-
Include the HTTP Permissions-Policy on non-HTML Content-Types [CVE-2024-28103]
Aaron Patterson, Zack Deveau
-
Fix
Mime::Type.parsehandling type parameters for HTTP Accept headers.Taylor Chaparro
-
Fix the error page that is displayed when a view template is missing to account for nested controller paths in the suggested correct location for the missing template.
Joshua Young
-
Add
save_and_open_pagehelper toIntegrationTest.save_and_open_pageis a helpful helper to keep a short feedback loop when working on system tests. A similar helper with matching signature has been added to integration tests.Joé Dupuis
-
Fix a regression in 7.1.3 passing a
to:option without a controller when the controller is already defined by a scope.Rails.application.routes.draw do controller :home do get "recent", to: "recent_posts" end end
Étienne Barrié
-
Request Forgery takes relative paths into account.
Stefan Wienert
-
Add ".test" as a default allowed host in development to ensure smooth golden-path setup with puma.dev.
DHH
-
Add
allow_browserto set minimum browser versions for the application.A browser that's blocked will by default be served the file in
public/406-unsupported-browser.htmlwith a HTTP status code of "406 Not Acceptable".class ApplicationController < ActionController::Base # Allow only browsers natively supporting webp images, web push, badges, import maps, CSS nesting + :has allow_browser versions: :modern end class ApplicationController < ActionController::Base # All versions of Chrome and Opera will be allowed, but no versions of "internet explorer" (ie). Safari needs to be 16.4+ and Firefox 121+. allow_browser versions: { safari: 16.4, firefox: 121, ie: false } end class MessagesController < ApplicationController # In addition to the browsers blocked by ApplicationController, also block Opera below 104 and Chrome below 119 for the show action. allow_browser versions: { opera: 104, chrome: 119 }, only: :show end
DHH
-
Add rate limiting API.
class SessionsController < ApplicationController rate_limit to: 10, within: 3.minutes, only: :create end class SignupsController < ApplicationController rate_limit to: 1000, within: 10.seconds, by: -> { request.domain }, with: -> { redirect_to busy_controller_url, alert: "Too many signups!" }, only: :new end
DHH, Jean Boussier
-
Add
image/svg+xmlto the compressible content types ofActionDispatch::Static.Georg Ledermann
-
Add instrumentation for
ActionController::Live#send_stream.Allows subscribing to
send_streamevents. The event payload contains the filename, disposition, and type.Hannah Ramadan
-
Add support for
with_routingtest helper inActionDispatch::IntegrationTest.Gannon McGibbon
-
Remove deprecated support to set
Rails.application.config.action_dispatch.show_exceptionstotrueandfalse.Rafael Mendonça França
-
Remove deprecated
speaker,vibrate, andvrpermissions policy directives.Rafael Mendonça França
-
Remove deprecated
Rails.application.config.action_dispatch.return_only_request_media_type_on_content_type.Rafael Mendonça França
-
Deprecate
Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality.Rafael Mendonça França
-
Remove deprecated comparison between
ActionController::ParametersandHash.Rafael Mendonça França
-
Remove deprecated constant
AbstractController::Helpers::MissingHelperError.Rafael Mendonça França
-
Fix a race condition that could cause a
Text file busy - chromedrivererror with parallel system tests.Matt Brictson
-
Add
raccas a dependency since it will become a bundled gem in Ruby 3.4.0Hartley McGuire
-
Remove deprecated constant
ActionDispatch::IllegalStateError.Rafael Mendonça França
-
Add parameter filter capability for redirect locations.
It uses the
config.filter_parametersto match what needs to be filtered. The result would be like this:Redirected to http://secret.foo.bar?username=roque&password=[FILTERED]Fixes #14055.
Roque Pinel, Trevor Turk, tonytonyjan
Please check 7-1-stable for previous changes.