionpack/lib/action_dispatch/middleware/cookies.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index 86a070c6ad..ea4156c972 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -161,7 +161,7 @@ module ActionDispatch
   #
   # * <tt>:tld_length</tt> - When using <tt>:domain => :all</tt>, this option can be used to explicitly
   #   set the TLD length when using a short (<= 3 character) domain that is being interpreted as part of a TLD.
-  #   For example, to share cookies between user1.lvh.me and user2.lvh.me, set <tt>:tld_length</tt> to 1.
+  #   For example, to share cookies between user1.lvh.me and user2.lvh.me, set <tt>:tld_length</tt> to 2.
   # * <tt>:expires</tt> - The time at which this cookie expires, as a \Time or ActiveSupport::Duration object.
   # * <tt>:secure</tt> - Whether this cookie is only transmitted to HTTPS servers.
   #   Default is +false+.
-- 
cgit v1.2.3


From 3063ace1070e4ddb8d0cc09fbd23049e7b21617a Mon Sep 17 00:00:00 2001
From: "T.J. Schuck" <tj@tjschuck.com>
Date: Wed, 22 Nov 2017 14:45:51 -0500
Subject: Update incorrect backtick usage in RDoc to teletype

[ci skip]
---
 actionpack/lib/action_controller/metal/redirecting.rb               | 4 ++--
 .../lib/action_controller/metal/request_forgery_protection.rb       | 6 +++---
 actionpack/lib/action_dispatch/routing/url_for.rb                   | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
index 8de57f9199..87a2e29a3f 100644
--- a/actionpack/lib/action_controller/metal/redirecting.rb
+++ b/actionpack/lib/action_controller/metal/redirecting.rb
@@ -68,7 +68,7 @@ module ActionController
     # if possible, otherwise redirects to the provided default fallback
     # location.
     #
-    # The referrer information is pulled from the HTTP `Referer` (sic) header on
+    # The referrer information is pulled from the HTTP +Referer+ (sic) header on
     # the request. This is an optional header and its presence on the request is
     # subject to browser security settings and user preferences. If the request
     # is missing this header, the <tt>fallback_location</tt> will be used.
@@ -82,7 +82,7 @@ module ActionController
     #   redirect_back fallback_location: '/', allow_other_host: false
     #
     # ==== Options
-    # * <tt>:fallback_location</tt> - The default fallback location that will be used on missing `Referer` header.
+    # * <tt>:fallback_location</tt> - The default fallback location that will be used on missing +Referer+ header.
     # * <tt>:allow_other_host</tt> - Allows or disallow redirection to the host that is different to the current host
     #
     # All other options that can be passed to <tt>redirect_to</tt> are accepted as
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index bd133f24a1..906494ba16 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -216,7 +216,7 @@ module ActionController #:nodoc:
       # The actual before_action that is used to verify the CSRF token.
       # Don't override this directly. Provide your own forgery protection
       # strategy instead. If you override, you'll disable same-origin
-      # `<script>` verification.
+      # <tt><script></tt> verification.
       #
       # Lean on the protect_from_forgery declaration to mark which actions are
       # due for same-origin request verification. If protect_from_forgery is
@@ -250,7 +250,7 @@ module ActionController #:nodoc:
       private_constant :CROSS_ORIGIN_JAVASCRIPT_WARNING
       # :startdoc:
 
-      # If `verify_authenticity_token` was run (indicating that we have
+      # If +verify_authenticity_token+ was run (indicating that we have
       # forgery protection enabled for this request) then also verify that
       # we aren't serving an unauthorized cross-origin response.
       def verify_same_origin_request # :doc:
@@ -267,7 +267,7 @@ module ActionController #:nodoc:
         @marked_for_same_origin_verification = request.get?
       end
 
-      # If the `verify_authenticity_token` before_action ran, verify that
+      # If the +verify_authenticity_token+ before_action ran, verify that
       # JavaScript responses are only served to same-origin GET requests.
       def marked_for_same_origin_verification? # :doc:
         @marked_for_same_origin_verification ||= false
diff --git a/actionpack/lib/action_dispatch/routing/url_for.rb b/actionpack/lib/action_dispatch/routing/url_for.rb
index 3ae533dd37..fa345dccdf 100644
--- a/actionpack/lib/action_dispatch/routing/url_for.rb
+++ b/actionpack/lib/action_dispatch/routing/url_for.rb
@@ -155,7 +155,7 @@ module ActionDispatch
       # Missing routes keys may be filled in from the current request's parameters
       # (e.g. +:controller+, +:action+, +:id+ and any other parameters that are
       # placed in the path). Given that the current action has been reached
-      # through `GET /users/1`:
+      # through <tt>GET /users/1</tt>:
       #
       #   url_for(only_path: true)                        # => '/users/1'
       #   url_for(only_path: true, action: 'edit')        # => '/users/1/edit'
-- 
cgit v1.2.3


From f7f7a08fa8593a014a6b91027eee28548a3d2102 Mon Sep 17 00:00:00 2001
From: "T.J. Schuck" <tj@tjschuck.com>
Date: Wed, 22 Nov 2017 15:11:54 -0500
Subject: Fix CustomUrls#direct doc formatting

Particularly, the bulleted list was getting formatted as a code block because of the extra level of indentation.  Pulling it back to the left makes it render properly as a list instead.

[ci skip]
---
 actionpack/lib/action_dispatch/routing/mapper.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_dispatch/routing/mapper.rb b/actionpack/lib/action_dispatch/routing/mapper.rb
index ded42adee9..d87a23a58c 100644
--- a/actionpack/lib/action_dispatch/routing/mapper.rb
+++ b/actionpack/lib/action_dispatch/routing/mapper.rb
@@ -2046,7 +2046,7 @@ module ActionDispatch
       end
 
       module CustomUrls
-        # Define custom url helpers that will be added to the application's
+        # Define custom URL helpers that will be added to the application's
         # routes. This allows you to override and/or replace the default behavior
         # of routing helpers, e.g:
         #
@@ -2066,11 +2066,11 @@ module ActionDispatch
         # arguments for +url_for+ which will actually build the URL string. This can
         # be one of the following:
         #
-        #   * A string, which is treated as a generated URL
-        #   * A hash, e.g. { controller: "pages", action: "index" }
-        #   * An array, which is passed to `polymorphic_url`
-        #   * An Active Model instance
-        #   * An Active Model class
+        # * A string, which is treated as a generated URL
+        # * A hash, e.g. <tt>{ controller: "pages", action: "index" }</tt>
+        # * An array, which is passed to +polymorphic_url+
+        # * An Active Model instance
+        # * An Active Model class
         #
         # NOTE: Other URL helpers can be called in the block but be careful not to invoke
         # your custom URL helper again otherwise it will result in a stack overflow error.
-- 
cgit v1.2.3


From 456c3ffdbe37d430c12ad269514674cc89f38c11 Mon Sep 17 00:00:00 2001
From: Andrew White <andrew.white@unboxed.co>
Date: Wed, 15 Nov 2017 21:07:28 +0000
Subject: Add DSL for configuring Content-Security-Policy header

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
---
 actionpack/lib/action_controller.rb                |   1 +
 actionpack/lib/action_controller/base.rb           |   1 +
 .../metal/content_security_policy.rb               |  26 ++
 actionpack/lib/action_dispatch.rb                  |   1 +
 .../http/content_security_policy.rb                | 233 +++++++++++++
 actionpack/lib/action_dispatch/http/request.rb     |   1 +
 .../test/dispatch/content_security_policy_test.rb  | 359 +++++++++++++++++++++
 7 files changed, 622 insertions(+)
 create mode 100644 actionpack/lib/action_controller/metal/content_security_policy.rb
 create mode 100644 actionpack/lib/action_dispatch/http/content_security_policy.rb
 create mode 100644 actionpack/test/dispatch/content_security_policy_test.rb

(limited to 'actionpack')

diff --git a/actionpack/lib/action_controller.rb b/actionpack/lib/action_controller.rb
index bd19b8cd5d..f43784f9f2 100644
--- a/actionpack/lib/action_controller.rb
+++ b/actionpack/lib/action_controller.rb
@@ -22,6 +22,7 @@ module ActionController
 
   autoload_under "metal" do
     autoload :ConditionalGet
+    autoload :ContentSecurityPolicy
     autoload :Cookies
     autoload :DataStreaming
     autoload :EtagWithTemplateDigest
diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb
index b73269871b..204a3d400c 100644
--- a/actionpack/lib/action_controller/base.rb
+++ b/actionpack/lib/action_controller/base.rb
@@ -225,6 +225,7 @@ module ActionController
       Flash,
       FormBuilder,
       RequestForgeryProtection,
+      ContentSecurityPolicy,
       ForceSSL,
       Streaming,
       DataStreaming,
diff --git a/actionpack/lib/action_controller/metal/content_security_policy.rb b/actionpack/lib/action_controller/metal/content_security_policy.rb
new file mode 100644
index 0000000000..48a7109bea
--- /dev/null
+++ b/actionpack/lib/action_controller/metal/content_security_policy.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module ActionController #:nodoc:
+  module ContentSecurityPolicy
+    # TODO: Documentation
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      def content_security_policy(**options, &block)
+        before_action(options) do
+          if block_given?
+            policy = request.content_security_policy.clone
+            yield policy
+            request.content_security_policy = policy
+          end
+        end
+      end
+
+      def content_security_policy_report_only(report_only = true, **options)
+        before_action(options) do
+          request.content_security_policy_report_only = report_only
+        end
+      end
+    end
+  end
+end
diff --git a/actionpack/lib/action_dispatch.rb b/actionpack/lib/action_dispatch.rb
index 34937f3229..6fed911d0a 100644
--- a/actionpack/lib/action_dispatch.rb
+++ b/actionpack/lib/action_dispatch.rb
@@ -42,6 +42,7 @@ module ActionDispatch
 
   eager_autoload do
     autoload_under "http" do
+      autoload :ContentSecurityPolicy
       autoload :Request
       autoload :Response
     end
diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
new file mode 100644
index 0000000000..d10d4faf3d
--- /dev/null
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -0,0 +1,233 @@
+# frozen_string_literal: true
+
+module ActionDispatch #:nodoc:
+  class ContentSecurityPolicy
+    class Middleware
+      CONTENT_TYPE = "Content-Type".freeze
+      POLICY = "Content-Security-Policy".freeze
+      POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only".freeze
+
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        request = ActionDispatch::Request.new env
+        _, headers, _ = response = @app.call(env)
+
+        return response unless html_response?(headers)
+        return response if policy_present?(headers)
+
+        if policy = request.content_security_policy
+          headers[header_name(request)] = policy.build(request.controller_instance)
+        end
+
+        response
+      end
+
+      private
+
+        def html_response?(headers)
+          if content_type = headers[CONTENT_TYPE]
+            content_type =~ /html/
+          end
+        end
+
+        def header_name(request)
+          if request.content_security_policy_report_only
+            POLICY_REPORT_ONLY
+          else
+            POLICY
+          end
+        end
+
+        def policy_present?(headers)
+          headers[POLICY] || headers[POLICY_REPORT_ONLY]
+        end
+    end
+
+    module Request
+      POLICY = "action_dispatch.content_security_policy".freeze
+      POLICY_REPORT_ONLY = "action_dispatch.content_security_policy_report_only".freeze
+
+      def content_security_policy
+        get_header(POLICY)
+      end
+
+      def content_security_policy=(policy)
+        set_header(POLICY, policy)
+      end
+
+      def content_security_policy_report_only
+        get_header(POLICY_REPORT_ONLY)
+      end
+
+      def content_security_policy_report_only=(value)
+        set_header(POLICY_REPORT_ONLY, value)
+      end
+    end
+
+    MAPPINGS = {
+      self:           "'self'",
+      unsafe_eval:    "'unsafe-eval'",
+      unsafe_inline:  "'unsafe-inline'",
+      none:           "'none'",
+      http:           "http:",
+      https:          "https:",
+      data:           "data:",
+      mediastream:    "mediastream:",
+      blob:           "blob:",
+      filesystem:     "filesystem:",
+      report_sample:  "'report-sample'",
+      strict_dynamic: "'strict-dynamic'"
+    }.freeze
+
+    DIRECTIVES = {
+      base_uri:        "base-uri",
+      child_src:       "child-src",
+      connect_src:     "connect-src",
+      default_src:     "default-src",
+      font_src:        "font-src",
+      form_action:     "form-action",
+      frame_ancestors: "frame-ancestors",
+      frame_src:       "frame-src",
+      img_src:         "img-src",
+      manifest_src:    "manifest-src",
+      media_src:       "media-src",
+      object_src:      "object-src",
+      script_src:      "script-src",
+      style_src:       "style-src",
+      worker_src:      "worker-src"
+    }.freeze
+
+    private_constant :MAPPINGS, :DIRECTIVES
+
+    attr_reader :directives
+
+    def initialize
+      @directives = {}
+      yield self if block_given?
+    end
+
+    def initialize_copy(other)
+      @directives = copy_directives(other.directives)
+    end
+
+    DIRECTIVES.each do |name, directive|
+      define_method(name) do |*sources|
+        if sources.first
+          @directives[directive] = apply_mappings(sources)
+        else
+          @directives.delete(directive)
+        end
+      end
+    end
+
+    def block_all_mixed_content(enabled = true)
+      if enabled
+        @directives["block-all-mixed-content"] = true
+      else
+        @directives.delete("block-all-mixed-content")
+      end
+    end
+
+    def plugin_types(*types)
+      if types.first
+        @directives["plugin-types"] = types
+      else
+        @directives.delete("plugin-types")
+      end
+    end
+
+    def report_uri(uri)
+      @directives["report-uri"] = [uri]
+    end
+
+    def require_sri_for(*types)
+      if types.first
+        @directives["require-sri-for"] = types
+      else
+        @directives.delete("require-sri-for")
+      end
+    end
+
+    def sandbox(*values)
+      if values.empty?
+        @directives["sandbox"] = true
+      elsif values.first
+        @directives["sandbox"] = values
+      else
+        @directives.delete("sandbox")
+      end
+    end
+
+    def upgrade_insecure_requests(enabled = true)
+      if enabled
+        @directives["upgrade-insecure-requests"] = true
+      else
+        @directives.delete("upgrade-insecure-requests")
+      end
+    end
+
+    def build(context = nil)
+      build_directives(context).compact.join("; ") + ";"
+    end
+
+    private
+      def copy_directives(directives)
+        directives.transform_values { |sources| sources.map(&:dup) }
+      end
+
+      def apply_mappings(sources)
+        sources.map do |source|
+          case source
+          when Symbol
+            apply_mapping(source)
+          when String, Proc
+            source
+          else
+            raise ArgumentError, "Invalid content security policy source: #{source.inspect}"
+          end
+        end
+      end
+
+      def apply_mapping(source)
+        MAPPINGS.fetch(source) do
+          raise ArgumentError, "Unknown content security policy source mapping: #{source.inspect}"
+        end
+      end
+
+      def build_directives(context)
+        @directives.map do |directive, sources|
+          if sources.is_a?(Array)
+            "#{directive} #{build_directive(sources, context).join(' ')}"
+          elsif sources
+            directive
+          else
+            nil
+          end
+        end
+      end
+
+      def build_directive(sources, context)
+        sources.map { |source| resolve_source(source, context) }
+      end
+
+      def resolve_source(source, context)
+        case source
+        when String
+          source
+        when Symbol
+          source.to_s
+        when Proc
+          if context.nil?
+            raise RuntimeError, "Missing context for the dynamic content security policy source: #{source.inspect}"
+          else
+            context.instance_exec(&source)
+          end
+        else
+          raise RuntimeError, "Unexpected content security policy source: #{source.inspect}"
+        end
+      end
+  end
+end
diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
index d631281e4b..3838b84a7a 100644
--- a/actionpack/lib/action_dispatch/http/request.rb
+++ b/actionpack/lib/action_dispatch/http/request.rb
@@ -22,6 +22,7 @@ module ActionDispatch
     include ActionDispatch::Http::Parameters
     include ActionDispatch::Http::FilterParameters
     include ActionDispatch::Http::URL
+    include ActionDispatch::ContentSecurityPolicy::Request
     include Rack::Request::Env
 
     autoload :Session, "action_dispatch/request/session"
diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb
new file mode 100644
index 0000000000..8a1ac066e8
--- /dev/null
+++ b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -0,0 +1,359 @@
+# frozen_string_literal: true
+
+require "abstract_unit"
+
+class ContentSecurityPolicyTest < ActiveSupport::TestCase
+  def setup
+    @policy = ActionDispatch::ContentSecurityPolicy.new
+  end
+
+  def test_build
+    assert_equal ";", @policy.build
+
+    @policy.script_src :self
+    assert_equal "script-src 'self';", @policy.build
+  end
+
+  def test_mappings
+    @policy.script_src :data
+    assert_equal "script-src data:;", @policy.build
+
+    @policy.script_src :mediastream
+    assert_equal "script-src mediastream:;", @policy.build
+
+    @policy.script_src :blob
+    assert_equal "script-src blob:;", @policy.build
+
+    @policy.script_src :filesystem
+    assert_equal "script-src filesystem:;", @policy.build
+
+    @policy.script_src :self
+    assert_equal "script-src 'self';", @policy.build
+
+    @policy.script_src :unsafe_inline
+    assert_equal "script-src 'unsafe-inline';", @policy.build
+
+    @policy.script_src :unsafe_eval
+    assert_equal "script-src 'unsafe-eval';", @policy.build
+
+    @policy.script_src :none
+    assert_equal "script-src 'none';", @policy.build
+
+    @policy.script_src :strict_dynamic
+    assert_equal "script-src 'strict-dynamic';", @policy.build
+
+    @policy.script_src :none, :report_sample
+    assert_equal "script-src 'none' 'report-sample';", @policy.build
+  end
+
+  def test_fetch_directives
+    @policy.child_src :self
+    assert_match %r{child-src 'self'}, @policy.build
+
+    @policy.child_src false
+    assert_no_match %r{child-src}, @policy.build
+
+    @policy.connect_src :self
+    assert_match %r{connect-src 'self'}, @policy.build
+
+    @policy.connect_src false
+    assert_no_match %r{connect-src}, @policy.build
+
+    @policy.default_src :self
+    assert_match %r{default-src 'self'}, @policy.build
+
+    @policy.default_src false
+    assert_no_match %r{default-src}, @policy.build
+
+    @policy.font_src :self
+    assert_match %r{font-src 'self'}, @policy.build
+
+    @policy.font_src false
+    assert_no_match %r{font-src}, @policy.build
+
+    @policy.frame_src :self
+    assert_match %r{frame-src 'self'}, @policy.build
+
+    @policy.frame_src false
+    assert_no_match %r{frame-src}, @policy.build
+
+    @policy.img_src :self
+    assert_match %r{img-src 'self'}, @policy.build
+
+    @policy.img_src false
+    assert_no_match %r{img-src}, @policy.build
+
+    @policy.manifest_src :self
+    assert_match %r{manifest-src 'self'}, @policy.build
+
+    @policy.manifest_src false
+    assert_no_match %r{manifest-src}, @policy.build
+
+    @policy.media_src :self
+    assert_match %r{media-src 'self'}, @policy.build
+
+    @policy.media_src false
+    assert_no_match %r{media-src}, @policy.build
+
+    @policy.object_src :self
+    assert_match %r{object-src 'self'}, @policy.build
+
+    @policy.object_src false
+    assert_no_match %r{object-src}, @policy.build
+
+    @policy.script_src :self
+    assert_match %r{script-src 'self'}, @policy.build
+
+    @policy.script_src false
+    assert_no_match %r{script-src}, @policy.build
+
+    @policy.style_src :self
+    assert_match %r{style-src 'self'}, @policy.build
+
+    @policy.style_src false
+    assert_no_match %r{style-src}, @policy.build
+
+    @policy.worker_src :self
+    assert_match %r{worker-src 'self'}, @policy.build
+
+    @policy.worker_src false
+    assert_no_match %r{worker-src}, @policy.build
+  end
+
+  def test_document_directives
+    @policy.base_uri "https://example.com"
+    assert_match %r{base-uri https://example\.com;}, @policy.build
+
+    @policy.plugin_types "application/x-shockwave-flash"
+    assert_match %r{plugin-types application/x-shockwave-flash;}, @policy.build
+
+    @policy.sandbox
+    assert_match %r{sandbox;}, @policy.build
+
+    @policy.sandbox "allow-scripts", "allow-modals"
+    assert_match %r{sandbox allow-scripts allow-modals;}, @policy.build
+
+    @policy.sandbox false
+    assert_no_match %r{sandbox}, @policy.build
+  end
+
+  def test_navigation_directives
+    @policy.form_action :self
+    assert_match %r{form-action 'self';}, @policy.build
+
+    @policy.frame_ancestors :self
+    assert_match %r{frame-ancestors 'self';}, @policy.build
+  end
+
+  def test_reporting_directives
+    @policy.report_uri "/violations"
+    assert_match %r{report-uri /violations;}, @policy.build
+  end
+
+  def test_other_directives
+    @policy.block_all_mixed_content
+    assert_match %r{block-all-mixed-content;}, @policy.build
+
+    @policy.block_all_mixed_content false
+    assert_no_match %r{block-all-mixed-content}, @policy.build
+
+    @policy.require_sri_for :script, :style
+    assert_match %r{require-sri-for script style;}, @policy.build
+
+    @policy.require_sri_for "script", "style"
+    assert_match %r{require-sri-for script style;}, @policy.build
+
+    @policy.require_sri_for
+    assert_no_match %r{require-sri-for}, @policy.build
+
+    @policy.upgrade_insecure_requests
+    assert_match %r{upgrade-insecure-requests;}, @policy.build
+
+    @policy.upgrade_insecure_requests false
+    assert_no_match %r{upgrade-insecure-requests}, @policy.build
+  end
+
+  def test_multiple_sources
+    @policy.script_src :self, :https
+    assert_equal "script-src 'self' https:;", @policy.build
+  end
+
+  def test_multiple_directives
+    @policy.script_src :self, :https
+    @policy.style_src :self, :https
+    assert_equal "script-src 'self' https:; style-src 'self' https:;", @policy.build
+  end
+
+  def test_dynamic_directives
+    request = Struct.new(:host).new("www.example.com")
+    controller = Struct.new(:request).new(request)
+
+    @policy.script_src -> { request.host }
+    assert_equal "script-src www.example.com;", @policy.build(controller)
+  end
+
+  def test_mixed_static_and_dynamic_directives
+    @policy.script_src :self, -> { "foo.com" }, "bar.com"
+    assert_equal "script-src 'self' foo.com bar.com;", @policy.build(Object.new)
+  end
+
+  def test_invalid_directive_source
+    exception = assert_raises(ArgumentError) do
+      @policy.script_src [:self]
+    end
+
+    assert_equal "Invalid content security policy source: [:self]", exception.message
+  end
+
+  def test_missing_context_for_dynamic_source
+    @policy.script_src -> { request.host }
+
+    exception = assert_raises(RuntimeError) do
+      @policy.build
+    end
+
+    assert_match %r{\AMissing context for the dynamic content security policy source:}, exception.message
+  end
+
+  def test_raises_runtime_error_when_unexpected_source
+    @policy.plugin_types [:flash]
+
+    exception = assert_raises(RuntimeError) do
+      @policy.build
+    end
+
+    assert_match %r{\AUnexpected content security policy source:}, exception.message
+  end
+end
+
+class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
+  class PolicyController < ActionController::Base
+    content_security_policy only: :inline do |p|
+      p.default_src "https://example.com"
+    end
+
+    content_security_policy only: :conditional, if: :condition? do |p|
+      p.default_src "https://true.example.com"
+    end
+
+    content_security_policy only: :conditional, unless: :condition? do |p|
+      p.default_src "https://false.example.com"
+    end
+
+    content_security_policy only: :report_only do |p|
+      p.report_uri "/violations"
+    end
+
+    content_security_policy_report_only only: :report_only
+
+    def index
+      head :ok
+    end
+
+    def inline
+      head :ok
+    end
+
+    def conditional
+      head :ok
+    end
+
+    def report_only
+      head :ok
+    end
+
+    private
+      def condition?
+        params[:condition] == "true"
+      end
+  end
+
+  ROUTES = ActionDispatch::Routing::RouteSet.new
+  ROUTES.draw do
+    scope module: "content_security_policy_integration_test" do
+      get "/", to: "policy#index"
+      get "/inline", to: "policy#inline"
+      get "/conditional", to: "policy#conditional"
+      get "/report-only", to: "policy#report_only"
+    end
+  end
+
+  POLICY = ActionDispatch::ContentSecurityPolicy.new do |p|
+    p.default_src :self
+  end
+
+  class PolicyConfigMiddleware
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      env["action_dispatch.content_security_policy"] = POLICY
+      env["action_dispatch.content_security_policy_report_only"] = false
+      env["action_dispatch.show_exceptions"] = false
+
+      @app.call(env)
+    end
+  end
+
+  APP = build_app(ROUTES) do |middleware|
+    middleware.use PolicyConfigMiddleware
+    middleware.use ActionDispatch::ContentSecurityPolicy::Middleware
+  end
+
+  def app
+    APP
+  end
+
+  def test_generates_content_security_policy_header
+    get "/"
+    assert_policy "default-src 'self';"
+  end
+
+  def test_generates_inline_content_security_policy
+    get "/inline"
+    assert_policy "default-src https://example.com;"
+  end
+
+  def test_generates_conditional_content_security_policy
+    get "/conditional", params: { condition: "true" }
+    assert_policy "default-src https://true.example.com;"
+
+    get "/conditional", params: { condition: "false" }
+    assert_policy "default-src https://false.example.com;"
+  end
+
+  def test_generates_report_only_content_security_policy
+    get "/report-only"
+    assert_policy "default-src 'self'; report-uri /violations;", report_only: true
+  end
+
+  private
+
+    def env_config
+      Rails.application.env_config
+    end
+
+    def content_security_policy
+      env_config["action_dispatch.content_security_policy"]
+    end
+
+    def content_security_policy=(policy)
+      env_config["action_dispatch.content_security_policy"] = policy
+    end
+
+    def assert_policy(expected, report_only: false)
+      assert_response :success
+
+      if report_only
+        expected_header = "Content-Security-Policy-Report-Only"
+        unexpected_header = "Content-Security-Policy"
+      else
+        expected_header = "Content-Security-Policy"
+        unexpected_header = "Content-Security-Policy-Report-Only"
+      end
+
+      assert_nil response.headers[unexpected_header]
+      assert_equal expected, response.headers[expected_header]
+    end
+end
-- 
cgit v1.2.3


From 723f29c0dd172ae41d710b239e2a000b16aad01a Mon Sep 17 00:00:00 2001
From: Andrew White <andrew.white@unboxed.co>
Date: Mon, 27 Nov 2017 08:35:40 +0000
Subject: Add CHANGELOG.md entry for #31162 [ci skip]

---
 actionpack/CHANGELOG.md | 60 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

(limited to 'actionpack')

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index e01f88e902..d48aa1081f 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,63 @@
+*   Add DSL for configuring Content-Security-Policy header
+
+    The DSL allows you to configure a global Content-Security-Policy
+    header and then override within a controller. For more information
+    about the Content-Security-Policy header see MDN:
+
+    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+    
+    Example global policy:
+    
+        # config/initializers/content_security_policy.rb
+        Rails.application.config.content_security_policy do
+          p.default_src :self, :https
+          p.font_src    :self, :https, :data
+          p.img_src     :self, :https, :data
+          p.object_src  :none
+          p.script_src  :self, :https
+          p.style_src   :self, :https, :unsafe_inline
+        end
+    
+    Example controller overrides:
+    
+        # Override policy inline
+        class PostsController < ApplicationController
+          content_security_policy do |p|
+            p.upgrade_insecure_requests true
+          end
+        end
+
+        # Using literal values
+        class PostsController < ApplicationController
+          content_security_policy do |p|
+            p.base_uri "https://www.example.com"
+          end
+        end
+
+        # Using mixed static and dynamic values
+        class PostsController < ApplicationController
+          content_security_policy do |p|
+            p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
+          end
+        end
+        
+    Allows you to also only report content violations for migrating
+    legacy content using the `content_security_policy_report_only`
+    configuration attribute, e.g;
+    
+        # config/initializers/content_security_policy.rb
+        Rails.application.config.content_security_policy_report_only = true
+        
+        # controller override
+        class PostsController < ApplicationController
+          self.content_security_policy_report_only = true
+        end
+    
+    Note that this feature does not validate the header for performance
+    reasons since the header is calculated at runtime.
+    
+    *Andrew White*
+
 *   Make `assert_recognizes` to traverse mounted engines
 
     *Yuichiro Kaneko*
-- 
cgit v1.2.3


From 5910c1d24107d7e5e0f43fb342c37bdb388e56bf Mon Sep 17 00:00:00 2001
From: Prathamesh Sonpatki <csonpatki@gmail.com>
Date: Mon, 27 Nov 2017 15:46:18 +0530
Subject: Fix CHANGELOG for CSP PR #31162 [ci skip]

---
 actionpack/CHANGELOG.md | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

(limited to 'actionpack')

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index d48aa1081f..1843f058e0 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -5,11 +5,11 @@
     about the Content-Security-Policy header see MDN:
 
     https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-    
+
     Example global policy:
-    
+
         # config/initializers/content_security_policy.rb
-        Rails.application.config.content_security_policy do
+        Rails.application.config.content_security_policy do |p|
           p.default_src :self, :https
           p.font_src    :self, :https, :data
           p.img_src     :self, :https, :data
@@ -17,9 +17,9 @@
           p.script_src  :self, :https
           p.style_src   :self, :https, :unsafe_inline
         end
-    
+
     Example controller overrides:
-    
+
         # Override policy inline
         class PostsController < ApplicationController
           content_security_policy do |p|
@@ -40,22 +40,22 @@
             p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
           end
         end
-        
+
     Allows you to also only report content violations for migrating
     legacy content using the `content_security_policy_report_only`
     configuration attribute, e.g;
-    
+
         # config/initializers/content_security_policy.rb
         Rails.application.config.content_security_policy_report_only = true
-        
+
         # controller override
         class PostsController < ApplicationController
           self.content_security_policy_report_only = true
         end
-    
+
     Note that this feature does not validate the header for performance
     reasons since the header is calculated at runtime.
-    
+
     *Andrew White*
 
 *   Make `assert_recognizes` to traverse mounted engines
-- 
cgit v1.2.3


From cceeeb6e57f1cf8b24d507e2da9ed85d374c8bc5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
 <rafaelmfranca@gmail.com>
Date: Mon, 27 Nov 2017 13:01:15 -0500
Subject: Preparing for 5.2.0.beta1 release

---
 actionpack/CHANGELOG.md                   | 2 ++
 actionpack/lib/action_pack/gem_version.rb | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

(limited to 'actionpack')

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 1843f058e0..968d4bb0f8 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,5 @@
+## Rails 5.2.0.beta1 (November 27, 2017) ##
+
 *   Add DSL for configuring Content-Security-Policy header
 
     The DSL allows you to configure a global Content-Security-Policy
diff --git a/actionpack/lib/action_pack/gem_version.rb b/actionpack/lib/action_pack/gem_version.rb
index 28bc153f4d..cfced715fd 100644
--- a/actionpack/lib/action_pack/gem_version.rb
+++ b/actionpack/lib/action_pack/gem_version.rb
@@ -10,7 +10,7 @@ module ActionPack
     MAJOR = 5
     MINOR = 2
     TINY  = 0
-    PRE   = "alpha"
+    PRE   = "beta1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
-- 
cgit v1.2.3


From 00c0e4001cc875a51938a3086129b4dc275eef93 Mon Sep 17 00:00:00 2001
From: Andrew White <andrew.white@unboxed.co>
Date: Tue, 28 Nov 2017 15:58:18 +0000
Subject: Fix optimized url helpers when using relative url root

Fixes #31220.
---
 actionpack/CHANGELOG.md                            |  7 ++++
 .../lib/action_dispatch/routing/route_set.rb       | 10 ++++++
 actionpack/test/dispatch/routing_test.rb           | 37 ++++++++++++++++++++++
 3 files changed, 54 insertions(+)

(limited to 'actionpack')

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 968d4bb0f8..1b7b590877 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,10 @@
+*   Fix optimized url helpers when using relative url root
+
+    Fixes #31220.
+
+    *Andrew White*
+
+
 ## Rails 5.2.0.beta1 (November 27, 2017) ##
 
 *   Add DSL for configuring Content-Security-Policy header
diff --git a/actionpack/lib/action_dispatch/routing/route_set.rb b/actionpack/lib/action_dispatch/routing/route_set.rb
index 987e709f6f..9eff30fa53 100644
--- a/actionpack/lib/action_dispatch/routing/route_set.rb
+++ b/actionpack/lib/action_dispatch/routing/route_set.rb
@@ -199,6 +199,16 @@ module ActionDispatch
               if args.size == arg_size && !inner_options && optimize_routes_generation?(t)
                 options = t.url_options.merge @options
                 options[:path] = optimized_helper(args)
+
+                original_script_name = options.delete(:original_script_name)
+                script_name = t._routes.find_script_name(options)
+
+                if original_script_name
+                  script_name = original_script_name + script_name
+                end
+
+                options[:script_name] = script_name
+
                 url_strategy.call options
               else
                 super
diff --git a/actionpack/test/dispatch/routing_test.rb b/actionpack/test/dispatch/routing_test.rb
index 44f902c163..b2d2bf0416 100644
--- a/actionpack/test/dispatch/routing_test.rb
+++ b/actionpack/test/dispatch/routing_test.rb
@@ -5057,3 +5057,40 @@ class TestRecognizePath < ActionDispatch::IntegrationTest
       Routes.recognize_path(*args)
     end
 end
+
+class TestRelativeUrlRootGeneration < ActionDispatch::IntegrationTest
+  config = ActionDispatch::Routing::RouteSet::Config.new("/blog", false)
+
+  stub_controllers(config) do |routes|
+    Routes = routes
+
+    routes.draw do
+      get "/", to: "posts#index", as: :posts
+      get "/:id", to: "posts#show", as: :post
+    end
+  end
+
+  include Routes.url_helpers
+
+  APP = build_app Routes
+
+  def app
+    APP
+  end
+
+  def test_url_helpers
+    assert_equal "/blog/", posts_path({})
+    assert_equal "/blog/", Routes.url_helpers.posts_path({})
+
+    assert_equal "/blog/1", post_path(id: "1")
+    assert_equal "/blog/1", Routes.url_helpers.post_path(id: "1")
+  end
+
+  def test_optimized_url_helpers
+    assert_equal "/blog/", posts_path
+    assert_equal "/blog/", Routes.url_helpers.posts_path
+
+    assert_equal "/blog/1", post_path("1")
+    assert_equal "/blog/1", Routes.url_helpers.post_path("1")
+  end
+end
-- 
cgit v1.2.3


From 37cf9b34667965402e804d75a78ccdeeb7d55166 Mon Sep 17 00:00:00 2001
From: Fatos Morina <fatosi.morina@gmail.com>
Date: Tue, 28 Nov 2017 19:27:43 +0100
Subject: Fix typos and add a few suggestions

---
 actionpack/README.rdoc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'actionpack')

diff --git a/actionpack/README.rdoc b/actionpack/README.rdoc
index 93b2a0932a..f56230ffa0 100644
--- a/actionpack/README.rdoc
+++ b/actionpack/README.rdoc
@@ -30,7 +30,7 @@ The latest version of Action Pack can be installed with RubyGems:
 
   $ gem install actionpack
 
-Source code can be downloaded as part of the Rails project on GitHub
+Source code can be downloaded as part of the Rails project on GitHub:
 
 * https://github.com/rails/rails/tree/master/actionpack
 
@@ -44,11 +44,11 @@ Action Pack is released under the MIT license:
 
 == Support
 
-API documentation is at
+API documentation is at:
 
 * http://api.rubyonrails.org
 
-Bug reports can be filed for the Ruby on Rails project here:
+Bug reports for the Ruby on Rails project can be filed here:
 
 * https://github.com/rails/rails/issues
 
-- 
cgit v1.2.3


From 2837d0f3347e747a8c12bd3c097bc7282072d42b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
 <rafaelmfranca@gmail.com>
Date: Tue, 28 Nov 2017 00:01:45 -0500
Subject: Preparing for 5.2.0.beta2 release

---
 actionpack/CHANGELOG.md                   | 5 +++++
 actionpack/lib/action_pack/gem_version.rb | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

(limited to 'actionpack')

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 1b7b590877..2232767c05 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -5,6 +5,11 @@
     *Andrew White*
 
 
+## Rails 5.2.0.beta2 (November 28, 2017) ##
+
+*   No changes.
+
+
 ## Rails 5.2.0.beta1 (November 27, 2017) ##
 
 *   Add DSL for configuring Content-Security-Policy header
diff --git a/actionpack/lib/action_pack/gem_version.rb b/actionpack/lib/action_pack/gem_version.rb
index cfced715fd..97f4934b58 100644
--- a/actionpack/lib/action_pack/gem_version.rb
+++ b/actionpack/lib/action_pack/gem_version.rb
@@ -10,7 +10,7 @@ module ActionPack
     MAJOR = 5
     MINOR = 2
     TINY  = 0
-    PRE   = "beta1"
+    PRE   = "beta2"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
-- 
cgit v1.2.3


From 729a3da0bb5993a4464ebdebcce8be3635b7f765 Mon Sep 17 00:00:00 2001
From: Guillermo Iguaran <guilleiguaran@gmail.com>
Date: Tue, 28 Nov 2017 01:09:06 -0500
Subject: Register most popular audio/video/font mime types supported by modern
 browsers

---
 actionpack/CHANGELOG.md                           |  4 ++++
 actionpack/lib/action_dispatch/http/mime_types.rb | 20 +++++++++++++++++++-
 actionpack/test/dispatch/mime_type_test.rb        | 12 ++++++------
 3 files changed, 29 insertions(+), 7 deletions(-)

(limited to 'actionpack')

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 2232767c05..c8fb34ed52 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,7 @@
+*   Register most popular audio/video/font mime types supported by modern browsers.
+
+    *Guillermo Iguaran*
+
 *   Fix optimized url helpers when using relative url root
 
     Fixes #31220.
diff --git a/actionpack/lib/action_dispatch/http/mime_types.rb b/actionpack/lib/action_dispatch/http/mime_types.rb
index f8e6fca36d..9f8db397fd 100644
--- a/actionpack/lib/action_dispatch/http/mime_types.rb
+++ b/actionpack/lib/action_dispatch/http/mime_types.rb
@@ -10,6 +10,7 @@ Mime::Type.register "text/css", :css
 Mime::Type.register "text/calendar", :ics
 Mime::Type.register "text/csv", :csv
 Mime::Type.register "text/vcard", :vcf
+Mime::Type.register "text/vtt", :vtt, %w(vtt)
 
 Mime::Type.register "image/png", :png, [], %w(png)
 Mime::Type.register "image/jpeg", :jpeg, [], %w(jpg jpeg jpe pjpeg)
@@ -17,8 +18,25 @@ Mime::Type.register "image/gif", :gif, [], %w(gif)
 Mime::Type.register "image/bmp", :bmp, [], %w(bmp)
 Mime::Type.register "image/tiff", :tiff, [], %w(tif tiff)
 Mime::Type.register "image/svg+xml", :svg
+Mime::Type.register "image/webp", :webp, [], %w(webp)
 
-Mime::Type.register "video/mpeg", :mpeg, [], %w(mpg mpeg mpe)
+Mime::Type.register "audio/mpeg", :mpg, [], %w(mp1 mp2 mp3)
+Mime::Type.register "audio/webm", :weba, [], %w(weba)
+Mime::Type.register "audio/ogg", :ogg, [], %w(oga ogg spx opus)
+Mime::Type.register "audio/aac", :acc, [], %w(aac)
+Mime::Type.register "audio/mp4", :mp4, [], %w(m4a mpg4)
+Mime::Type.register "audio/flac", :flac, [], %w(flac)
+
+Mime::Type.register "video/webm", :webm, [], %w(webm)
+Mime::Type.register "video/mp4", :mp4, [], %w(mp4 m4v)
+Mime::Type.register "video/ogg", :ogv, [], %w(ogv)
+
+Mime::Type.register "application/ogx", :ogx, [], %w(ogx)
+
+Mime::Type.register "font/otf", :otf, [], %w(otf)
+Mime::Type.register "font/ttf", :ttf, [], %w(ttf)
+Mime::Type.register "font/woff", :woff, [], %w(woff)
+Mime::Type.register "font/woff2", :woff2, [], %w(woff2)
 
 Mime::Type.register "application/xml", :xml, %w( text/xml application/x-xml )
 Mime::Type.register "application/rss+xml", :rss
diff --git a/actionpack/test/dispatch/mime_type_test.rb b/actionpack/test/dispatch/mime_type_test.rb
index 90e95e972d..c0b4034d28 100644
--- a/actionpack/test/dispatch/mime_type_test.rb
+++ b/actionpack/test/dispatch/mime_type_test.rb
@@ -30,28 +30,28 @@ class MimeTypeTest < ActiveSupport::TestCase
 
   test "parse text with trailing star at the beginning" do
     accept = "text/*, text/html, application/json, multipart/form-data"
-    expect = [Mime[:html], Mime[:text], Mime[:js], Mime[:css], Mime[:ics], Mime[:csv], Mime[:vcf], Mime[:xml], Mime[:yaml], Mime[:json], Mime[:multipart_form]]
+    expect = [Mime[:html], Mime[:text], Mime[:js], Mime[:css], Mime[:ics], Mime[:csv], Mime[:vcf], Mime[:vtt], Mime[:xml], Mime[:yaml], Mime[:json], Mime[:multipart_form]]
     parsed = Mime::Type.parse(accept)
-    assert_equal expect, parsed
+    assert_equal expect.map(&:to_s), parsed.map(&:to_s)
   end
 
   test "parse text with trailing star in the end" do
     accept = "text/html, application/json, multipart/form-data, text/*"
-    expect = [Mime[:html], Mime[:json], Mime[:multipart_form], Mime[:text], Mime[:js], Mime[:css], Mime[:ics], Mime[:csv], Mime[:vcf], Mime[:xml], Mime[:yaml]]
+    expect = [Mime[:html], Mime[:json], Mime[:multipart_form], Mime[:text], Mime[:js], Mime[:css], Mime[:ics], Mime[:csv], Mime[:vcf], Mime[:vtt], Mime[:xml], Mime[:yaml]]
     parsed = Mime::Type.parse(accept)
-    assert_equal expect, parsed
+    assert_equal expect.map(&:to_s), parsed.map(&:to_s)
   end
 
   test "parse text with trailing star" do
     accept = "text/*"
-    expect = [Mime[:html], Mime[:text], Mime[:js], Mime[:css], Mime[:ics], Mime[:csv], Mime[:vcf], Mime[:xml], Mime[:yaml], Mime[:json]]
+    expect = [Mime[:html], Mime[:text], Mime[:js], Mime[:css], Mime[:ics], Mime[:csv], Mime[:vcf], Mime[:vtt], Mime[:xml], Mime[:yaml], Mime[:json]]
     parsed = Mime::Type.parse(accept)
     assert_equal expect.map(&:to_s).sort!, parsed.map(&:to_s).sort!
   end
 
   test "parse application with trailing star" do
     accept = "application/*"
-    expect = [Mime[:html], Mime[:js], Mime[:xml], Mime[:rss], Mime[:atom], Mime[:yaml], Mime[:url_encoded_form], Mime[:json], Mime[:pdf], Mime[:zip], Mime[:gzip]]
+    expect = [Mime[:html], Mime[:js], Mime[:xml], Mime[:rss], Mime[:atom], Mime[:yaml], Mime[:url_encoded_form], Mime[:json], Mime[:pdf], Mime[:zip], Mime[:gzip], Mime[:ogx]]
     parsed = Mime::Type.parse(accept)
     assert_equal expect.map(&:to_s).sort!, parsed.map(&:to_s).sort!
   end
-- 
cgit v1.2.3


From af10a39f88488109cecc6e425e08c083a7e55289 Mon Sep 17 00:00:00 2001
From: Guillermo Iguaran <guilleiguaran@gmail.com>
Date: Tue, 28 Nov 2017 21:15:01 -0500
Subject: Update send_file headers test to use mp4 as example instead of mpg

---
 actionpack/test/controller/send_file_test.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'actionpack')

diff --git a/actionpack/test/controller/send_file_test.rb b/actionpack/test/controller/send_file_test.rb
index fd2399e433..7b1a52b277 100644
--- a/actionpack/test/controller/send_file_test.rb
+++ b/actionpack/test/controller/send_file_test.rb
@@ -178,7 +178,7 @@ class SendFileTest < ActionController::TestCase
       "image.jpg" => "image/jpeg",
       "image.tif" => "image/tiff",
       "image.gif" => "image/gif",
-      "movie.mpg" => "video/mpeg",
+      "movie.mp4" => "video/mp4",
       "file.zip" => "application/zip",
       "file.unk" => "application/octet-stream",
       "zip" => "application/octet-stream"
-- 
cgit v1.2.3


From f128177eb701373326a3ae91651bf291d0fd245c Mon Sep 17 00:00:00 2001
From: Guillermo Iguaran <guilleiguaran@gmail.com>
Date: Wed, 29 Nov 2017 01:37:48 -0500
Subject: Register "audio/mp4" mime type with :m4a symbol

---
 actionpack/lib/action_dispatch/http/mime_types.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_dispatch/http/mime_types.rb b/actionpack/lib/action_dispatch/http/mime_types.rb
index 9f8db397fd..cc41bdda5a 100644
--- a/actionpack/lib/action_dispatch/http/mime_types.rb
+++ b/actionpack/lib/action_dispatch/http/mime_types.rb
@@ -24,7 +24,7 @@ Mime::Type.register "audio/mpeg", :mpg, [], %w(mp1 mp2 mp3)
 Mime::Type.register "audio/webm", :weba, [], %w(weba)
 Mime::Type.register "audio/ogg", :ogg, [], %w(oga ogg spx opus)
 Mime::Type.register "audio/aac", :acc, [], %w(aac)
-Mime::Type.register "audio/mp4", :mp4, [], %w(m4a mpg4)
+Mime::Type.register "audio/mp4", :m4a, [], %w(m4a mpg4)
 Mime::Type.register "audio/flac", :flac, [], %w(flac)
 
 Mime::Type.register "video/webm", :webm, [], %w(webm)
-- 
cgit v1.2.3


From 0061e0cd28438f4f3f334c5a75eb292e5f110262 Mon Sep 17 00:00:00 2001
From: Guillermo Iguaran <guilleiguaran@gmail.com>
Date: Wed, 29 Nov 2017 02:29:33 -0500
Subject: Restore mpeg mime type, delete less common mime types

See discussion in #31251
---
 actionpack/lib/action_dispatch/http/mime_types.rb | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_dispatch/http/mime_types.rb b/actionpack/lib/action_dispatch/http/mime_types.rb
index cc41bdda5a..6d703cb6b1 100644
--- a/actionpack/lib/action_dispatch/http/mime_types.rb
+++ b/actionpack/lib/action_dispatch/http/mime_types.rb
@@ -18,20 +18,15 @@ Mime::Type.register "image/gif", :gif, [], %w(gif)
 Mime::Type.register "image/bmp", :bmp, [], %w(bmp)
 Mime::Type.register "image/tiff", :tiff, [], %w(tif tiff)
 Mime::Type.register "image/svg+xml", :svg
-Mime::Type.register "image/webp", :webp, [], %w(webp)
 
-Mime::Type.register "audio/mpeg", :mpg, [], %w(mp1 mp2 mp3)
-Mime::Type.register "audio/webm", :weba, [], %w(weba)
+Mime::Type.register "video/mpeg", :mpeg, [], %w(mpg mpeg mpe)
+
+Mime::Type.register "audio/mpeg", :mp3, [], %w(mp1 mp2 mp3)
 Mime::Type.register "audio/ogg", :ogg, [], %w(oga ogg spx opus)
-Mime::Type.register "audio/aac", :acc, [], %w(aac)
-Mime::Type.register "audio/mp4", :m4a, [], %w(m4a mpg4)
-Mime::Type.register "audio/flac", :flac, [], %w(flac)
+Mime::Type.register "audio/aac", :m4a, %( audio/mp4 ), %w(m4a mpg4 aac)
 
 Mime::Type.register "video/webm", :webm, [], %w(webm)
 Mime::Type.register "video/mp4", :mp4, [], %w(mp4 m4v)
-Mime::Type.register "video/ogg", :ogv, [], %w(ogv)
-
-Mime::Type.register "application/ogx", :ogx, [], %w(ogx)
 
 Mime::Type.register "font/otf", :otf, [], %w(otf)
 Mime::Type.register "font/ttf", :ttf, [], %w(ttf)
-- 
cgit v1.2.3


From d41d586e4e00990a8b5e1e62b75857fea0effaf4 Mon Sep 17 00:00:00 2001
From: Guillermo Iguaran <guilleiguaran@gmail.com>
Date: Wed, 29 Nov 2017 02:37:39 -0500
Subject: Fix typo in mime type registering

---
 actionpack/lib/action_dispatch/http/mime_types.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_dispatch/http/mime_types.rb b/actionpack/lib/action_dispatch/http/mime_types.rb
index 6d703cb6b1..342e6de312 100644
--- a/actionpack/lib/action_dispatch/http/mime_types.rb
+++ b/actionpack/lib/action_dispatch/http/mime_types.rb
@@ -23,7 +23,7 @@ Mime::Type.register "video/mpeg", :mpeg, [], %w(mpg mpeg mpe)
 
 Mime::Type.register "audio/mpeg", :mp3, [], %w(mp1 mp2 mp3)
 Mime::Type.register "audio/ogg", :ogg, [], %w(oga ogg spx opus)
-Mime::Type.register "audio/aac", :m4a, %( audio/mp4 ), %w(m4a mpg4 aac)
+Mime::Type.register "audio/aac", :m4a, %w( audio/mp4 ), %w(m4a mpg4 aac)
 
 Mime::Type.register "video/webm", :webm, [], %w(webm)
 Mime::Type.register "video/mp4", :mp4, [], %w(mp4 m4v)
-- 
cgit v1.2.3


From e3d658e319bd0ab179fc0e12329ed4dc18bce584 Mon Sep 17 00:00:00 2001
From: Guillermo Iguaran <guilleiguaran@gmail.com>
Date: Wed, 29 Nov 2017 02:51:31 -0500
Subject: Fix tests: Remove ogx mime type from tests

---
 actionpack/test/dispatch/mime_type_test.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'actionpack')

diff --git a/actionpack/test/dispatch/mime_type_test.rb b/actionpack/test/dispatch/mime_type_test.rb
index c0b4034d28..6854783386 100644
--- a/actionpack/test/dispatch/mime_type_test.rb
+++ b/actionpack/test/dispatch/mime_type_test.rb
@@ -51,7 +51,7 @@ class MimeTypeTest < ActiveSupport::TestCase
 
   test "parse application with trailing star" do
     accept = "application/*"
-    expect = [Mime[:html], Mime[:js], Mime[:xml], Mime[:rss], Mime[:atom], Mime[:yaml], Mime[:url_encoded_form], Mime[:json], Mime[:pdf], Mime[:zip], Mime[:gzip], Mime[:ogx]]
+    expect = [Mime[:html], Mime[:js], Mime[:xml], Mime[:rss], Mime[:atom], Mime[:yaml], Mime[:url_encoded_form], Mime[:json], Mime[:pdf], Mime[:zip], Mime[:gzip]]
     parsed = Mime::Type.parse(accept)
     assert_equal expect.map(&:to_s).sort!, parsed.map(&:to_s).sort!
   end
-- 
cgit v1.2.3


From 9d6e288ee96d6241f864dbf90211c37b14a57632 Mon Sep 17 00:00:00 2001
From: eileencodes <eileencodes@gmail.com>
Date: Wed, 29 Nov 2017 10:54:56 -0500
Subject: Make screenshots default to "simple" format

Not everyone uses iTerm2 and whereas Terminal.app on a mac just ignores
that and outputs the path, other terminals like those on Ubuntu do not.
A friendlier default is one that works by default.

Closes #31159
Closes #30957
---
 .../system_testing/test_helpers/screenshot_helper.rb     | 16 ++++++----------
 .../dispatch/system_testing/screenshot_helper_test.rb    |  7 +++++++
 2 files changed, 13 insertions(+), 10 deletions(-)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb b/actionpack/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb
index 6c337cdc31..df0c5d3f0e 100644
--- a/actionpack/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb
+++ b/actionpack/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb
@@ -15,12 +15,11 @@ module ActionDispatch
         #
         # You can set the +RAILS_SYSTEM_TESTING_SCREENSHOT+ environment variable to
         # control the output. Possible values are:
-        # * [+inline+ (default)]    display the screenshot in the terminal using the
+        # * [+simple+ (default)]    Only displays the screenshot path.
+        #                           This is the default value.
+        # * [+inline+]              Display the screenshot in the terminal using the
         #                           iTerm image protocol (https://iterm2.com/documentation-images.html).
-        # * [+simple+]              only display the screenshot path.
-        #                           This is the default value if the +CI+ environment variables
-        #                           is defined.
-        # * [+artifact+]            display the screenshot in the terminal, using the terminal
+        # * [+artifact+]            Display the screenshot in the terminal, using the terminal
         #                           artifact format (https://buildkite.github.io/terminal/inline-images/).
         def take_screenshot
           save_image
@@ -59,11 +58,8 @@ module ActionDispatch
             # Environment variables have priority
             output_type = ENV["RAILS_SYSTEM_TESTING_SCREENSHOT"] || ENV["CAPYBARA_INLINE_SCREENSHOT"]
 
-            # If running in a CI environment, default to simple
-            output_type ||= "simple" if ENV["CI"]
-
-            # Default
-            output_type ||= "inline"
+            # Default to outputting a path to the screenshot
+            output_type ||= "simple"
 
             output_type
           end
diff --git a/actionpack/test/dispatch/system_testing/screenshot_helper_test.rb b/actionpack/test/dispatch/system_testing/screenshot_helper_test.rb
index 2afda31cf5..264844fc7d 100644
--- a/actionpack/test/dispatch/system_testing/screenshot_helper_test.rb
+++ b/actionpack/test/dispatch/system_testing/screenshot_helper_test.rb
@@ -35,6 +35,11 @@ class ScreenshotHelperTest < ActiveSupport::TestCase
     end
   end
 
+  test "defaults to simple output for the screenshot" do
+    new_test = DrivenBySeleniumWithChrome.new("x")
+    assert_equal "simple", new_test.send(:output_type)
+  end
+
   test "display_image return artifact format when specify RAILS_SYSTEM_TESTING_SCREENSHOT environment" do
     begin
       original_output_type = ENV["RAILS_SYSTEM_TESTING_SCREENSHOT"]
@@ -42,6 +47,8 @@ class ScreenshotHelperTest < ActiveSupport::TestCase
 
       new_test = DrivenBySeleniumWithChrome.new("x")
 
+      assert_equal "artifact", new_test.send(:output_type)
+
       Rails.stub :root, Pathname.getwd do
         new_test.stub :passed?, false do
           assert_match %r|url=artifact://.+?tmp/screenshots/failures_x\.png|, new_test.send(:display_image)
-- 
cgit v1.2.3