From c113bdc9d0c2cffd535ca97aff85c4bdc46b11f6 Mon Sep 17 00:00:00 2001
From: Guillermo Iguaran <guilleiguaran@gmail.com>
Date: Sat, 24 Feb 2018 18:08:38 -0500
Subject: Support for automatic nonce generation was backported to 5.2

---
 actionpack/CHANGELOG.md | 28 ----------------------------
 1 file changed, 28 deletions(-)


diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 98bf9c944b..cd419b68f7 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,33 +1,5 @@
 ## Rails 6.0.0.alpha (Unreleased) ##
 
-*   Add support for automatic nonce generation for Rails UJS
-
-    Because the UJS library creates a script tag to process responses it
-    normally requires the script-src attribute of the content security
-    policy to include 'unsafe-inline'.
-
-    To work around this we generate a per-request nonce value that is
-    embedded in a meta tag in a similar fashion to how CSRF protection
-    embeds its token in a meta tag. The UJS library can then read the
-    nonce value and set it on the dynamically generated script tag to
-    enable it to execute without needing 'unsafe-inline' enabled.
-
-    Nonce generation isn't 100% safe - if your script tag is including
-    user generated content in someway then it may be possible to exploit
-    an XSS vulnerability which can take advantage of the nonce. It is
-    however an improvement on a blanket permission for inline scripts.
-
-    It is also possible to use the nonce within your own script tags by
-    using `nonce: true` to set the nonce value on the tag, e.g
-
-        <%= javascript_tag nonce: true do %>
-          alert('Hello, World!');
-        <% end %>
-
-    Fixes #31689.
-
-    *Andrew White*
-
 *   Rails 6 requires Ruby 2.4.1 or newer.
 
     *Jeremy Daer*
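Review bot: This hunk deletes the only changelog record of the Rails UJS nonce feature on this branch, including the `javascript_tag nonce: true` usage example and the caveat that "Nonce generation isn't 100% safe" when user-generated content reaches a script tag, yet the patch itself only touches `actionpack/CHANGELOG.md` here and carries nothing that shows the 5.2 backport. Before merging, confirm that the entry (with the `Fixes #31689.` reference and the XSS caveat intact) is present in the 5-2-stable CHANGELOG, and consider noting the backport commit in the message so that a reader of the 6.0 history can find where the feature is documented.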