- 19 Feb 2018, 15 commits
-
-
Submitted by Andrew White
Because the UJS library creates a script tag to process responses it normally requires the script-src attribute of the content security policy to include 'unsafe-inline'. To work around this we generate a per-request nonce value that is embedded in a meta tag in a similar fashion to how CSRF protection embeds its token in a meta tag. The UJS library can then read the nonce value and set it on the dynamically generated script tag to enable it to execute without needing 'unsafe-inline' enabled.

Nonce generation isn't 100% safe - if your script tag is including user generated content in some way then it may be possible to exploit an XSS vulnerability which can take advantage of the nonce. It is however an improvement on a blanket permission for inline scripts.

It is also possible to use the nonce within your own script tags by using `nonce: true` to set the nonce value on the tag, e.g.

```erb
<%= javascript_tag nonce: true do %>
  alert('Hello, World!');
<% end %>
```

Fixes #31689.
-
Submitted by Andrew White
Fix generation of empty content security policy
-
Submitted by Andrew White
Return all mappings for a timezone id in country_zones
-
Submitted by Andrew White
Although the spec[1] is defined in such a way that a trailing semi-colon is valid it also doesn't allow a semi-colon by itself to indicate an empty policy. Therefore it's easier (and valid) just to omit it rather than to detect whether the policy is empty or not. [1]: https://www.w3.org/TR/CSP2/#policy-syntax
-
Submitted by Andrew White
Setting up the request environment was accidentally creating a CSP as a consequence of accessing the option - only set the instance variable if a block is passed.
-
Submitted by Andrew White
This reverts commit 86f7c269, reversing changes made to 5ece2e4a. If a policy is set then we should generate it even if it's empty. However what is happening is that we're accidentally generating an empty policy when the initializer is commented out by default.
-
Submitted by Andrew White
Some timezones like `Europe/London` have multiple mappings in `ActiveSupport::TimeZone::MAPPING` so return all of them instead of the first one found by using `Hash#value`. e.g.:

```ruby
# Before
ActiveSupport::TimeZone.country_zones("GB") # => ["Edinburgh"]

# After
ActiveSupport::TimeZone.country_zones("GB") # => ["Edinburgh", "London"]
```

Fixes #31668.
-
Submitted by Ryuta Kamizono
rubocop single space after assignment
-
Submitted by Dixit Patel
-
Submitted by yuuji.yaginuma
Fixes #32021.
-
Submitted by Guillermo Iguaran
-
Submitted by Guillermo Iguaran
-
Submitted by Guillermo Iguaran
The purpose of keeping the app/views folder in API apps is that it's used for mailer views, so it doesn't make sense to keep it when Action Mailer is skipped.
-
Submitted by Kasper Timm Hansen
* Don't use :: for class methods, we don't do that elsewhere.
* Don't install a needless method on minitest. Prefer assigning the reporter anyway as that's what minitest does internally.
* Don't bother opting out when the reporter ain't a Minitest::CompositeReporter. It's hardcoded: https://github.com/seattlerb/minitest/blob/005a3ba42c07d04797e2d00ac2c53e3be127c12f/lib/minitest.rb#L125 And overrides have to create delegate reporters: https://github.com/kern/minitest-reporters/blob/1018b1b42f34b01d4de179c8aad2fa06771fe9b0/lib/minitest/minitest_reporter_plugin.rb#L72
-
Submitted by Guillermo Iguaran
Skip generating empty CSP header when no policy is configured
-
- 18 Feb 2018, 21 commits
-
-
Submitted by Ryuta Kamizono
-
Submitted by Kohei Suzuki
`Rails.application.config.content_security_policy` is configured with no policies by default. In this case, Content-Security-Policy header should not be generated instead of generating the header with no directives. Firefox also warns "Content Security Policy: Couldn't process unknown directive ''".
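The per-request nonce mechanism and the empty-policy rule described in the commits above, as an added Ruby example that is not Rails' own code: `CspPolicy`, `script_allowed?` and the other names are constructed here, and the `csp-nonce` meta tag name is an assumption.

```ruby
require "securerandom"

# Constructed example of a CSP builder with per-request nonces (not Rails' code).
class CspPolicy
  def initialize
    @directives = {} # directive name => list of source expressions
  end

  def directive(name, *sources)
    @directives[name] = sources
    self
  end

  # A fresh nonce per request; it must never be reused across responses.
  def self.generate_nonce
    SecureRandom.base64(16)
  end

  # Header value, or nil when no directives are configured: an empty policy
  # means no header at all rather than an empty header or a bare ";".
  def header_value(nonce)
    return nil if @directives.empty?
    @directives.map { |name, sources|
      srcs = sources.map { |s| s == :nonce ? "'nonce-#{nonce}'" : s }
      "#{name} #{srcs.join(' ')}"
    }.join("; ") # directives joined without a trailing semicolon
  end
end

# The meta tag the UJS library reads the nonce from (name is assumed).
def csp_meta_tag(nonce)
  %(<meta name="csp-nonce" content="#{nonce}">)
end

# A script tag that optionally carries the request nonce, as javascript_tag
# nonce: true would emit it.
def script_tag(body, nonce: nil)
  attr = nonce ? %( nonce="#{nonce}") : ""
  "<script#{attr}>#{body}</script>"
end

# Defender-side check of the nonce rule only: an inline script executes under
# this policy only if its nonce attribute matches a nonce in the header.
def script_allowed?(header, tag)
  nonces = header.to_s.scan(/'nonce-([^']+)'/).flatten
  tag_nonce = tag[/<script[^>]*\snonce="([^"]*)"/, 1]
  !tag_nonce.nil? && nonces.include?(tag_nonce)
end
```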
-
Submitted by Ryuta Kamizono
3acc5d6e changed the order of scope evaluation from the through scope to the association's own scope, so that the latter is prioritized over the through scope. But the sorting order that is evaluated first is the one that gets prioritized. This is an unintentional effect; the association scope's sorting order should be prioritized as well. Fixes #32008.
-
Submitted by Ryuta Kamizono
Fix active_job_basics.md callbacks example [ci skip]
-
Submitted by fatkodima
-
Submitted by Ryuta Kamizono
This reverts commit cf4f05a7. Since Rails 6 requires Ruby 2.4.1+.
-
Submitted by Jeremy Daer
So `2.4` would match `2.4.1` (due to an rvm alias) rather than matching the latest `2.4.3` release.
-
Submitted by Jeremy Daer
This faithfully preserves grapheme clusters (characters composed of other characters and combining marks) and other multibyte characters.
-
Submitted by Jeremy Daer
```ruby
"foo".freeze.strip_heredoc.frozen? # => true
```

Fixes the case where frozen string literals would inadvertently become unfrozen:

```ruby
foo = <<-MSG.strip_heredoc
  la la la
MSG
foo.frozen? # => false !??
```
-
Submitted by bogdanvlviv
Prepare bug report templates for Rails 6.0 development

Add missing `require "active_support"` in `guides/bug_report_templates/generic_gem.rb`
-
Submitted by Brian Kephart
-
Submitted by yuuji.yaginuma
-
Submitted by Dharam Gollapudi
Fixes typos
-
Submitted by Jeremy Daer
Skipping over 2.4.0 to sidestep the `"symbol_from_string".to_sym.dup` bug. References #32028
-
Submitted by Sean Collins
Object#blank? used to be used in this file, but it's not anymore. This avoids a monkey-patch, for those who want to use just this isolated feature of ActiveSupport.
-
Submitted by bogdanvlviv
* Global ignores at toplevel .gitignore
* Component-specific ignores in each toplevel directory
* Remove `actionview/test/tmp/.keep` for JRuby

```
rm actionview/test/tmp/ -fr
cd actionview/
bundle exec jruby -Itest test/template/digestor_test.rb
```

Related to #11743, #30392. Closes #29978.
-
Submitted by Eddie Lebow
Closes #31998
-
Submitted by bogdanvlviv
Some attr_readers should be `protected` instead of `private`

See https://travis-ci.org/rails/rails/builds/342800276
-
-
Submitted by Guillermo Iguaran
Multipart file uploads are very rare in API only apps, so don't include Rack::TempfileReaper in the default middleware stack for API only apps.
-
Submitted by Jeremy Daer
-
- 17 Feb 2018, 4 commits
-
-
Submitted by yuuji.yaginuma
-
Submitted by Rafael França
Fix custom serializer setting
-
Submitted by Rafael Mendonça França
-
Submitted by Rafael Mendonça França
-