CSRF verification for non-XHR GET requests (cross-origin `<script>`
tags) didn't check this flag before logging failures.

Setting `config.action_controller.log_warning_on_csrf_failure = false`
now disables logging for these CSRF failures as well.

Closes #25086.
Signed-off-by: NJeremy Daer <jeremydaer@gmail.com>

When the token is generated by the form we were using the schema and
host information while only using the path to compare if the action was
the same. This was causing the token to be invalid.

To fix this we use the same information to generate the token and check
it.

Fix #24257

When `button_to 'Botton', url` form was being used the per form token
was not correct because the method that is was being used to generate it
was an empty string.

Fixes #23524

Per this comment
https://github.com/rails/rails/pull/18334#issuecomment-69234050 we want
`protect_from_forgery` to default to `prepend: false`.

`protect_from_forgery` will now be insterted into the callback chain at the
point it is called in your application. This is useful for cases where you
want to `protect_from_forgery` after you perform required authentication
callbacks or other callbacks that are required to run after forgery protection.

If you want `protect_from_forgery` callbacks to always run first, regardless of
position they are called in your application, then you can add `prepend: true`
to your `protect_from_forgery` call.

Example:

```ruby
protect_from_forgery prepend: true
```

This will silence deprecation warnings.

Most of the test can be changed from `render :text` to render `:plain`
or `render :body` right away. However, there are some tests that needed
to be fixed by hand as they actually assert the default Content-Type
returned from `render :body`.

We should leverage the request / response objects that the superclass
has already allocated for us.

`head` method works similar to `render` method with `:nothing` option

Non-string authenticity tokens raised NoMethodError when decoding the
masked token.

in `ActionController::TestCase` and
`ActionDispatch::Integration`

Old syntax:

    `xhr :get, :create, params: { id: 1 }`

New syntax example:

    `get :create, params: { id: 1 }, xhr: true`

Non-kwargs requests are deprecated now.
Guides are updated as well.

`post url, nil, nil, { a: 'b' }` doesn't make sense.
`post url, params: { y: x }, session: { a: 'b' }` would be an explicit way to do the same

This merges in the code from the breach-mitigation-rails gem that masks
authenticity tokens on each request by XORing them with a random set of
bytes. The masking is used to make it impossible for an attacker to
steal a CSRF token from an SSL session by using techniques like the
BREACH attack.

The patch is pretty simple - I've copied over the [relevant
code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb)
and updated the tests to pass, mostly by adjusting stubs and mocks.

Nokogiri leaves '<' unescaped, so the assert_select looking for '&lt;' will never work. Switched to assert_matching the reponse body.

Fixed a Nokogiri::CSS::SyntaxError by using its expected format for unicode characters.

Related with cbb91745

This was changed at cbb91745

Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection
which is on by default.

Thanks to @homakov for sounding the alarm about JSONP-style data leaking

Previously it was raising a NilException

They don't add any benefits over `assert object.blank?`
and `assert object.present?`

It's further work on CSRF after 24594110.

The :null_session CSRF protection method provide an empty session during
request processing but doesn't reset it completely (as :reset_session
does).

If embedding auth_token in remote forms is off and we
pass a value for auth_token it should respect it.

Changed default value for `config.action_view.embed_authenticity_token_in_remote_forms`
to `false`. This change breaks remote forms that need to work also without javascript,
so if you need such behavior, you can either set it to `true` or explicitly pass
`:authenticity_token => true` in form options

There is a regression introduced in 16ee611f, which breaks
remote forms that should also work without javascript. This commit
introduces config option that allows to configure this behavior
defaulting to the old behavior (ie. include authenticity token
in remote forms by default)

Conflicts:

	actionpack/CHANGELOG.md