Hi, I’m Emmanuel Hayford. Here’s what caught my eye in Rails this week.
Fix GET+JSON+params in integration tests for API-only apps
params: in integration test helpers was ambiguous for GET requests with as: :json — it wasn’t clear whether params should go in the query string or request body. The original workaround converted GET to POST with X-Http-Method-Override, which broke API-only apps that exclude Rack::MethodOverride. New query: and body: kwargs give explicit control: query: always lands in the URL query string, body: always goes into the encoded request body, and params: keeps its existing behavior unchanged.
get "/search", query: { q: "rails" }, as: :json
post "/search", query: { page: 1 }, body: { filters: {} }, as: :json
Add request.safe_method? and request.unsafe_method?
Two new predicate methods on ActionDispatch::Request let you ask whether the current HTTP method is safe (GET, HEAD, OPTIONS, TRACE) or unsafe (everything else), per RFC 9110.
Update Action Cable origin check to respect X-Forwarded-Host
The allow_same_origin_as_host check in allow_request_origin? compared the browser’s Origin header against the raw HTTP_HOST, which fails behind a reverse proxy where the internal host differs from the public one. This updates the check to use request.host_with_port and request.ssl? instead, consistent with how the rest of Rails resolves the host.
Rewrite the Layouts and Rendering guide
This pull request is open for review: it rewrites the layouts and rendering guide around how controllers and views work together, and trims or relocates overlap with other guides (partial rendering stays in the Action View Overview; request variants move here from the Action Controller Overview, which gets a short rendering intro that points here). If you use these guides or care how we explain Rails to newcomers, open the PR and share any feedback you have.
You can view the whole list of changes here.
We had 9 contributors to the Rails codebase this past week!
Until next time!
Subscribe to get these updates mailed to you.