1. 14 Mar 2018, 1 commit
  2. 28 Feb 2018, 1 commit
  3. 25 Feb 2018, 1 commit
  4. 19 Feb 2018, 1 commit
    • Add support for automatic nonce generation for Rails UJS · 31abee03
      Committed by Andrew White
      Because the UJS library creates a script tag to process responses it
      normally requires the script-src attribute of the content security
      policy to include 'unsafe-inline'.
      
      To work around this we generate a per-request nonce value that is
      embedded in a meta tag in a similar fashion to how CSRF protection
      embeds its token in a meta tag. The UJS library can then read the
      nonce value and set it on the dynamically generated script tag to
      enable it to execute without needing 'unsafe-inline' enabled.
      
      Nonce generation isn't 100% safe - if your script tag is including
      user generated content in some way then it may be possible to exploit
      an XSS vulnerability which can take advantage of the nonce. It is
      however an improvement on a blanket permission for inline scripts.
      
      It is also possible to use the nonce within your own script tags by
      using `nonce: true` to set the nonce value on the tag, e.g.
      
          <%= javascript_tag nonce: true do %>
            alert('Hello, World!');
          <% end %>
      
      Fixes #31689.
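The mechanism the commit message describes, as an added example that is not Rails' own code: a per-request nonce, the `script-src` directive that carries it, the meta tag UJS reads, the tag `javascript_tag nonce: true` renders, and a simplified version of the check a browser applies. The meta tag name `csp-nonce` is an assumption, and hash sources and `'strict-dynamic'` are not modeled.

```ruby
require "securerandom"
require "base64"

# Added illustration, not Rails' implementation. The "csp-nonce" meta name is assumed.
def generate_csp_nonce
  # 128 random bits, base64 encoded; a fresh value must be generated for every response,
  # because a nonce that is reused can be learned from one page and replayed on another
  Base64.strict_encode64(SecureRandom.random_bytes(16))
end

def csp_header(nonce)
  # no 'unsafe-inline': only scripts carrying this exact nonce may execute
  "script-src 'self' 'nonce-#{nonce}'"
end

# Embedded in <head> so the UJS library can read the nonce, like the CSRF token meta tag
def csp_meta_tag(nonce)
  %(<meta name="csp-nonce" content="#{nonce}" />)
end

# What `javascript_tag nonce: true` renders: the nonce is set on the tag itself
def javascript_tag(body, nonce: nil)
  attr = nonce ? %( nonce="#{nonce}") : ""
  "<script#{attr}>#{body}</script>"
end

# Simplified browser check for an inline script under script-src: with nonce sources
# present, 'unsafe-inline' is ignored and the tag's nonce must match one of them.
def script_allowed?(header, script_html)
  sources = header[/script-src([^;]*)/, 1].to_s
  allowed = sources.scan(/'nonce-([A-Za-z0-9+\/=]+)'/).flatten
  return sources.include?("'unsafe-inline'") if allowed.empty? # blanket inline permission
  tag_nonce = script_html[/\A<script[^>]*\snonce="([^"]*)"/, 1]
  !tag_nonce.nil? && allowed.include?(tag_nonce)
end
```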
  5. 18 Feb 2018, 1 commit
  6. 01 Feb 2018, 1 commit
  7. 31 Jan 2018, 1 commit
  8. 17 Jan 2018, 1 commit
  9. 09 Jan 2018, 1 commit
  10. 08 Jan 2018, 1 commit
  11. 17 Dec 2017, 1 commit
  12. 10 Dec 2017, 2 commits
  13. 08 Dec 2017, 1 commit
  14. 01 Dec 2017, 1 commit
  15. 29 Nov 2017, 2 commits
  16. 28 Nov 2017, 2 commits
  17. 27 Nov 2017, 2 commits
  18. 24 Oct 2017, 1 commit
  19. 23 Oct 2017, 1 commit
  20. 17 Oct 2017, 1 commit
  21. 04 Oct 2017, 1 commit
    • Implement H2 Early Hints for Rails · 59a02fb7
      Committed by eileencodes
      When puma/puma#1403 is merged, Puma will support the Early Hints status
      code for sending assets before a request has finished.
      
      While the Early Hints spec is still in draft, this PR prepares Rails to
      allow this status code.
      
      If the proxy server supports Early Hints, it will send H2 pushes to the
      client.
      
      This PR adds a method for setting Early Hints Link headers via Rails,
      and also automatically sends Early Hints if supported from the
      `stylesheet_link_tag` and the `javascript_include_tag`.
      
      Once puma supports Early Hints the `--early-hints` argument can be
      passed to the server to enable this or set in the puma config with
      `early_hints(true)`. Note that for Early Hints to work
      in the browser the requirements are 1) a proxy that can handle H2,
      and 2) HTTPS.
      
      To start the server with Early Hints enabled pass `--early-hints` to
      `rails s`.
      
      This has been verified to work with h2o, Puma, and Rails with Chrome.
      
      The commit adds a new option to the rails server to enable early hints
      for Puma.
      
      Early Hints spec:
      https://tools.ietf.org/html/draft-ietf-httpbis-early-hints-04
      
      [Eileen M. Uchitelle, Aaron Patterson]
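An added example, not the commit's own helper code, of what the asset helpers described above hand to the server: preload `Link` values for stylesheets and scripts, passed through the `rack.early_hints` callable that Puma places in the Rack env when started with `--early-hints`, with a plain `Link` header as the fallback when the server does not support 103. The asset paths are constructed sample values.

```ruby
# Added illustration, not Rails' or Puma's code. Assumes the server exposes a callable
# under env["rack.early_hints"] that takes a headers hash (Puma's interface).
def preload_link(path, as_type)
  "<#{path}>; rel=preload; as=#{as_type}"
end

# Collects what stylesheet_link_tag / javascript_include_tag would announce for a page
def early_hint_links(stylesheets, scripts)
  stylesheets.map { |p| preload_link(p, "style") } +
    scripts.map { |p| preload_link(p, "script") }
end

# Emits a 103 Early Hints response when the server supports it and returns :sent;
# otherwise returns the Link header value so the caller can put it on the final response.
def send_early_hints(env, links)
  header = links.join(", ")
  if (hinter = env["rack.early_hints"])
    hinter.call("Link" => header)
    :sent
  else
    header
  end
end
```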
  22. 26 Sep 2017, 1 commit
  23. 25 Sep 2017, 1 commit
    • Add key rotation cookies middleware · 8b0af54b
      Committed by Michael Coyne
      Using the action_dispatch.cookies_rotations interface, key rotation is
      now possible with cookies. Thus the secret_key_base as well as salts,
      ciphers, and digests can be rotated without expiring sessions.
  24. 18 Sep 2017, 1 commit
  25. 07 Sep 2017, 1 commit
  26. 04 Sep 2017, 1 commit
    • This commit adds: · 9f0b3b59
      Committed by Assain
      * Documentation for Duration support added to signed/encrypted cookies
      
      * Changelog entries for the duration support and expiry metadata added to cookies
      
      [ci skip]
  27. 27 Aug 2017, 1 commit
    • Retrieve screenshot in relative path of current directory · 52422f2a
      Committed by yuuji.yaginuma
      In a Rails engine `Rails.root` returns the path of the dummy application.
      Therefore, there is no `tmp` directory where the test is running, so the
      screenshot cannot be retrieved.
      For this reason, instead of directly specifying tmp, retrieve the screenshot by
      relative path from the current directory.
      
      Fixes #30405
  28. 07 Aug 2017, 2 commits
  29. 11 Jul 2017, 2 commits
  30. 01 Jul 2017, 1 commit
  31. 03 Jun 2017, 1 commit
  32. 22 May 2017, 1 commit
    • AEAD encrypted cookies and sessions · 5a3ba63d
      Committed by Michael Coyne
      This commit changes encrypted cookies from AES in CBC HMAC mode to
      Authenticated Encryption using AES-GCM. It also provides a cookie jar
      to transparently upgrade encrypted cookies to this new scheme. Some
      other notable changes include:
      
      - There is a new application configuration value:
        +use_authenticated_cookie_encryption+. When enabled, AEAD encrypted
        cookies will be used.
      
      - +cookies.signed+ does not raise a +TypeError+ now if the name of an
        encrypted cookie is used. Encrypted cookies using the same key as
        signed cookies would be verified and serialization would then fail
        due to the message still being encrypted.
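The two schemes the commit message contrasts, as an added example that is not Rails' cookie jar or `MessageEncryptor`: a cookie value under the old AES-256-CBC + HMAC-SHA256 layout, the same value under AES-256-GCM where the 16-byte auth tag replaces the separate HMAC, and a reader that accepts both and re-encrypts legacy values so they upgrade transparently. The wire layouts and key sizes are constructed for this illustration.

```ruby
require "openssl"
require "base64"
# Added illustration, not Rails' code. Layouts: GCM is b64(ct)--b64(iv)--b64(tag);
# legacy is b64(ct)--b64(iv)--hex(HMAC-SHA256 over the first two parts). Both are
# constructed here; key handling (32-byte AES keys, separate signing key) is assumed.
def b64(s); Base64.strict_encode64(s); end
def unb64(s); Base64.strict_decode64(s); end
def gcm_encrypt(key, plaintext)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = key; iv = c.random_iv; c.auth_data = ""   # fresh 12-byte IV for every cookie
  ct = c.update(plaintext) + c.final
  [b64(ct), b64(iv), b64(c.auth_tag)].join("--")   # the tag authenticates ct under this iv
end

def gcm_decrypt(key, value)
  ct, iv, tag = value.split("--").map { |p| unb64(p) }
  return nil unless tag && tag.bytesize == 16
  c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  c.key = key; c.iv = iv; c.auth_tag = tag; c.auth_data = ""
  c.update(ct) + c.final
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil # tag verification failed: tampered ciphertext, wrong key, or not a GCM cookie
end

def legacy_encrypt(enc_key, sign_key, plaintext)
  c = OpenSSL::Cipher.new("aes-256-cbc").encrypt
  c.key = enc_key; iv = c.random_iv
  body = "#{b64(c.update(plaintext) + c.final)}--#{b64(iv)}"
  "#{body}--#{OpenSSL::HMAC.hexdigest('SHA256', sign_key, body)}"
end

def legacy_decrypt(enc_key, sign_key, value)
  body, _, sig = value.rpartition("--")
  expected = OpenSSL::HMAC.hexdigest("SHA256", sign_key, body)
  # compare without an early exit, then decrypt only a message whose MAC verified
  return nil unless sig.bytesize == expected.bytesize && sig.bytes.zip(expected.bytes).sum { |x, y| x ^ y }.zero?
  ct, iv = body.split("--").map { |p| unb64(p) }
  c = OpenSSL::Cipher.new("aes-256-cbc").decrypt
  c.key = enc_key; c.iv = iv
  c.update(ct) + c.final
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end

# Returns [plaintext, upgraded_value]: upgraded_value is nil when the cookie is already
# GCM, and the whole result is nil when neither scheme accepts the cookie.
def read_cookie(gcm_key, legacy_enc_key, legacy_sign_key, value)
  if (pt = gcm_decrypt(gcm_key, value)) then [pt, nil]
  elsif (pt = legacy_decrypt(legacy_enc_key, legacy_sign_key, value)) then [pt, gcm_encrypt(gcm_key, pt)]
  end
end
```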
  33. 19 May 2017, 2 commits