With the disabling of TLS 1.0 by most major websites, continuing to run
IE8 or lower becomes increasingly difficult so default to not enforcing
UTF-8 encoding as it's not relevant to other browsers.

[ci skip]

This was changed with 5d7b70f4 and 428939be.

Mention `config.generators.system_tests` in
the "Configuring Rails Applications" guide.

Instead of providing a configuration option to set the hash function,
switch to SHA-1 for new apps and allow upgrading apps to opt in later
via `new_framework_defaults_5_2.rb`.

  - Add mention about `config.active_record.internal_metadata_table_name`
  - Add mention about `config.active_record.protected_environments`

When `form_with` was introduced we disabled the automatic
generation of ids that was enabled in `form_for`. This usually
is not an good idea since labels don't work when the input
doesn't have an id and it made harder to test with Capybara.

You can still disable the automatic generation of ids setting
`config.action_view.form_with_generates_ids` to `false.`

It was brought to my attention that the Rails guide suggests using filenames to ensure code load order, so I thought I would suggest a better alternative.

Passing the environment's name as a regular argument is deprecated
in 48b24992.

It's become clear to me that the use case is still a bit muddy
and the upgrade path is going to be tough for people to figure
out.

This attempts at understanding it better through documentation,
but still needs follow up work.

[ Michael Coyne & Kasper Timm Hansen ]

Using the action_dispatch.cookies_rotations interface, key rotation is
now possible with cookies. Thus the secret_key_base as well as salts,
ciphers, and digests, can be rotated without expiring sessions.

Removes most mentions of secrets.secret_key_base and explains
credentials instead.

Also removes some very stale upgrade notices about Rails 3/4.

Should _probably_ be done across the board with all of our
documentation, but going to leave that for another time :)

[ci skip]

[ci skip]

Abstract boolean serialization has been using 't' and 'f', with MySQL
overriding that to use 1 and 0.

This has the advantage that SQLite natively recognizes 1 and 0 as true
and false, but does not natively recognize 't' and 'f'.

This change in serialization requires a migration of stored boolean data
for SQLite databases, so it's implemented behind a configuration flag
whose default false value is deprecated. The flag itself can be
deprecated in a future version of Rails.  While loaded models will give
the correct result for boolean columns without migrating old data,
where() clauses will interact incorrectly with old data.

While working in this area, also change the abstract adapter to use
`"TRUE"` and `"FALSE"` as quoted values and `true` and `false` for
unquoted.  These are supported by PostreSQL, and MySQL remains
overriden.

Rather than protecting from forgery in the generated
ApplicationController, add it to ActionController::Base by config. This
configuration defaults to false to support older versions which have
removed it from their ApplicationController, but is set to true for
Rails 5.2.

Remove references to deprecared raise_runtime_errors from documentation, which is always enabled now. Ref: https://github.com/rails/sprockets-rails/commit/655b93bffc6f51b96a7cc097f9010942693bfaae and https://github.com/rails/rails/pull/24070 . Fixes #29483 [ci skip] (#29484)

ActionDispatch::Callbacks.to_prepare was removed in #27587
[ci skip]

This commit changes encrypted cookies from AES in CBC HMAC mode to
Authenticated Encryption using AES-GCM. It also provides a cookie jar
to transparently upgrade encrypted cookies to this new scheme. Some
other notable changes include:

- There is a new application configuration value:
  +use_authenticated_cookie_encryption+. When enabled, AEAD encrypted
  cookies will be used.

- +cookies.signed+ does not raise a +TypeError+ now if the name of an
  encrypted cookie is used. Encrypted cookies using the same key as
  signed cookies would be verified and serialization would then fail
  due the message still be encrypted.

[ci skip]

config.time_zone is no longer in included in config/application.rb.

See 28dcadc0.

The default digest class changed to SHA256 in sprockets 3.0.
Ref: https://github.com/sstephenson/sprockets/pull/647

This changed in c0466603