- 14 Mar 2018, 1 commit
Committed by Rafael Mendonça França
We only add the header when releasing to avoid some conflicts. [ci skip]

- 28 Feb 2018, 1 commit
Committed by Ryuta Kamizono

- 25 Feb 2018, 1 commit
Committed by Guillermo Iguaran

- 19 Feb 2018, 1 commit
Committed by Andrew White
Because the UJS library creates a script tag to process responses it normally requires the script-src attribute of the content security policy to include 'unsafe-inline'. To work around this we generate a per-request nonce value that is embedded in a meta tag in a similar fashion to how CSRF protection embeds its token in a meta tag. The UJS library can then read the nonce value and set it on the dynamically generated script tag to enable it to execute without needing 'unsafe-inline' enabled. Nonce generation isn't 100% safe - if your script tag is including user generated content in some way then it may be possible to exploit an XSS vulnerability which can take advantage of the nonce. It is however an improvement on a blanket permission for inline scripts. It is also possible to use the nonce within your own script tags by using `nonce: true` to set the nonce value on the tag, e.g. <%= javascript_tag nonce: true do %> alert('Hello, World!'); <% end %> Fixes #31689.
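As an added illustration of the nonce flow this commit describes (example code, not Rails' own), the Ruby below models a per-request nonce, the policy header it unlocks, the meta tag UJS would read, and a `javascript_tag(nonce: true)` equivalent; `CspNonceDemo` and its method names are hypothetical stand-ins for the Rails helpers.

```ruby
require "securerandom"

# Added example (not Rails' own code): the per-request CSP nonce flow the
# commit describes, modelled without Rails so it can run on its own.
class CspNonceDemo
  attr_reader :nonce

  def initialize
    @nonce = SecureRandom.base64(16)   # unguessable, one per request
  end

  # script-src permits same-origin scripts and inline scripts carrying this
  # request's nonce; 'unsafe-inline' is no longer needed.
  def csp_header
    "script-src 'self' 'nonce-#{@nonce}'"
  end

  # Mirrors the csrf-meta-tags pattern: UJS reads this tag and copies the
  # nonce onto the <script> it builds for a remote response.
  def csp_meta_tag
    %(<meta name="csp-nonce" content="#{@nonce}" />)
  end

  # Counterpart of javascript_tag(nonce: true) { ... }. The body is emitted
  # verbatim: user-controlled content here is exactly the case the commit
  # warns about, because it inherits the nonce's permission to execute.
  def javascript_tag(source, nonce: false)
    attr = nonce ? %( nonce="#{@nonce}") : ""
    "<script#{attr}>\n//<![CDATA[\n#{source}\n//]]>\n</script>"
  end

  # Nonces the header grants to script-src.
  def allowed_nonces(header)
    header.scan(/'nonce-([A-Za-z0-9+\/=]+)'/).flatten
  end

  # Would a browser enforcing +header+ run this inline script tag?
  def script_allowed?(header, script_tag)
    tag_nonce = script_tag[/<script[^>]*\snonce="([^"]+)"/, 1]
    !tag_nonce.nil? && allowed_nonces(header).include?(tag_nonce)
  end
end

if $PROGRAM_NAME == __FILE__
  demo = CspNonceDemo.new
  puts demo.csp_header, demo.csp_meta_tag
  puts demo.javascript_tag("alert('Hello, World!');", nonce: true)
end
```

A tag minted for one request carries a nonce the policy of any other request does not list, which is why the nonce must be regenerated per request rather than per process.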

- 18 Feb 2018, 1 commit
Committed by Jeremy Daer
Skipping over 2.4.0 to sidestep the `"symbol_from_string".to_sym.dup` bug. References #32028

- 01 Feb 2018, 1 commit
Committed by bogdanvlviv

- 31 Jan 2018, 1 commit
Committed by Rafael Mendonça França
:tada::tada::tada:

- 17 Jan 2018, 1 commit
Committed by Grant Bourque
- Update the default HSTS max-age value to 31536000 seconds (1 year) to meet the minimum max-age requirement for https://hstspreload.org/.

- 09 Jan 2018, 1 commit
Committed by Guillermo Iguaran

- 08 Jan 2018, 1 commit
Committed by Prathamesh Sonpatki

- 17 Dec 2017, 1 commit
Committed by Prathamesh Sonpatki

- 10 Dec 2017, 2 commits
Committed by Guillermo Iguaran
Change the system tests to set Puma as default server only when the user hasn't manually specified another server.

Committed by Guillermo Iguaran

- 08 Dec 2017, 1 commit
Committed by bogdanvlviv

- 01 Dec 2017, 1 commit
Committed by eileencodes
Since this changes a default setting a changelog entry is important.

- 29 Nov 2017, 2 commits
Committed by Guillermo Iguaran

Committed by Rafael Mendonça França

- 28 Nov 2017, 2 commits
Committed by Andrew White
Fixes #31220.

Committed by Rafael Mendonça França

- 27 Nov 2017, 2 commits
Committed by Prathamesh Sonpatki

Committed by Andrew White

- 24 Oct 2017, 1 commit
Committed by Rafael Mendonça França

- 23 Oct 2017, 1 commit
Committed by bogdanvlviv
Related to #30850

- 17 Oct 2017, 1 commit
Committed by yuuji.yaginuma

- 04 Oct 2017, 1 commit
Committed by eileencodes
When puma/puma#1403 is merged Puma will support the Early Hints status code for sending assets before a request has finished. While the Early Hints spec is still in draft, this PR prepares Rails to allow this status code. If the proxy server supports Early Hints, it will send H2 pushes to the client. This PR adds a method for setting Early Hints Link headers via Rails, and also automatically sends Early Hints if supported from the `stylesheet_link_tag` and the `javascript_include_tag`. Once puma supports Early Hints the `--early-hints` argument can be passed to the server to enable this or set in the puma config with `early_hints(true)`. Note that for Early Hints to work in the browser the requirements are 1) a proxy that can handle H2, and 2) HTTPS. To start the server with Early Hints enabled pass `--early-hints` to `rails s`. This has been verified to work with h2o, Puma, and Rails with Chrome. The commit adds a new option to the rails server to enable early hints for Puma. Early Hints spec: https://tools.ietf.org/html/draft-ietf-httpbis-early-hints-04 [Eileen M. Uchitelle, Aaron Patterson]

- 26 Sep 2017, 1 commit
Committed by Ryuta Kamizono

- 25 Sep 2017, 1 commit
Committed by Michael Coyne
Using the action_dispatch.cookies_rotations interface, key rotation is now possible with cookies. Thus the secret_key_base as well as salts, ciphers, and digests, can be rotated without expiring sessions.

- 18 Sep 2017, 1 commit
Committed by Thomas Walpole

- 07 Sep 2017, 1 commit
Committed by Ryuta Kamizono
[ci skip]

- 04 Sep 2017, 1 commit
Committed by Assain
* Documentation for Duration support added to signed/encrypted cookies
* Changelog entries for the duration support and expiry metadata added to cookies
[ci skip]

- 27 Aug 2017, 1 commit
Committed by yuuji.yaginuma
In a Rails engine `Rails.root` returns the path of the dummy application. Therefore, there is no `tmp` directory where the test is running, so it cannot get the screenshot. For this reason, instead of directly specifying tmp, retrieve the screenshot by a relative path from the current directory. Fixes #30405

- 07 Aug 2017, 2 commits
Committed by Jon Moss
Fixes a few grammar things. [ci skip]

- 11 Jul 2017, 2 commits
Committed by Ryuta Kamizono

Committed by Lisa Ugray
Rather than protecting from forgery in the generated ApplicationController, add it to ActionController::Base by config. This configuration defaults to false to support older versions which have removed it from their ApplicationController, but is set to true for Rails 5.2.

- 01 Jul 2017, 1 commit
Committed by Prathamesh Sonpatki

- 03 Jun 2017, 1 commit
Committed by Mario Alberto Chávez
drivers. When using `driver_by` with capybara-webkit or poltergeist, SystemTesting::Driver will register the driver while passing `screen_size` and `options` parameters. `options` could contain any option supported by the underlying driver.

- 22 May 2017, 1 commit
Committed by Michael Coyne
This commit changes encrypted cookies from AES in CBC HMAC mode to Authenticated Encryption using AES-GCM. It also provides a cookie jar to transparently upgrade encrypted cookies to this new scheme. Some other notable changes include:
- There is a new application configuration value: +use_authenticated_cookie_encryption+. When enabled, AEAD encrypted cookies will be used.
- +cookies.signed+ does not raise a +TypeError+ now if the name of an encrypted cookie is used. Encrypted cookies using the same key as signed cookies would be verified and serialization would then fail due to the message still being encrypted.
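An added Ruby example (not Rails' own code) covering both this commit and the key-rotation commit of 25 Sep 2017 above: an AES-256-GCM cookie jar whose decrypt only returns plaintext when a key's authentication tag verifies, and which falls back through retired keys so rotation does not expire sessions. `GcmCookieJar`, the `iv--ciphertext--tag` layout and the `rotations:` option are assumptions for illustration.

```ruby
require "openssl"

# Added example (not Rails' own code): minimal AES-256-GCM cookie jar in the
# spirit of use_authenticated_cookie_encryption plus cookies_rotations.
class GcmCookieJar
  CIPHER  = "aes-256-gcm"
  IV_LEN  = 12   # 96-bit nonce, the recommended GCM size
  TAG_LEN = 16   # 128-bit authentication tag

  # +key+ is the current 32-byte key; +rotations+ are retired keys that may
  # still decrypt cookies issued before the rotation (cookies_rotations idea).
  def initialize(key, rotations: [])
    @key = key
    @rotations = rotations
  end

  # Produces "iv--ciphertext--tag", each segment strict base64.
  def encrypt(plaintext)
    c = OpenSSL::Cipher.new(CIPHER).encrypt
    c.key = @key
    iv = c.random_iv            # fresh per cookie; a reused IV breaks GCM
    c.auth_data = ""
    ct = c.update(plaintext) + c.final
    [iv, ct, c.auth_tag(TAG_LEN)].map { |s| [s].pack("m0") }.join("--")
  end

  # Tries the current key, then each retired key; nil unless some key's tag
  # verifies, so tampered or foreign cookies never yield plaintext.
  def decrypt(cookie)
    iv, ct, tag = cookie.split("--", 3).map { |s| s.unpack1("m0") }
    return nil unless tag && iv.bytesize == IV_LEN && tag.bytesize == TAG_LEN
    ([@key] + @rotations).each do |k|
      return decrypt_with(k, iv, ct, tag)
    rescue OpenSSL::Cipher::CipherError
      next                      # wrong key or modified data
    end
    nil
  rescue ArgumentError
    nil                         # malformed base64 or empty segment
  end

  def decrypt_with(key, iv, ct, tag)
    d = OpenSSL::Cipher.new(CIPHER).decrypt
    d.key = key
    d.iv = iv
    d.auth_tag = tag
    d.auth_data = ""
    d.update(ct) + d.final      # raises CipherError if the tag does not match
  end
end
```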

- 19 May 2017, 2 commits
Committed by Ryuta Kamizono
* Fix indentation.
* Add backticks.

Committed by David Heinemeier Hansson