* Add binary encoding logic into ActionDispatch::Request::Utils

Moving the logic to set binary encoding into ActionDispatch::Request::Utils
will allow us to encode from GET and POST in ActionDispatch::Request.

* Refactor binary encoding logic

- Move binary encoding calls into GET, POST and path_parameters
- Remove binary encoding from ActionDispatch::Http::Request
- This way, we only raise an invalid encoding exception if the controller is not requesting
parameters in binary encoding

* Check if encoding is valid in ActionDispatch::Request#POST and raise BadRequest if invalid

* Fix multipart_params_test that has binary-encoded params containing invalid UTF-8 characters

* Address PR comments

* Pass action and controller to Request::Utils.set_binary_encoding

[Rafael Mendonça França + Adrianna Chang]

Calling request in an action of a controller generates an endless stream of
characters, including the Rack app and middlewares.
This can be frustrating when using a debugger in a controller and
accidentally calling `request` generates output for a couple of seconds.

Inspect on ActionDispatch::Request is shortened to the most relevant
attributes and uses the same format as used for request in the logs:

    "#<ActionDispatch::Request POST "https://example.com/path/of/some/uri?q=1" for 1.2.3.4>"

Follow up to c07dff72.

Actually it is not the cop's fault, but we mistakenly use `^`, `$`, and
`\Z` in much places, the cop doesn't correct those conservatively.

I've checked all those usage and replaced all safe ones.

* Remove dup from post body for forcing encoding

* Properly assign raw_post variable to encoded version
Co-authored-by: NRyuta Kamizono <kamipo@gmail.com>

[ci skip]

This reverts commit 4e105385, reversing
changes made to 62b43839.

The change in Ruby that made those changes required was reverted in
https://bugs.ruby-lang.org/projects/ruby-trunk/repository/git/revisions/8852fa876039ed177fd5e867f36177d8a9ff411c

Fix: https://github.com/rails/rails/issues/37650

The classic autoloader used to totally unregister any constant that
failed midway. Which mean `"SomeConst".constantize` was idempotent.

However Zeitwerk rely on normal `Kernel#require` behavior, which mean
that if an exception is raised during a class/module definition,
it will be left incompletely defined. For instance:

```ruby
class FooController
  ::DoesNotExist

  def index
  end
end
```

Will leave `FooController` defined, but without its `index` method.

Because of this, when silencing a NameError, it's important
to make sure the missing constant is really the one we were trying
to load.

Aa of ruby/ruby@2a22a6b2d8465934e75520a7fdcf522d50890caf calling
`Regexp#match?(nil)` raises an exception.

[utilum, eregon, eugeneius]

Updated the setter to clear the value in the `@remote_ip` instance
variable before setting the header that the value is derived from in the
getter.

A HTTP feature policy is Yet Another HTTP header for instructing the
browser about which features the application intends to make use of and
to lock down access to others. This is a new security mechanism that
ensures that should an application become compromised or a third party
attempts an unexpected action, the browser will override it and maintain
the intended UX.

WICG specification: https://wicg.github.io/feature-policy/

The end result is a HTTP header that looks like the following:

```
Feature-Policy: geolocation 'none'; autoplay https://example.com
```

This will prevent the browser from using geolocation and only allow
autoplay on `https://example.com`. Full feature list can be found over
in the WICG repository[1].

As of today Chrome and Safari have public support[2] for this
functionality with Firefox working on support[3] and Edge still pending
acceptance of the suggestion[4].

#### Examples

Using an initializer

```rb
# config/initializers/feature_policy.rb
Rails.application.config.feature_policy do |f|
  f.geolocation :none
  f.camera      :none
  f.payment     "https://secure.example.com"
  f.fullscreen  :self
end
```

In a controller

```rb
class SampleController < ApplicationController
  def index
    feature_policy do |f|
      f.geolocation "https://example.com"
    end
  end
end
```

Some of you might realise that the HTTP feature policy looks pretty
close to that of a Content Security Policy; and you're right. So much so
that I used the Content Security Policy DSL from #31162 as the starting
point for this change.

This change *doesn't* introduce support for defining a feature policy on
an iframe and this has been intentionally done to split the HTTP header
and the HTML element (`iframe`) support. If this is successful, I'll
look to add that on it's own.

Full documentation on HTTP feature policies can be found at
https://wicg.github.io/feature-policy/. Google have also published[5] a
great in-depth write up of this functionality.

[1]: https://github.com/WICG/feature-policy/blob/master/features.md
[2]: https://www.chromestatus.com/feature/5694225681219584
[3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1390801
[4]: https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/33507907-support-feature-policy
[5]: https://developers.google.com/web/updates/2018/06/feature-policy

[Gannon McGibbon + Josh Cheek]

Since Rails 6.0 will support Ruby 2.4.1 or higher
`# frozen_string_literal: true` magic comment is enough to make string object frozen.
This magic comment is enabled by `Style/FrozenStringLiteralComment` cop.

* Exclude these files not to auto correct false positive `Regexp#freeze`
 - 'actionpack/lib/action_dispatch/journey/router/utils.rb'
 - 'activerecord/lib/active_record/connection_adapters/sqlite3_adapter.rb'

It has been fixed by https://github.com/rubocop-hq/rubocop/pull/6333
Once the newer version of RuboCop released and available at Code Climate these exclude entries should be removed.

* Replace `String#freeze` with `String#-@` manually if explicit frozen string objects are required

 - 'actionpack/test/controller/test_case_test.rb'
 - 'activemodel/test/cases/type/string_test.rb'
 - 'activesupport/lib/active_support/core_ext/string/strip.rb'
 - 'activesupport/test/core_ext/string_ext_test.rb'
 - 'railties/test/generators/actions_test.rb'

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

This basically reverts e9fca766, d08da958,
d1fe1dcf, and 68eaf7b4

When puma/puma#1403 is merged Puma will support the Early Hints status
code for sending assets before a request has finished.

While the Early Hints spec is still in draft, this PR prepares Rails to
allowing this status code.

If the proxy server supports Early Hints, it will send H2 pushes to the
client.

This PR adds a method for setting Early Hints Link headers via Rails,
and also automatically sends Early Hints if supported from the
`stylesheet_link_tag` and the `javascript_include_tag`.

Once puma supports Early Hints the `--early-hints` argument can be
passed to the server to enable this or set in the puma config with
`early_hints(true)`. Note that for Early Hints to work
in the browser the requirements are 1) a proxy that can handle H2,
and 2) HTTPS.

To start the server with Early Hints enabled pass `--early-hints` to
`rails s`.

This has been verified to work with h2o, Puma, and Rails with Chrome.

The commit adds a new option to the rails server to enable early hints
for Puma.

Early Hints spec:
https://tools.ietf.org/html/draft-ietf-httpbis-early-hints-04

[Eileen M. Uchitelle, Aaron Patterson]

This commit changes the behavior such the path_params now default to
UTF8 just like regular parameters. This also changes the behavior such
that if a path parameter contains invalid UTF8 it returns a 400 bad
request. Previously the behavior was to encode the path params as binary
but that's not the same as query params.

So this commit makes path params behave the same as query params.

It's important to test with a path that's encoded as binary because
that's how paths are encoded from the socket. The test that was altered
was changed to make the behavior for bad encoding the same as query
params. We want to treat path params the same as query params. The params
in the test are invalid UTF8 so they should return a bad request.

Fixes #29669

*Eileen M. Uchitelle, Aaron Patterson, & Tsukuru Tanimichi*

This reverts commit 3420a145, reversing
changes made to afb66a5a.

Documentation for ActionDispatch::Request#key? [ci skip]

Update request.rb --ci skip

Documentation for ActionDispatch::Request#key? [ci skip]
Also made change after the  review by @rafaelfranca .

Update request.rb --ci skip

Documentation for ActionDispatch::Request#key? [ci skip]
Also made change after the  review by @rafaelfranca .

Update request.rb --ci skip

This commit changes `parameter_encoding` to `skip_parameter_encoding`.
`skip_parameter_encoding` will set encoding on all parameters to
ASCII-8BIT for a given action on a particular controller.  This allows
the controller to handle data when the encoding of that data is unknown,
for example file systems or truly binary parameters.

ActionDispatch::ParamsParser class was removed in favor of
ActionDispatch::Http::Parameters so it is better to move the error
constant to the new class.

Style/SpaceBeforeBlockBraces
Style/SpaceInsideBlockBraces
Style/SpaceInsideHashLiteralBraces

Fix all violations in the repository.

At GitHub we need to handle parameter encodings that are not UTF-8. This
patch allows us to specify encodings per parameter per action.

The current code base is not uniform. After some discussion,
we have chosen to go with double quotes by default.

Check for any non-UTF8 characters in path parameters at the point they're
set in `env`. Previously they were checked for when used to get a controller
class, but this meant routes that went directly to a Rack app, or skipped
controller instantiation for some other reason, had to defend against
non-UTF8 characters themselves.

Due to that `ActionDispatch::Flash` (the flash API's middleware) is not
included for API controllers, the `request.reset_session` method, which
relies on there being a `flash=` method which is in fact defined by the
middleware, was previously breaking. Similarly to how
add46482 created a method to be
overridden by the flash middleware in order to ensure non-breakage, this
is how flashes are now reset.

Fixes #24222

This bug affects `wss://` requests when running Action Cable in-app.
Fixes #23620.

Converting nbsp(\u{00A0}) to the normal ASCII space(\u{0020})
[ci skip]