[ci skip]

Several methods of `RequestForgeryProtection` are not showed in the api
doc even though `:doc:` is specified.
(e.g. `form_authenticity_param`)
http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html

These methods are listed in the doc of v4.1.
http://api.rubyonrails.org/v4.1/classes/ActionController/RequestForgeryProtection.html

This is due to the influence of `:nodoc:` added in #18102, methods after
 `CROSS_ORIGIN_JAVASCRIPT_WARNING` not showed from the doc.
Therefore, in order to show the method like originally, added `startdoc`
after `CROSS_ORIGIN_JAVASCRIPT_WARNING`.

This basically reverts e9fca766, d08da958,
d1fe1dcf, and 68eaf7b4

Since we now default to `protect_from_forgery with: :exception`,
provide a wrapper to `skip_before_action :verify_authenticity_token`
for disabling forgery protection.

Rather than protecting from forgery in the generated
ApplicationController, add it to ActionController::Base by config. This
configuration defaults to false to support older versions which have
removed it from their ApplicationController, but is set to true for
Rails 5.2.

This reverts commit 3420a145, reversing
changes made to afb66a5a.

I came up against this while dealing with a misconfigured server. The
browser was setting the Origin header to "https://example.com", but the
Rails app returned "http://example.com" from request.base_url (because
it was failing to detect that HTTPS was used).

This caused verify_authenticity_token to fail, but the message in the
log was "Can't verify CSRF token", which is confusing because the
failure had nothing to do with the CSRF token sent in the request. This
made it very hard to identify the issue, so hopefully this will make it
more obvious for the next person.

[ci skip]

The current code base is not uniform. After some discussion,
we have chosen to go with double quotes by default.

CSRF verification for non-XHR GET requests (cross-origin `<script>`
tags) didn't check this flag before logging failures.

Setting `config.action_controller.log_warning_on_csrf_failure = false`
now disables logging for these CSRF failures as well.

Closes #25086.
Signed-off-by: NJeremy Daer <jeremydaer@gmail.com>

When the token is generated by the form we were using the schema and
host information while only using the path to compare if the action was
the same. This was causing the token to be invalid.

To fix this we use the same information to generate the token and check
it.

Fix #24257

- we are ending sentences properly
- fixing of space issues
- fixed continuity issues in some sentences.

Reverts https://github.com/rails/rails/commit/8fc97d198ef31c1d7a4b9b849b96fc08a667fb02 .
This change reverts making sure we add '.' at end of deprecation sentences.
This is to keep sentences within Rails itself consistent and with a '.' at the end.

Use `each_byte` instead of `bytes` to speed up string xor operation and
reduce object allocations.

Inspired by commit 02c38678.

``` ruby
require 'benchmark/ips'
require 'allocation_tracer'

a = 32.times.map { rand(256) }.pack('C*')
b = 32.times.map { rand(256) }.pack('C*')

def xor_byte_strings1(s1, s2)
  s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
end

def xor_byte_strings2(s1, s2)
  s2_bytes = s2.bytes
  s1.bytes.map.with_index { |c1, i| c1 ^ s2_bytes[i] }.pack('c*')
end

def xor_byte_strings3(s1, s2)
  s2_bytes = s2.bytes
  s1.each_byte.with_index { |c1, i| s2_bytes[i] ^= c1 }
  s2_bytes.pack('C*')
end

fail if xor_byte_strings1(a, b) != xor_byte_strings2(a, b)
fail if xor_byte_strings1(a, b) != xor_byte_strings3(a, b)

Benchmark.ips do |x|
  x.report('xor_byte_strings1') { xor_byte_strings1(a, b) }
  x.report('xor_byte_strings2') { xor_byte_strings2(a, b) }
  x.report('xor_byte_strings3') { xor_byte_strings3(a, b) }
  x.compare!
end

Tracer = ObjectSpace::AllocationTracer
Tracer.setup(%i{type})
p xor_byte_strings1: Tracer.trace { xor_byte_strings1(a, b) }
p xor_byte_strings2: Tracer.trace { xor_byte_strings2(a, b) }
p xor_byte_strings3: Tracer.trace { xor_byte_strings3(a, b) }
```

```
Warming up --------------------------------------
   xor_byte_strings1    10.668k i/100ms
   xor_byte_strings2    11.814k i/100ms
   xor_byte_strings3    13.139k i/100ms
Calculating -------------------------------------
   xor_byte_strings1    116.667k (± 3.1%) i/s -    586.740k
   xor_byte_strings2    129.932k (± 4.3%) i/s -    649.770k
   xor_byte_strings3    142.506k (± 4.2%) i/s -    722.645k

Comparison:
   xor_byte_strings3:   142506.3 i/s
   xor_byte_strings2:   129932.4 i/s - 1.10x slower
   xor_byte_strings1:   116666.8 i/s - 1.22x slower

{:xor_byte_strings1=>{[:T_ARRAY]=>[38, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
{:xor_byte_strings2=>{[:T_ARRAY]=>[3, 0, 0, 0, 0, 0], [:T_DATA]=>[1, 0, 0, 0, 0, 0], [:T_IMEMO]=>[2, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
{:xor_byte_strings3=>{[:T_ARRAY]=>[1, 0, 0, 0, 0, 0], [:T_DATA]=>[1, 0, 0, 0, 0, 0], [:T_IMEMO]=>[2, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
```

```
[aaron@TC rails (master)]$ cat xor.rb
a = "\x14b\"\xB4P8\x05\x8D\xC74\xC3\xEC}\xFDf\x8E!h\xCF^\xBF\xA5%\xC6\xF0\xA9\xF9x\x04\xFA\xF1\x82"
b = "O.\xF7\x01\xA9D\xA3\xE1D\x7FU\x85\xFC\x8Ak\e\x04\x8A\x97\x91\xD01\x02\xA4G\x1EIf:Y\x0F@"

def xor_byte_strings(s1, s2)
  s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
end

def xor_byte_strings2(s1, s2)
  s2_bytes = s2.bytes
  s1.bytes.map.with_index { |c1, i| c1 ^ s2_bytes[i] }.pack('c*')
end

require 'benchmark/ips'
require 'allocation_tracer'

Benchmark.ips do |x|
  x.report 'xor_byte_strings' do
    xor_byte_strings a, b
  end

  x.report 'xor_byte_strings2' do
    xor_byte_strings2 a, b
  end
end

ObjectSpace::AllocationTracer.setup(%i{type})
result = ObjectSpace::AllocationTracer.trace do
  xor_byte_strings a, b
end
p :xor_byte_strings => result
ObjectSpace::AllocationTracer.clear
result = ObjectSpace::AllocationTracer.trace do
  xor_byte_strings2 a, b
end
p :xor_byte_strings2 => result
[aaron@TC rails (master)]$ ruby -I~/git/allocation_tracer/lib xor.rb
Calculating -------------------------------------
    xor_byte_strings    10.087k i/100ms
   xor_byte_strings2    11.339k i/100ms
-------------------------------------------------
    xor_byte_strings    108.386k (± 5.8%) i/s -    544.698k
   xor_byte_strings2    122.239k (± 3.0%) i/s -    612.306k
{:xor_byte_strings=>{[:T_ARRAY]=>[38, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
{:xor_byte_strings2=>{[:T_ARRAY]=>[3, 0, 0, 0, 0, 0], [:T_DATA]=>[1, 0, 0, 0, 0, 0], [:T_IMEMO]=>[2, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
```

Per this comment
https://github.com/rails/rails/pull/18334#issuecomment-69234050 we want
`protect_from_forgery` to default to `prepend: false`.

`protect_from_forgery` will now be insterted into the callback chain at the
point it is called in your application. This is useful for cases where you
want to `protect_from_forgery` after you perform required authentication
callbacks or other callbacks that are required to run after forgery protection.

If you want `protect_from_forgery` callbacks to always run first, regardless of
position they are called in your application, then you can add `prepend: true`
to your `protect_from_forgery` call.

Example:

```ruby
protect_from_forgery prepend: true
```

* add `end` to end of class definition
* add a blank line between explanation and example code

this commit removes some direct access to `env`.

May be missed in 5fe14163 commit
Also fixes the broken build

The cookie jar can just ask the request object for the information it
needs.  This allows us to stop allocating hashes for options, and also
allows us to delay calculating values in advance.  Generating the
options hash forced us to calculate values that we may never have needed
at runtime

Accessing a request object has nice advantages over accessing a hash.
If you use a missing method name, you'll get an exception rather than a
`nil` (is one nice feature)

spelling fix [ci skip]

example to be consistent [ci skip]

grammatical fix

typo fixes [ci skip]

 - Changed Javascript to JavaScript.
 - Added full-stop which was missing, also wrapped the sentence to 80 chars.
 - Changed proc to Proc and oauth to OAuth.

[ci skip]