Protect from forgery by default

I had been wondering why I no longer see the protect_from_forgery line that used to be so common in ApplicationController; it turns out it has been enabled by default since Rails 5.2.

  • Protect from forgery by default

Rather than protecting from forgery in the generated ApplicationController, add it to ActionController::Base depending on config.action_controller.default_protect_from_forgery. This configuration defaults to false to support older versions which have removed it from their ApplicationController, but is set to true for Rails 5.2.

ref. Protect from forgery by default · rails/rails@ec4a836
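The following is an added example, not code from this post or from Rails: a static check that reports whether an app relies on the 5.2 default, still calls protect_from_forgery itself, or has neither (an app upgraded without load_defaults 5.2 whose ApplicationController dropped the line). It goes slightly beyond the quoted note by also flagging controllers that opt out. The helper names are hypothetical, the sample sources are constructed, and the scan is a text heuristic that assumes settings live in a single config file.

```ruby
require "rubygems" # Gem::Version, used to compare load_defaults versions

# Hypothetical helpers for this example; a text heuristic, not Rails' own logic.
def strip_comments(src)
  src.gsub(/#.*$/, "")
end

# Effective config.action_controller.default_protect_from_forgery, reading the
# config top to bottom: false unless load_defaults >= 5.2 or an explicit
# assignment sets it (a later line overrides an earlier one).
def default_forgery_protection?(app_config)
  enabled = false
  strip_comments(app_config).each_line do |line|
    if (v = line[/load_defaults\s*\(?\s*["']?(\d+\.\d+)/, 1])
      enabled = true if Gem::Version.new(v) >= Gem::Version.new("5.2")
    elsif (b = line[/default_protect_from_forgery\s*=\s*(true|false)/, 1])
      enabled = (b == "true")
    end
  end
  enabled
end

# Classifies ApplicationController: opted out, protected by its own
# protect_from_forgery call, protected by the 5.2 default, or unprotected.
def csrf_status(app_config, app_controller)
  ctrl = strip_comments(app_controller)
  return :disabled_in_controller if ctrl =~ /skip_forgery_protection|skip_before_action\s+:verify_authenticity_token/
  return :explicit if ctrl =~ /^\s*protect_from_forgery\b/
  default_forgery_protection?(app_config) ? :framework_default : :unprotected
end

# Constructed sample sources (not from a real application).
NEW_APP_CONFIG      = "class Application < Rails::Application\n  config.load_defaults 5.2\nend\n"
UPGRADED_APP_CONFIG = "class Application < Rails::Application\n  config.load_defaults 5.1\nend\n"
BARE_CONTROLLER     = "class ApplicationController < ActionController::Base\nend\n"
LEGACY_CONTROLLER   = "class ApplicationController < ActionController::Base\n  protect_from_forgery with: :exception\nend\n"

if __FILE__ == $PROGRAM_NAME
  puts csrf_status(NEW_APP_CONFIG, BARE_CONTROLLER)
  puts csrf_status(UPGRADED_APP_CONFIG, BARE_CONTROLLER)
  puts csrf_status(UPGRADED_APP_CONFIG, LEGACY_CONTROLLER)
end
```

An :unprotected result is the case to fix, either by calling protect_from_forgery in ApplicationController again or by setting config.action_controller.default_protect_from_forgery = true.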

jQuery no longer a default dependency

One more old Rails story.

jQuery had long been a default dependency of Rails, but it was dropped as a default dependency in Rails 5.1. It was the dawn of the Webpacker era.

jQuery was required by default in earlier versions of Rails to provide features like data-remote, data-confirm and other parts of Rails’ Unobtrusive JavaScript offerings. It is no longer required, as the UJS has been rewritten to use plain, vanilla JavaScript. This code now ships inside of Action View as rails-ujs.

PR: Drop jQuery as a dependency by guilleiguaran · Pull Request #27113 · rails/rails

Before

//= require jquery
//= require jquery_ujs
//= require turbolinks
//= require_tree .

After

//= require rails-ujs
//= require turbolinks
//= require_tree .