Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Discuss Action Pack's new CSRF protection from remote script tags and…

… what it means for your app. In short, update your tests if they don't already use the 'xhr :post' style.
  • Loading branch information...
commit 626ced225cd88d29557d2e6e2dbaed1db5c7ea7f 1 parent cf56dcf
Jeremy Kemper jeremy authored
Showing with 146 additions and 132 deletions.
  1. +146 −132 guides/source/4_1_release_notes.md
278 guides/source/4_1_release_notes.md
View
@@ -222,6 +222,17 @@ This example is equivalent to defining a `EventTracking` module inline,
extending it with `ActiveSupport::Concern`, then mixing it in to the
`Todo` class.
+### CSRF protection from remote `<script>` tags
+
+Cross-site request forgery (CSRF) protection now covers GET requests with
+JavaScript responses, too. That prevents a third-party site from referencing
+your JavaScript URL and attempting to run it to extract sensitive data.
+
+This means any of your tests that hit `.js` URLs will now fail CSRF protection
+unless they use `xhr`. Upgrade your tests to be explicit about expecting
+XmlHttpRequests. Instead of `post :create, format: :js`, switch to the explicit
+`xhr :post, :create, format: :js`.
+
Railties
--------
@@ -262,138 +273,6 @@ for detailed changes.
* Add `Application#message_verifier` method to return a message
verifier. ([Pull Request](https://github.com/rails/rails/pull/12995))
-Action Mailer
--------------
-
-Please refer to the
-[Changelog](https://github.com/rails/rails/blob/4-1-stable/actionmailer/CHANGELOG.md)
-for detailed changes.
-
-### Notable changes
-
-* Instrument the generation of Action Mailer messages. The time it takes to
- generate a message is written to the log. ([Pull Request](https://github.com/rails/rails/pull/12556))
-
-
-Active Model
-------------
-
-Please refer to the
-[Changelog](https://github.com/rails/rails/blob/4-1-stable/activemodel/CHANGELOG.md)
-for detailed changes.
-
-### Deprecations
-
-* Deprecate `Validator#setup`. This should be done manually now in the
- validator's constructor. ([Commit](https://github.com/rails/rails/commit/7d84c3a2f7ede0e8d04540e9c0640de7378e9b3a))
-
-### Notable changes
-
-* Added new API methods `reset_changes` and `changes_applied` to
- `ActiveModel::Dirty` that control changes state.
-
-
-Active Support
---------------
-
-Please refer to the
-[Changelog](https://github.com/rails/rails/blob/4-1-stable/activesupport/CHANGELOG.md)
-for detailed changes.
-
-
-### Removals
-
-* Removed `MultiJSON` dependency. As a result, `ActiveSupport::JSON.decode`
- no longer accepts an options hash for `MultiJSON`. ([Pull Request](https://github.com/rails/rails/pull/10576) / [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
-
-* Removed support for the `encode_json` hook used for encoding custom objects into
- JSON. This feature has been extracted into the [activesupport-json_encoder](https://github.com/rails/activesupport-json_encoder)
- gem.
- ([Related Pull Request](https://github.com/rails/rails/pull/12183) /
- [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
-
-* Removed deprecated `ActiveSupport::JSON::Variable` with no replacement.
-
-* Removed deprecated `String#encoding_aware?` core extensions (`core_ext/string/encoding`).
-
-* Removed deprecated `Module#local_constant_names` in favor of `Module#local_constants`.
-
-* Removed deprecated `DateTime.local_offset` in favor of `DateTime.civil_from_fromat`.
-
-* Removed deprecated `Logger` core extensions (`core_ext/logger.rb`).
-
-* Removed deprecated `Time#time_with_datetime_fallback`, `Time#utc_time` and
- `Time#local_time` in favor of `Time#utc` and `Time#local`.
-
-* Removed deprecated `Hash#diff` with no replacement.
-
-* Removed deprecated `Date#to_time_in_current_zone` in favor of `Date#in_time_zone`.
-
-* Removed deprecated `Proc#bind` with no replacement.
-
-* Removed deprecated `Array#uniq_by` and `Array#uniq_by!`, use native
- `Array#uniq` and `Array#uniq!` instead.
-
-* Removed deprecated `ActiveSupport::BasicObject`, use
- `ActiveSupport::ProxyObject` instead.
-
-* Removed deprecated `BufferedLogger`, use `ActiveSupport::Logger` instead.
-
-* Removed deprecated `assert_present` and `assert_blank` methods, use `assert
- object.blank?` and `assert object.present?` instead.
-
-### Deprecations
-
-* Deprecated `Numeric#{ago,until,since,from_now}`, the user is expected to
- explicitly convert the value into an AS::Duration, i.e. `5.ago` => `5.seconds.ago`
- ([Pull Request](https://github.com/rails/rails/pull/12389))
-
-* Deprecated the require path `active_support/core_ext/object/to_json`. Require
- `active_support/core_ext/object/json` instead. ([Pull Request](https://github.com/rails/rails/pull/12203))
-
-* Deprecated `ActiveSupport::JSON::Encoding::CircularReferenceError`. This feature
- has been extracted into the [activesupport-json_encoder](https://github.com/rails/activesupport-json_encoder)
- gem.
- ([Pull Request](https://github.com/rails/rails/pull/12785) /
- [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
-
-* Deprecated `ActiveSupport.encode_big_decimal_as_string` option. This feature has
- been extracetd into the [activesupport-json_encoder](https://github.com/rails/activesupport-json_encoder)
- gem.
- ([Pull Request](https://github.com/rails/rails/pull/13060) /
- [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
-
-### Notable changes
-
-* `ActiveSupport`'s JSON encoder has been rewritten to take advantage of the
- JSON gem rather than doing custom encoding in pure-Ruby.
- ([Pull Request](https://github.com/rails/rails/pull/12183) /
- [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
-
-* Improved compatibility with the JSON gem.
- ([Pull Request](https://github.com/rails/rails/pull/12862) /
- [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
-
-* Added `ActiveSupport::Testing::TimeHelpers#travel` and `#travel_to`. These
- methods change current time to the given time or time difference by stubbing
- `Time.now` and
- `Date.today`. ([Pull Request](https://github.com/rails/rails/pull/12824))
-
-* Added `Numeric#in_milliseconds`, like `1.hour.in_milliseconds`, so we can feed
- them to JavaScript functions like
- `getTime()`. ([Commit](https://github.com/rails/rails/commit/423249504a2b468d7a273cbe6accf4f21cb0e643))
-
-* Added `Date#middle_of_day`, `DateTime#middle_of_day` and `Time#middle_of_day`
- methods. Also added `midday`, `noon`, `at_midday`, `at_noon` and
- `at_middle_of_day` as
- aliases. ([Pull Request](https://github.com/rails/rails/pull/10879))
-
-* Added `String#remove(pattern)` as a short-hand for the common pattern of
- `String#gsub(pattern,'')`. ([Commit](https://github.com/rails/rails/commit/5da23a3f921f0a4a3139495d2779ab0d3bd4cb5f))
-
-* Removed 'cow' => 'kine' irregular inflection from default
- inflections. ([Commit](https://github.com/rails/rails/commit/c300dca9963bda78b8f358dbcb59cabcdc5e1dc9))
-
Action Pack
-----------
@@ -423,6 +302,11 @@ for detailed changes.
### Notable changes
+* `protect_from_forgery` also prevents cross-origin `<script>` tags.
+ Update your tests to use `xhr :get, :foo, format: :js` instead of
+ `get :foo, format: :js`.
+ ([Pull Request](https://github.com/rails/rails/pull/13345))
+
* `#url_for` takes a hash with options inside an
array. ([Pull Request](https://github.com/rails/rails/pull/9599))
@@ -434,6 +318,17 @@ for detailed changes.
* Separated Action View completely from Action
Pack. ([Pull Request](https://github.com/rails/rails/pull/11032))
+Action Mailer
+-------------
+
+Please refer to the
+[Changelog](https://github.com/rails/rails/blob/4-1-stable/actionmailer/CHANGELOG.md)
+for detailed changes.
+
+### Notable changes
+
+* Instrument the generation of Action Mailer messages. The time it takes to
+ generate a message is written to the log. ([Pull Request](https://github.com/rails/rails/pull/12556))
Active Record
-------------
@@ -578,6 +473,125 @@ for detailed changes.
object. Helper methods used by multiple fixtures should be defined on modules
included in `ActiveRecord::FixtureSet.context_class`. ([Pull Request](https://github.com/rails/rails/pull/13022))
+Active Model
+------------
+
+Please refer to the
+[Changelog](https://github.com/rails/rails/blob/4-1-stable/activemodel/CHANGELOG.md)
+for detailed changes.
+
+### Deprecations
+
+* Deprecate `Validator#setup`. This should be done manually now in the
+ validator's constructor. ([Commit](https://github.com/rails/rails/commit/7d84c3a2f7ede0e8d04540e9c0640de7378e9b3a))
+
+### Notable changes
+
+* Added new API methods `reset_changes` and `changes_applied` to
+ `ActiveModel::Dirty` that control changes state.
+
+
+Active Support
+--------------
+
+Please refer to the
+[Changelog](https://github.com/rails/rails/blob/4-1-stable/activesupport/CHANGELOG.md)
+for detailed changes.
+
+
+### Removals
+
+* Removed `MultiJSON` dependency. As a result, `ActiveSupport::JSON.decode`
+ no longer accepts an options hash for `MultiJSON`. ([Pull Request](https://github.com/rails/rails/pull/10576) / [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
+
+* Removed support for the `encode_json` hook used for encoding custom objects into
+ JSON. This feature has been extracted into the [activesupport-json_encoder](https://github.com/rails/activesupport-json_encoder)
+ gem.
+ ([Related Pull Request](https://github.com/rails/rails/pull/12183) /
+ [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
+
+* Removed deprecated `ActiveSupport::JSON::Variable` with no replacement.
+
+* Removed deprecated `String#encoding_aware?` core extensions (`core_ext/string/encoding`).
+
+* Removed deprecated `Module#local_constant_names` in favor of `Module#local_constants`.
+
+* Removed deprecated `DateTime.local_offset` in favor of `DateTime.civil_from_fromat`.
+
+* Removed deprecated `Logger` core extensions (`core_ext/logger.rb`).
+
+* Removed deprecated `Time#time_with_datetime_fallback`, `Time#utc_time` and
+ `Time#local_time` in favor of `Time#utc` and `Time#local`.
+
+* Removed deprecated `Hash#diff` with no replacement.
+
+* Removed deprecated `Date#to_time_in_current_zone` in favor of `Date#in_time_zone`.
+
+* Removed deprecated `Proc#bind` with no replacement.
+
+* Removed deprecated `Array#uniq_by` and `Array#uniq_by!`, use native
+ `Array#uniq` and `Array#uniq!` instead.
+
+* Removed deprecated `ActiveSupport::BasicObject`, use
+ `ActiveSupport::ProxyObject` instead.
+
+* Removed deprecated `BufferedLogger`, use `ActiveSupport::Logger` instead.
+
+* Removed deprecated `assert_present` and `assert_blank` methods, use `assert
+ object.blank?` and `assert object.present?` instead.
+
+### Deprecations
+
+* Deprecated `Numeric#{ago,until,since,from_now}`, the user is expected to
+ explicitly convert the value into an AS::Duration, i.e. `5.ago` => `5.seconds.ago`
+ ([Pull Request](https://github.com/rails/rails/pull/12389))
+
+* Deprecated the require path `active_support/core_ext/object/to_json`. Require
+ `active_support/core_ext/object/json` instead. ([Pull Request](https://github.com/rails/rails/pull/12203))
+
+* Deprecated `ActiveSupport::JSON::Encoding::CircularReferenceError`. This feature
+ has been extracted into the [activesupport-json_encoder](https://github.com/rails/activesupport-json_encoder)
+ gem.
+ ([Pull Request](https://github.com/rails/rails/pull/12785) /
+ [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
+
+* Deprecated `ActiveSupport.encode_big_decimal_as_string` option. This feature has
+ been extracetd into the [activesupport-json_encoder](https://github.com/rails/activesupport-json_encoder)
+ gem.
+ ([Pull Request](https://github.com/rails/rails/pull/13060) /
+ [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
+
+### Notable changes
+
+* `ActiveSupport`'s JSON encoder has been rewritten to take advantage of the
+ JSON gem rather than doing custom encoding in pure-Ruby.
+ ([Pull Request](https://github.com/rails/rails/pull/12183) /
+ [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
+
+* Improved compatibility with the JSON gem.
+ ([Pull Request](https://github.com/rails/rails/pull/12862) /
+ [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
+
+* Added `ActiveSupport::Testing::TimeHelpers#travel` and `#travel_to`. These
+ methods change current time to the given time or time difference by stubbing
+ `Time.now` and
+ `Date.today`. ([Pull Request](https://github.com/rails/rails/pull/12824))
+
+* Added `Numeric#in_milliseconds`, like `1.hour.in_milliseconds`, so we can feed
+ them to JavaScript functions like
+ `getTime()`. ([Commit](https://github.com/rails/rails/commit/423249504a2b468d7a273cbe6accf4f21cb0e643))
+
+* Added `Date#middle_of_day`, `DateTime#middle_of_day` and `Time#middle_of_day`
+ methods. Also added `midday`, `noon`, `at_midday`, `at_noon` and
+ `at_middle_of_day` as
+ aliases. ([Pull Request](https://github.com/rails/rails/pull/10879))
+
+* Added `String#remove(pattern)` as a short-hand for the common pattern of
+ `String#gsub(pattern,'')`. ([Commit](https://github.com/rails/rails/commit/5da23a3f921f0a4a3139495d2779ab0d3bd4cb5f))
+
+* Removed 'cow' => 'kine' irregular inflection from default
+ inflections. ([Commit](https://github.com/rails/rails/commit/c300dca9963bda78b8f358dbcb59cabcdc5e1dc9))
+
Credits
-------
Please sign in to comment.
Something went wrong with that request. Please try again.