-rw-r--r--.travis.yml2
-rw-r--r--Gemfile60
-rw-r--r--Gemfile.lock374
-rw-r--r--app/controllers/api/web/push_subscriptions_controller.rb25
-rw-r--r--app/controllers/settings/follower_domains_controller.rb2
-rw-r--r--app/javascript/flavours/glitch/styles/components/media.scss12
-rw-r--r--app/models/account.rb4
-rw-r--r--app/models/notification.rb2
-rw-r--r--app/models/status.rb2
-rwxr-xr-xbin/bundle2
-rwxr-xr-xbin/setup3
-rwxr-xr-xbin/update6
-rwxr-xr-xbin/webpack14
-rwxr-xr-xbin/webpack-dev-server14
-rwxr-xr-xbin/yarn11
-rw-r--r--config/application.rb16
-rw-r--r--config/boot.rb2
-rw-r--r--config/deploy.rb2
-rw-r--r--config/environments/development.rb3
-rw-r--r--config/environments/production.rb4
-rw-r--r--config/environments/test.rb2
-rw-r--r--config/initializers/content_security_policy.rb20
-rw-r--r--config/initializers/cors.rb30
-rw-r--r--db/schema.rb1
24 files changed, 340 insertions, 273 deletions
diff --git a/.travis.yml b/.travis.yml
index d5efd9703..238b9a3f6 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -48,7 +48,7 @@ install:
   - yarn install
 
 before_script:
-  - ./bin/rails parallel:create parallel:load_schema parallel:prepare assets:precompile
+  - travis_wait ./bin/rails parallel:create parallel:load_schema parallel:prepare assets:precompile
 
 script:
   - travis_retry bundle exec parallel_test spec/ --group-by filesize --type rspec
diff --git a/Gemfile b/Gemfile
index e677b3580..068b4874d 100644
--- a/Gemfile
+++ b/Gemfile
@@ -5,12 +5,12 @@ ruby '>= 2.3.0', '< 2.6.0'
 
 gem 'pkg-config', '~> 1.2'
 
-gem 'puma', '~> 3.10'
-gem 'rails', '~> 5.1.4'
+gem 'puma', '~> 3.11'
+gem 'rails', '~> 5.2.0'
 
 gem 'hamlit-rails', '~> 0.2'
-gem 'pg', '~> 0.20'
-gem 'pghero', '~> 1.7'
+gem 'pg', '~> 1.0'
+gem 'pghero', '~> 2.1'
 gem 'dotenv-rails', '~> 2.2'
 
 gem 'aws-sdk-s3', '~> 1.8', require: false
@@ -24,14 +24,14 @@ gem 'streamio-ffmpeg', '~> 3.0'
 
 gem 'active_model_serializers', '~> 0.10'
 gem 'addressable', '~> 2.5'
-gem 'bootsnap'
+gem 'bootsnap', '~> 1.3'
 gem 'browser'
 gem 'charlock_holmes', '~> 0.7.6'
 gem 'iso-639'
 gem 'chewy', '~> 5.0'
 gem 'cld3', '~> 3.2.0'
 gem 'devise', '~> 4.4'
-gem 'devise-two-factor', '~> 3.0'
+gem 'devise-two-factor', '~> 3.0', git: 'https://github.com/ykzts/devise-two-factor.git', branch: 'rails-5.2'
 
 group :pam_authentication, optional: true do
   gem 'devise_pam_authenticatable2', '~> 9.1'
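Review bot: The `devise-two-factor` line now takes the second-factor authentication gem from a personal fork tracked by branch name (`branch: 'rails-5.2'`), so the Gemfile does not fix which code is trusted. Only the `revision:` recorded in Gemfile.lock does, and a later `bundle update devise-two-factor` would move to whatever the branch head is at that time. Replacing `branch:` with `ref:` set to the reviewed revision from Gemfile.lock keeps any change of code an explicit, reviewable edit. A comment above the line should say why the fork is needed and when to go back, e.g. `# Temporary fork that relaxes the railties < 5.2 constraint; return to the rubygems.org release once it supports Rails 5.2`.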
@@ -42,7 +42,7 @@ gem 'omniauth-cas', '~> 1.1'
 gem 'omniauth-saml', '~> 1.10'
 gem 'omniauth', '~> 1.2'
 
-gem 'doorkeeper', '~> 4.2'
+gem 'doorkeeper', '~> 4.3'
 gem 'fast_blank', '~> 1.0'
 gem 'fastimage'
 gem 'goldfinger', '~> 2.1'
@@ -52,50 +52,50 @@ gem 'html2text'
 gem 'htmlentities', '~> 4.3'
 gem 'http', '~> 3.0'
 gem 'http_accept_language', '~> 2.1'
-gem 'httplog', '~> 0.99'
+gem 'httplog', '~> 1.0'
 gem 'idn-ruby', require: 'idn'
 gem 'kaminari', '~> 1.1'
 gem 'link_header', '~> 0.0'
 gem 'mime-types', '~> 3.1'
 gem 'nokogiri', '~> 1.8'
 gem 'nsa', '~> 0.2'
-gem 'oj', '~> 3.3'
+gem 'oj', '~> 3.4'
 gem 'ostatus2', '~> 2.0'
 gem 'ox', '~> 2.8'
 gem 'pundit', '~> 1.1'
 gem 'premailer-rails'
-gem 'rack-attack', '~> 5.0'
-gem 'rack-cors', '~> 0.4', require: 'rack/cors'
+gem 'rack-attack', '~> 5.2'
+gem 'rack-cors', '~> 1.0', require: 'rack/cors'
 gem 'rack-timeout', '~> 0.4'
-gem 'rails-i18n', '~> 5.0'
+gem 'rails-i18n', '~> 5.1'
 gem 'rails-settings-cached', '~> 0.6'
-gem 'redis', '~> 3.3', require: ['redis', 'redis/connection/hiredis']
+gem 'redis', '~> 4.0', require: ['redis', 'redis/connection/hiredis']
 gem 'mario-redis-lock', '~> 1.2', require: 'redis_lock'
 gem 'rqrcode', '~> 0.10'
 gem 'ruby-oembed', '~> 0.12', require: 'oembed'
 gem 'ruby-progressbar', '~> 1.4'
-gem 'sanitize', '~> 4.6.4'
-gem 'sidekiq', '~> 5.0'
-gem 'sidekiq-scheduler', '~> 2.1'
+gem 'sanitize', '~> 4.6'
+gem 'sidekiq', '~> 5.1'
+gem 'sidekiq-scheduler', '~> 2.2'
 gem 'sidekiq-unique-jobs', '~> 5.0'
 gem 'sidekiq-bulk', '~>0.1.1'
 gem 'simple-navigation', '~> 4.0'
-gem 'simple_form', '~> 3.4'
+gem 'simple_form', '~> 4.0'
 gem 'sprockets-rails', '~> 3.2', require: 'sprockets/railtie'
 gem 'stoplight', '~> 2.1.3'
-gem 'strong_migrations'
+gem 'strong_migrations', '~> 0.2'
 gem 'tty-command'
 gem 'tty-prompt'
 gem 'twitter-text', '~> 1.14'
-gem 'tzinfo-data', '~> 1.2017'
-gem 'webpacker', '~> 3.0'
+gem 'tzinfo-data', '~> 1.2018'
+gem 'webpacker', '~> 3.4'
 gem 'webpush'
 
-gem 'json-ld-preloaded', '~> 2.2.1'
-gem 'rdf-normalize', '~> 0.3.1'
+gem 'json-ld-preloaded', '~> 2.2'
+gem 'rdf-normalize', '~> 0.3'
 
 group :development, :test do
-  gem 'fabrication', '~> 2.18'
+  gem 'fabrication', '~> 2.20'
   gem 'fuubar', '~> 2.2'
   gem 'i18n-tasks', '~> 0.9', require: false
   gem 'pry-rails', '~> 0.3'
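Review bot: Relaxing `gem 'sanitize', '~> 4.6.4'` to `'~> 4.6'` drops the patch-level floor for the HTML sanitizer: the new constraint also accepts 4.6.0 through 4.6.3, and anything below 5.0. The old floor was presumably deliberate, so if it marked a required fix, keep it as a second constraint: `gem 'sanitize', '~> 4.6', '>= 4.6.4'`. The same loosening is applied to `json-ld-preloaded` and `rdf-normalize` in this hunk. Gemfile.lock still decides the installed version, but the Gemfile no longer records the minimum.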
@@ -107,15 +107,15 @@ group :production, :test do
 end
 
 group :test do
-  gem 'capybara', '~> 2.15'
+  gem 'capybara', '~> 2.18'
   gem 'climate_control', '~> 0.2'
-  gem 'faker', '~> 1.7'
+  gem 'faker', '~> 1.8'
   gem 'microformats', '~> 4.0'
   gem 'rails-controller-testing', '~> 1.0'
   gem 'rspec-sidekiq', '~> 3.0'
   gem 'simplecov', '~> 0.14', require: false
-  gem 'webmock', '~> 3.0'
-  gem 'parallel_tests', '~> 2.17'
+  gem 'webmock', '~> 3.3'
+  gem 'parallel_tests', '~> 2.21'
 end
 
 group :development do
@@ -123,12 +123,12 @@ group :development do
   gem 'annotate', '~> 2.7'
   gem 'better_errors', '~> 2.4'
   gem 'binding_of_caller', '~> 0.7'
-  gem 'bullet', '~> 5.5'
+  gem 'bullet', '~> 5.7'
   gem 'letter_opener', '~> 1.4'
   gem 'letter_opener_web', '~> 1.3'
   gem 'memory_profiler'
   gem 'rubocop', require: false
-  gem 'brakeman', '~> 4.0', require: false
+  gem 'brakeman', '~> 4.2', require: false
   gem 'bundler-audit', '~> 0.6', require: false
   gem 'scss_lint', '~> 0.55', require: false
 
@@ -139,6 +139,6 @@ group :development do
 end
 
 group :production do
-  gem 'lograge', '~> 0.7'
+  gem 'lograge', '~> 0.9'
   gem 'redis-rails', '~> 5.0'
 end
diff --git a/Gemfile.lock b/Gemfile.lock
index c81249411..09ee34f89 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,25 +1,37 @@
+GIT
+  remote: https://github.com/ykzts/devise-two-factor.git
+  revision: f60492b29c174d4c959ac02406392f8eb9c4d374
+  branch: rails-5.2
+  specs:
+    devise-two-factor (3.0.2)
+      activesupport (< 5.3)
+      attr_encrypted (>= 1.3, < 4, != 2)
+      devise (~> 4.0)
+      railties (< 5.3)
+      rotp (~> 2.0)
+
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (5.1.4)
-      actionpack (= 5.1.4)
+    actioncable (5.2.0)
+      actionpack (= 5.2.0)
       nio4r (~> 2.0)
-      websocket-driver (~> 0.6.1)
-    actionmailer (5.1.4)
-      actionpack (= 5.1.4)
-      actionview (= 5.1.4)
-      activejob (= 5.1.4)
+      websocket-driver (>= 0.6.1)
+    actionmailer (5.2.0)
+      actionpack (= 5.2.0)
+      actionview (= 5.2.0)
+      activejob (= 5.2.0)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.1.4)
-      actionview (= 5.1.4)
-      activesupport (= 5.1.4)
+    actionpack (5.2.0)
+      actionview (= 5.2.0)
+      activesupport (= 5.2.0)
       rack (~> 2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.1.4)
-      activesupport (= 5.1.4)
+    actionview (5.2.0)
+      activesupport (= 5.2.0)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
@@ -30,18 +42,22 @@ GEM
       case_transform (>= 0.2)
       jsonapi-renderer (>= 0.1.1.beta1, < 0.3)
     active_record_query_trace (1.5.4)
-    activejob (5.1.4)
-      activesupport (= 5.1.4)
+    activejob (5.2.0)
+      activesupport (= 5.2.0)
       globalid (>= 0.3.6)
-    activemodel (5.1.4)
-      activesupport (= 5.1.4)
-    activerecord (5.1.4)
-      activemodel (= 5.1.4)
-      activesupport (= 5.1.4)
-      arel (~> 8.0)
-    activesupport (5.1.4)
+    activemodel (5.2.0)
+      activesupport (= 5.2.0)
+    activerecord (5.2.0)
+      activemodel (= 5.2.0)
+      activesupport (= 5.2.0)
+      arel (>= 9.0)
+    activestorage (5.2.0)
+      actionpack (= 5.2.0)
+      activerecord (= 5.2.0)
+      marcel (~> 0.3.1)
+    activesupport (5.2.0)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (~> 0.7)
+      i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     addressable (2.5.2)
@@ -51,9 +67,9 @@ GEM
     annotate (2.7.2)
       activerecord (>= 3.2, < 6.0)
       rake (>= 10.4, < 13.0)
-    arel (8.0.0)
-    ast (2.3.0)
-    attr_encrypted (3.0.3)
+    arel (9.0.0)
+    ast (2.4.0)
+    attr_encrypted (3.1.0)
       encryptor (~> 3.0.0)
     av (0.9.0)
       cocaine (~> 0.5.3)
@@ -77,18 +93,18 @@ GEM
       rack (>= 0.9.0)
     binding_of_caller (0.8.0)
       debug_inspector (>= 0.0.1)
-    bootsnap (1.1.5)
+    bootsnap (1.3.0)
       msgpack (~> 1.0)
-    brakeman (4.0.1)
+    brakeman (4.2.1)
     browser (2.5.2)
     builder (3.2.3)
-    bullet (5.6.1)
+    bullet (5.7.5)
       activesupport (>= 3.0.0)
-      uniform_notifier (~> 1.10.0)
+      uniform_notifier (~> 1.11.0)
     bundler-audit (0.6.0)
       bundler (~> 1.2)
       thor (~> 0.18)
-    capistrano (3.10.0)
+    capistrano (3.10.1)
       airbrussh (>= 1.0.0)
       i18n
       rake (>= 10.0.0)
@@ -104,13 +120,13 @@ GEM
       sshkit (~> 1.3)
     capistrano-yarn (2.0.2)
       capistrano (~> 3.0)
-    capybara (2.16.1)
+    capybara (2.18.0)
       addressable
       mini_mime (>= 0.1.3)
       nokogiri (>= 1.3.3)
       rack (>= 1.0.0)
       rack-test (>= 0.5.4)
-      xpath (~> 2.0)
+      xpath (>= 2.0, < 4.0)
     case_transform (0.2)
       activesupport
     charlock_holmes (0.7.6)
@@ -118,7 +134,7 @@ GEM
       activesupport (>= 4.0)
       elasticsearch (>= 2.0.0)
       elasticsearch-dsl
-    chunky_png (1.3.8)
+    chunky_png (1.3.10)
     cld3 (3.2.2)
       ffi (>= 1.1.0, < 1.10.0)
     climate_control (0.2.0)
@@ -130,22 +146,16 @@ GEM
     connection_pool (2.2.1)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
-    crass (1.0.3)
+    crass (1.0.4)
     css_parser (1.6.0)
       addressable
     debug_inspector (0.0.3)
-    devise (4.4.0)
+    devise (4.4.3)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 5.2)
+      railties (>= 4.1.0, < 6.0)
       responders
       warden (~> 1.2.3)
-    devise-two-factor (3.0.2)
-      activesupport (< 5.2)
-      attr_encrypted (>= 1.3, < 4, != 2)
-      devise (~> 4.0)
-      railties (< 5.2)
-      rotp (~> 2.0)
     devise_pam_authenticatable2 (9.1.0)
       devise (>= 4.0.0)
       rpam2 (~> 4.0)
@@ -153,14 +163,13 @@ GEM
     docile (1.1.5)
     domain_name (0.5.20170404)
       unf (>= 0.0.5, < 1.0.0)
-    doorkeeper (4.2.6)
+    doorkeeper (4.3.2)
       railties (>= 4.2)
-    dotenv (2.2.1)
-    dotenv-rails (2.2.1)
-      dotenv (= 2.2.1)
-      railties (>= 3.2, < 5.2)
-    easy_translate (0.5.0)
-      json
+    dotenv (2.2.2)
+    dotenv-rails (2.2.2)
+      dotenv (= 2.2.2)
+      railties (>= 3.2, < 6.0)
+    easy_translate (0.5.1)
       thread
       thread_safe
     elasticsearch (6.0.1)
@@ -174,18 +183,18 @@ GEM
       multi_json
     encryptor (3.0.0)
     equatable (0.5.0)
-    erubi (1.7.0)
-    et-orbi (1.0.8)
+    erubi (1.7.1)
+    et-orbi (1.0.9)
       tzinfo
-    excon (0.59.0)
-    fabrication (2.18.0)
-    faker (1.8.4)
-      i18n (~> 0.5)
+    excon (0.60.0)
+    fabrication (2.20.1)
+    faker (1.8.7)
+      i18n (>= 0.7)
     faraday (0.14.0)
       multipart-post (>= 1.2, < 3)
     fast_blank (1.0.0)
     fastimage (2.1.1)
-    ffi (1.9.18)
+    ffi (1.9.21)
     fog-core (1.45.0)
       builder
       excon (~> 0.58)
@@ -195,12 +204,12 @@ GEM
       multi_json (~> 1.10)
     fog-local (0.4.0)
       fog-core (~> 1.27)
-    fog-openstack (0.1.22)
-      fog-core (>= 1.40)
+    fog-openstack (0.1.23)
+      fog-core (~> 1.40)
       fog-json (>= 1.0)
       ipaddress (>= 0.8)
     formatador (0.2.5)
-    fuubar (2.2.0)
+    fuubar (2.3.1)
       rspec-core (~> 3.0)
       ruby-progressbar (~> 1.4)
     globalid (0.4.1)
@@ -210,7 +219,7 @@ GEM
       http (~> 3.0)
       nokogiri (~> 1.8)
       oj (~> 3.0)
-    hamlit (2.8.5)
+    hamlit (2.8.8)
       temple (>= 0.8.0)
       thor
       tilt
@@ -240,33 +249,33 @@ GEM
     http-form_data (2.0.0)
     http_accept_language (2.1.1)
     http_parser.rb (0.6.0)
-    httplog (0.99.7)
-      colorize
-      rack
-    i18n (0.9.5)
+    httplog (1.0.2)
+      colorize (~> 0.8)
+      rack (>= 1.0)
+    i18n (1.0.0)
       concurrent-ruby (~> 1.0)
-    i18n-tasks (0.9.19)
+    i18n-tasks (0.9.21)
       activesupport (>= 4.0.2)
       ast (>= 2.1.0)
-      easy_translate (>= 0.5.0)
+      easy_translate (>= 0.5.1)
       erubi
       highline (>= 1.7.3)
       i18n
       parser (>= 2.2.3.0)
-      rainbow (~> 2.2)
+      rainbow (>= 2.2.2, < 4.0)
       terminal-table (>= 1.5.1)
     idn-ruby (0.1.0)
     ipaddress (0.8.3)
     iso-639 (0.2.8)
     jmespath (1.3.1)
     json (2.1.0)
-    json-ld (2.1.7)
+    json-ld (2.2.1)
+      multi_json (~> 1.12)
+      rdf (>= 2.2.8, < 4.0)
+    json-ld-preloaded (2.2.3)
+      json-ld (>= 2.2, < 4.0)
       multi_json (~> 1.12)
-      rdf (~> 2.2, >= 2.2.8)
-    json-ld-preloaded (2.2.2)
-      json-ld (~> 2.1, >= 2.1.5)
-      multi_json (~> 1.11)
-      rdf (~> 2.2)
+      rdf (>= 2.2, < 4.0)
     jsonapi-renderer (0.2.0)
     jwt (2.1.0)
     kaminari (1.1.1)
@@ -283,25 +292,27 @@ GEM
     kaminari-core (1.1.1)
     launchy (2.4.3)
       addressable (~> 2.3)
-    letter_opener (1.4.1)
+    letter_opener (1.6.0)
       launchy (~> 2.2)
-    letter_opener_web (1.3.1)
+    letter_opener_web (1.3.4)
       actionmailer (>= 3.2)
       letter_opener (~> 1.0)
       railties (>= 3.2)
     link_header (0.0.8)
-    lograge (0.7.1)
-      actionpack (>= 4, < 5.2)
-      activesupport (>= 4, < 5.2)
-      railties (>= 4, < 5.2)
+    lograge (0.9.0)
+      actionpack (>= 4)
+      activesupport (>= 4)
+      railties (>= 4)
       request_store (~> 1.0)
-    loofah (2.2.1)
+    loofah (2.2.2)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.0)
       mini_mime (>= 0.1.1)
-    mario-redis-lock (1.2.0)
-      redis (~> 3, >= 3.0.5)
+    marcel (0.3.2)
+      mimemagic (~> 0.3.2)
+    mario-redis-lock (1.2.1)
+      redis (>= 3.0.5)
     memory_profiler (0.9.10)
     method_source (0.9.0)
     microformats (4.0.7)
@@ -314,15 +325,15 @@ GEM
     mini_mime (1.0.0)
     mini_portile2 (2.3.0)
     minitest (5.11.3)
-    msgpack (1.1.0)
-    multi_json (1.12.2)
+    msgpack (1.2.4)
+    multi_json (1.13.1)
     multipart-post (2.0.0)
     necromancer (0.4.0)
     net-ldap (0.16.1)
     net-scp (1.2.1)
       net-ssh (>= 2.6.5)
     net-ssh (4.2.0)
-    nio4r (2.1.0)
+    nio4r (2.3.0)
     nokogiri (1.8.2)
       mini_portile2 (~> 2.3.0)
     nokogumbo (1.5.0)
@@ -332,7 +343,7 @@ GEM
       concurrent-ruby (~> 1.0.0)
       sidekiq (>= 3.5.0)
       statsd-ruby (~> 1.2.0)
-    oj (3.3.10)
+    oj (3.4.0)
     omniauth (1.8.1)
       hashie (>= 3.4.6, < 3.6.0)
       rack (>= 1.6.2, < 3)
@@ -358,25 +369,25 @@ GEM
     paperclip-av-transcoder (0.6.4)
       av (~> 0.9.0)
       paperclip (>= 2.5.2)
-    parallel (1.12.0)
-    parallel_tests (2.19.0)
+    parallel (1.12.1)
+    parallel_tests (2.21.1)
       parallel
-    parser (2.4.0.2)
-      ast (~> 2.3)
+    parser (2.5.1.0)
+      ast (~> 2.4.0)
     pastel (0.7.2)
       equatable (~> 0.5.0)
       tty-color (~> 0.4.0)
-    pg (0.21.0)
-    pghero (1.7.0)
+    pg (1.0.0)
+    pghero (2.1.0)
       activerecord
-    pkg-config (1.2.8)
+    pkg-config (1.2.9)
     posix-spawn (0.3.13)
     powerpack (0.1.1)
     premailer (1.11.1)
       addressable
       css_parser (>= 1.6.0)
       htmlentities (>= 4.0.0)
-    premailer-rails (1.10.1)
+    premailer-rails (1.10.2)
       actionmailer (>= 3, < 6)
       premailer (~> 1.7, >= 1.7.9)
     private_address_check (0.4.1)
@@ -385,32 +396,33 @@ GEM
       method_source (~> 0.9.0)
     pry-rails (0.3.6)
       pry (>= 0.10.4)
-    public_suffix (3.0.1)
-    puma (3.11.0)
+    public_suffix (3.0.2)
+    puma (3.11.3)
     pundit (1.1.0)
       activesupport (>= 3.0.0)
-    rack (2.0.3)
-    rack-attack (5.0.1)
+    rack (2.0.4)
+    rack-attack (5.2.0)
       rack
-    rack-cors (0.4.1)
-    rack-protection (2.0.0)
+    rack-cors (1.0.2)
+    rack-protection (2.0.1)
       rack
-    rack-proxy (0.6.2)
+    rack-proxy (0.6.4)
       rack
-    rack-test (0.8.2)
+    rack-test (1.0.0)
       rack (>= 1.0, < 3)
     rack-timeout (0.4.2)
-    rails (5.1.4)
-      actioncable (= 5.1.4)
-      actionmailer (= 5.1.4)
-      actionpack (= 5.1.4)
-      actionview (= 5.1.4)
-      activejob (= 5.1.4)
-      activemodel (= 5.1.4)
-      activerecord (= 5.1.4)
-      activesupport (= 5.1.4)
+    rails (5.2.0)
+      actioncable (= 5.2.0)
+      actionmailer (= 5.2.0)
+      actionpack (= 5.2.0)
+      actionview (= 5.2.0)
+      activejob (= 5.2.0)
+      activemodel (= 5.2.0)
+      activerecord (= 5.2.0)
+      activestorage (= 5.2.0)
+      activesupport (= 5.2.0)
       bundler (>= 1.3.0)
-      railties (= 5.1.4)
+      railties (= 5.2.0)
       sprockets-rails (>= 2.0.0)
     rails-controller-testing (1.0.2)
       actionpack (~> 5.x, >= 5.0.1)
@@ -419,31 +431,30 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.0.3)
-      loofah (~> 2.0)
-    rails-i18n (5.0.4)
-      i18n (~> 0.7)
-      railties (~> 5.0)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
+    rails-i18n (5.1.1)
+      i18n (>= 0.7, < 2)
+      railties (>= 5.0, < 6)
     rails-settings-cached (0.6.6)
       rails (>= 4.2.0)
-    railties (5.1.4)
-      actionpack (= 5.1.4)
-      activesupport (= 5.1.4)
+    railties (5.2.0)
+      actionpack (= 5.2.0)
+      activesupport (= 5.2.0)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rainbow (2.2.2)
-      rake
-    rake (12.3.0)
+    rainbow (3.0.0)
+    rake (12.3.1)
     rb-fsevent (0.10.2)
     rb-inotify (0.9.10)
       ffi (>= 0.5.0, < 2)
-    rdf (2.2.12)
+    rdf (3.0.1)
       hamster (~> 3.0)
       link_header (~> 0.0, >= 0.0.8)
-    rdf-normalize (0.3.2)
-      rdf (~> 2.0)
-    redis (3.3.5)
+    rdf-normalize (0.3.3)
+      rdf (>= 2.2, < 4.0)
+    redis (4.0.1)
     redis-actionpack (5.0.2)
       actionpack (>= 4.0, < 6)
       redis-rack (>= 1, < 3)
@@ -453,7 +464,7 @@ GEM
       redis-store (>= 1.3, < 2)
     redis-namespace (1.6.0)
       redis (>= 3.0.4)
-    redis-rack (2.0.3)
+    redis-rack (2.0.4)
       rack (>= 1.5, < 3)
       redis-store (>= 1.2, < 2)
     redis-rails (5.0.2)
@@ -462,7 +473,8 @@ GEM
       redis-store (>= 1.2, < 2)
     redis-store (1.4.1)
       redis (>= 2.2, < 5)
-    request_store (1.3.2)
+    request_store (1.4.0)
+      rack (>= 1.4)
     responders (2.4.0)
       actionpack (>= 4.2.0, < 5.3)
       railties (>= 4.2.0, < 5.3)
@@ -470,7 +482,7 @@ GEM
     rpam2 (4.0.2)
     rqrcode (0.10.1)
       chunky_png (~> 1.0)
-    rspec-core (3.7.0)
+    rspec-core (3.7.1)
       rspec-support (~> 3.7.0)
     rspec-expectations (3.7.0)
       diff-lcs (>= 1.2.0, < 2.0)
@@ -489,12 +501,12 @@ GEM
     rspec-sidekiq (3.0.3)
       rspec-core (~> 3.0, >= 3.0.0)
       sidekiq (>= 2.4.0)
-    rspec-support (3.7.0)
-    rubocop (0.51.0)
+    rspec-support (3.7.1)
+    rubocop (0.52.1)
       parallel (~> 1.10)
-      parser (>= 2.3.3.1, < 3.0)
+      parser (>= 2.4.0.2, < 3.0)
       powerpack (~> 0.1)
-      rainbow (>= 2.2.2, < 3.0)
+      rainbow (>= 2.2.2, < 4.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (~> 1.0, >= 1.0.1)
     ruby-oembed (0.12.0)
@@ -508,7 +520,7 @@ GEM
       crass (~> 1.0.2)
       nokogiri (>= 1.4.4)
       nokogumbo (~> 1.4)
-    sass (3.5.3)
+    sass (3.5.5)
       sass-listen (~> 4.0.0)
     sass-listen (4.0.0)
       rb-fsevent (~> 0.9, >= 0.9.4)
@@ -516,15 +528,15 @@ GEM
     scss_lint (0.56.0)
       rake (>= 0.9, < 13)
       sass (~> 3.5.3)
-    sidekiq (5.0.5)
+    sidekiq (5.1.3)
       concurrent-ruby (~> 1.0)
       connection_pool (~> 2.2, >= 2.2.0)
       rack-protection (>= 1.5.0)
-      redis (>= 3.3.4, < 5)
+      redis (>= 3.3.5, < 5)
     sidekiq-bulk (0.1.1)
       activesupport
       sidekiq
-    sidekiq-scheduler (2.1.10)
+    sidekiq-scheduler (2.2.1)
       redis (>= 3, < 5)
       rufus-scheduler (~> 3.2)
       sidekiq (>= 3)
@@ -534,9 +546,9 @@ GEM
       thor (~> 0)
     simple-navigation (4.0.5)
       activesupport (>= 2.3.2)
-    simple_form (3.5.0)
-      actionpack (> 4, < 5.2)
-      activemodel (> 4, < 5.2)
+    simple_form (4.0.0)
+      actionpack (> 4)
+      activemodel (> 4)
     simplecov (0.15.1)
       docile (~> 1.1.0)
       json (>= 1.8, < 3)
@@ -549,14 +561,14 @@ GEM
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
-    sshkit (1.15.1)
+    sshkit (1.16.0)
       net-scp (>= 1.1.2)
       net-ssh (>= 2.8.0)
     statsd-ruby (1.2.1)
     stoplight (2.1.3)
     streamio-ffmpeg (3.0.2)
       multi_json (~> 1.8)
-    strong_migrations (0.1.9)
+    strong_migrations (0.2.2)
       activerecord (>= 3.2.0)
     temple (0.8.0)
     terminal-table (1.8.0)
@@ -588,32 +600,32 @@ GEM
       unf (~> 0.1.0)
     tzinfo (1.2.5)
       thread_safe (~> 0.1)
-    tzinfo-data (1.2017.3)
+    tzinfo-data (1.2018.4)
       tzinfo (>= 1.0.0)
     unf (0.1.4)
       unf_ext
-    unf_ext (0.0.7.4)
+    unf_ext (0.0.7.5)
     unicode-display_width (1.3.0)
-    uniform_notifier (1.10.0)
+    uniform_notifier (1.11.0)
     warden (1.2.7)
       rack (>= 1.0)
-    webmock (3.1.1)
+    webmock (3.3.0)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff
-    webpacker (3.0.2)
+    webpacker (3.4.3)
       activesupport (>= 4.2)
       rack-proxy (>= 0.6.1)
       railties (>= 4.2)
     webpush (0.3.3)
       hkdf (~> 0.2)
       jwt (~> 2.0)
-    websocket-driver (0.6.5)
+    websocket-driver (0.7.0)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.3)
     wisper (2.0.0)
-    xpath (2.1.0)
-      nokogiri (~> 1.3)
+    xpath (3.0.0)
+      nokogiri (~> 1.8)
 
 PLATFORMS
   ruby
@@ -626,27 +638,27 @@ DEPENDENCIES
   aws-sdk-s3 (~> 1.8)
   better_errors (~> 2.4)
   binding_of_caller (~> 0.7)
-  bootsnap
-  brakeman (~> 4.0)
+  bootsnap (~> 1.3)
+  brakeman (~> 4.2)
   browser
-  bullet (~> 5.5)
+  bullet (~> 5.7)
   bundler-audit (~> 0.6)
   capistrano (~> 3.10)
   capistrano-rails (~> 1.3)
   capistrano-rbenv (~> 2.1)
   capistrano-yarn (~> 2.0)
-  capybara (~> 2.15)
+  capybara (~> 2.18)
   charlock_holmes (~> 0.7.6)
   chewy (~> 5.0)
   cld3 (~> 3.2.0)
   climate_control (~> 0.2)
   devise (~> 4.4)
-  devise-two-factor (~> 3.0)
+  devise-two-factor (~> 3.0)!
   devise_pam_authenticatable2 (~> 9.1)
-  doorkeeper (~> 4.2)
+  doorkeeper (~> 4.3)
   dotenv-rails (~> 2.2)
-  fabrication (~> 2.18)
-  faker (~> 1.7)
+  fabrication (~> 2.20)
+  faker (~> 1.8)
   fast_blank (~> 1.0)
   fastimage
   fog-core (~> 1.45)
@@ -660,16 +672,16 @@ DEPENDENCIES
   htmlentities (~> 4.3)
   http (~> 3.0)
   http_accept_language (~> 2.1)
-  httplog (~> 0.99)
+  httplog (~> 1.0)
   i18n-tasks (~> 0.9)
   idn-ruby
   iso-639
-  json-ld-preloaded (~> 2.2.1)
+  json-ld-preloaded (~> 2.2)
   kaminari (~> 1.1)
   letter_opener (~> 1.4)
   letter_opener_web (~> 1.3)
   link_header (~> 0.0)
-  lograge (~> 0.7)
+  lograge (~> 0.9)
   mario-redis-lock (~> 1.2)
   memory_profiler
   microformats (~> 4.0)
@@ -677,7 +689,7 @@ DEPENDENCIES
   net-ldap (~> 0.10)
   nokogiri (~> 1.8)
   nsa (~> 0.2)
-  oj (~> 3.3)
+  oj (~> 3.4)
   omniauth (~> 1.2)
   omniauth-cas (~> 1.1)
   omniauth-saml (~> 1.10)
@@ -685,25 +697,25 @@ DEPENDENCIES
   ox (~> 2.8)
   paperclip (~> 6.0)
   paperclip-av-transcoder (~> 0.6)
-  parallel_tests (~> 2.17)
-  pg (~> 0.20)
-  pghero (~> 1.7)
+  parallel_tests (~> 2.21)
+  pg (~> 1.0)
+  pghero (~> 2.1)
   pkg-config (~> 1.2)
   posix-spawn
   premailer-rails
   private_address_check (~> 0.4.1)
   pry-rails (~> 0.3)
-  puma (~> 3.10)
+  puma (~> 3.11)
   pundit (~> 1.1)
-  rack-attack (~> 5.0)
-  rack-cors (~> 0.4)
+  rack-attack (~> 5.2)
+  rack-cors (~> 1.0)
   rack-timeout (~> 0.4)
-  rails (~> 5.1.4)
+  rails (~> 5.2.0)
   rails-controller-testing (~> 1.0)
-  rails-i18n (~> 5.0)
+  rails-i18n (~> 5.1)
   rails-settings-cached (~> 0.6)
-  rdf-normalize (~> 0.3.1)
-  redis (~> 3.3)
+  rdf-normalize (~> 0.3)
+  redis (~> 4.0)
   redis-namespace (~> 1.5)
   redis-rails (~> 5.0)
   rqrcode (~> 0.10)
@@ -712,25 +724,25 @@ DEPENDENCIES
   rubocop
   ruby-oembed (~> 0.12)
   ruby-progressbar (~> 1.4)
-  sanitize (~> 4.6.4)
+  sanitize (~> 4.6)
   scss_lint (~> 0.55)
-  sidekiq (~> 5.0)
+  sidekiq (~> 5.1)
   sidekiq-bulk (~> 0.1.1)
-  sidekiq-scheduler (~> 2.1)
+  sidekiq-scheduler (~> 2.2)
   sidekiq-unique-jobs (~> 5.0)
   simple-navigation (~> 4.0)
-  simple_form (~> 3.4)
+  simple_form (~> 4.0)
   simplecov (~> 0.14)
   sprockets-rails (~> 3.2)
   stoplight (~> 2.1.3)
   streamio-ffmpeg (~> 3.0)
-  strong_migrations
+  strong_migrations (~> 0.2)
   tty-command
   tty-prompt
   twitter-text (~> 1.14)
-  tzinfo-data (~> 1.2017)
-  webmock (~> 3.0)
-  webpacker (~> 3.0)
+  tzinfo-data (~> 1.2018)
+  webmock (~> 3.3)
+  webpacker (~> 3.4)
   webpush
 
 RUBY VERSION
diff --git a/app/controllers/api/web/push_subscriptions_controller.rb b/app/controllers/api/web/push_subscriptions_controller.rb
index 68ccbd5e2..c611031ab 100644
--- a/app/controllers/api/web/push_subscriptions_controller.rb
+++ b/app/controllers/api/web/push_subscriptions_controller.rb
@@ -7,9 +7,6 @@ class Api::Web::PushSubscriptionsController < Api::BaseController
   protect_from_forgery with: :exception
 
   def create
-    params.require(:subscription).require(:endpoint)
-    params.require(:subscription).require(:keys).require([:auth, :p256dh])
-
     active_session = current_session
 
     unless active_session.web_push_subscription.nil?
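Review bot: The two `params.require(...)` presence checks removed at the top of `create` are not replaced by the new `subscription_params` helper, because `permit` only filters and never raises for a missing nested key. In the next hunk `subscription_params[:keys][:p256dh]` therefore raises NoMethodError when `keys` is absent, and passes nil to `create!` when only `auth` or `p256dh` is missing. A malformed request that used to be rejected as a missing parameter now depends on model validations not shown here. Keeping the check on the permitted parameters, e.g. `subscription_params.require(:keys).require([:auth, :p256dh])` before building the record, restores the earlier behaviour. `create` continues outside this hunk.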
@@ -29,12 +26,12 @@ class Api::Web::PushSubscriptionsController < Api::BaseController
       },
     }
 
-    data.deep_merge!(params[:data]) if params[:data]
+    data.deep_merge!(data_params) if params[:data]
 
     web_subscription = ::Web::PushSubscription.create!(
-      endpoint: params[:subscription][:endpoint],
-      key_p256dh: params[:subscription][:keys][:p256dh],
-      key_auth: params[:subscription][:keys][:auth],
+      endpoint: subscription_params[:endpoint],
+      key_p256dh: subscription_params[:keys][:p256dh],
+      key_auth: subscription_params[:keys][:auth],
       data: data
     )
 
@@ -44,12 +41,22 @@ class Api::Web::PushSubscriptionsController < Api::BaseController
   end
 
   def update
-    params.require([:id, :data])
+    params.require([:id])
 
     web_subscription = ::Web::PushSubscription.find(params[:id])
 
-    web_subscription.update!(data: params[:data])
+    web_subscription.update!(data: data_params)
 
     render json: web_subscription.as_payload
   end
+
+  private
+
+  def subscription_params
+    @subscription_params ||= params.require(:subscription).permit(:endpoint, keys: [:auth, :p256dh])
+  end
+
+  def data_params
+    @data_params ||= params.require(:data).permit(:alerts)
+  end
 end
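Review bot: `permit(:alerts)` in `data_params` allows only a scalar value for `alerts`. If clients send `alerts` as a nested hash, which the nested default built in `create` suggests, strong parameters drops it and `update!(data: data_params)` then replaces the stored preferences with an empty set. Declaring the nested shape, `params.require(:data).permit(alerts: [<accepted alert keys>])`, keeps the allow-list while letting the values through. Separately, within the visible lines `::Web::PushSubscription.find(params[:id])` is not scoped to the caller, so unless a filter outside this hunk restricts it, the record to update is chosen by the client-supplied id alone. Resolving it through `current_session`, as `create` does, would tie it to the caller.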
diff --git a/app/controllers/settings/follower_domains_controller.rb b/app/controllers/settings/follower_domains_controller.rb
index 141b2270d..02533b81a 100644
--- a/app/controllers/settings/follower_domains_controller.rb
+++ b/app/controllers/settings/follower_domains_controller.rb
@@ -5,7 +5,7 @@ require 'sidekiq-bulk'
 class Settings::FollowerDomainsController < Settings::BaseController
   def show
     @account = current_account
-    @domains = current_account.followers.reorder('MIN(follows.id) DESC').group('accounts.domain').select('accounts.domain, count(accounts.id) as accounts_from_domain').page(params[:page]).per(10)
+    @domains = current_account.followers.reorder(Arel.sql('MIN(follows.id) DESC')).group('accounts.domain').select('accounts.domain, count(accounts.id) as accounts_from_domain').page(params[:page]).per(10)
   end
 
   def update
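Review bot: `Arel.sql(...)` marks its argument as trusted raw SQL and exempts it from the Rails 5.2 deprecation of non-attribute arguments to `reorder`/`pluck`. That is fine here because the argument is a constant literal, but nothing on the line says so. A short comment such as `# Arel.sql: constant SQL fragment; never interpolate request data into it` would discourage later edits from extending the string with parameters. The same applies to the two `pluck(Arel.sql(...))` calls in app/models/account.rb.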
diff --git a/app/javascript/flavours/glitch/styles/components/media.scss b/app/javascript/flavours/glitch/styles/components/media.scss
index 8bff42538..e62f64176 100644
--- a/app/javascript/flavours/glitch/styles/components/media.scss
+++ b/app/javascript/flavours/glitch/styles/components/media.scss
@@ -161,6 +161,12 @@
   max-width: 100vw;
   max-height: 100vh;
   position: relative;
+}
+
+.media-modal {
+  width: 100%;
+  height: 100%;
+  position: relative;
 
   .extended-video-player {
     width: 100%;
@@ -176,12 +182,6 @@
   }
 }
 
-.media-modal {
-  width: 100%;
-  height: 100%;
-  position: relative;
-}
-
 .media-modal__closer {
   position: absolute;
   top: 0;
diff --git a/app/models/account.rb b/app/models/account.rb
index 1be2f2da6..dd8bad585 100644
--- a/app/models/account.rb
+++ b/app/models/account.rb
@@ -247,11 +247,11 @@ class Account < ApplicationRecord
     end
 
     def domains
-      reorder(nil).pluck('distinct accounts.domain')
+      reorder(nil).pluck(Arel.sql('distinct accounts.domain'))
     end
 
     def inboxes
-      urls = reorder(nil).where(protocol: :activitypub).pluck("distinct coalesce(nullif(accounts.shared_inbox_url, ''), accounts.inbox_url)")
+      urls = reorder(nil).where(protocol: :activitypub).pluck(Arel.sql("distinct coalesce(nullif(accounts.shared_inbox_url, ''), accounts.inbox_url)"))
       DeliveryFailureTracker.filter(urls)
     end
 
diff --git a/app/models/notification.rb b/app/models/notification.rb
index be9964087..0b0f01aa8 100644
--- a/app/models/notification.rb
+++ b/app/models/notification.rb
@@ -81,8 +81,6 @@ class Notification < ApplicationRecord
       end
     end
 
-    private
-
     def activity_types_from_types(types)
       types.map { |type| TYPE_CLASS_MAP[type.to_sym] }.compact
     end
diff --git a/app/models/status.rb b/app/models/status.rb
index 34b41d347..5d309546f 100644
--- a/app/models/status.rb
+++ b/app/models/status.rb
@@ -355,7 +355,7 @@ class Status < ApplicationRecord
       self.in_reply_to_account_id = carried_over_reply_to_account_id
       self.conversation_id        = thread.conversation_id if conversation_id.nil?
     elsif conversation_id.nil?
-      create_conversation
+      self.conversation = Conversation.new
     end
   end
 
diff --git a/bin/bundle b/bin/bundle
index 66e9889e8..f19acf5b5 100755
--- a/bin/bundle
+++ b/bin/bundle
@@ -1,3 +1,3 @@
 #!/usr/bin/env ruby
-ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
 load Gem.bin_path('bundler', 'bundle')
diff --git a/bin/setup b/bin/setup
index 72b62a028..fc77b0809 100755
--- a/bin/setup
+++ b/bin/setup
@@ -1,10 +1,9 @@
 #!/usr/bin/env ruby
-require 'pathname'
 require 'fileutils'
 include FileUtils
 
 # path to your application root.
-APP_ROOT = Pathname.new File.expand_path('../../', __FILE__)
+APP_ROOT = File.expand_path('..', __dir__)
 
 def system!(*args)
   system(*args) || abort("\n== Command #{args} failed ==")
diff --git a/bin/update b/bin/update
index a8e4462f2..6d73559a3 100755
--- a/bin/update
+++ b/bin/update
@@ -1,10 +1,9 @@
 #!/usr/bin/env ruby
-require 'pathname'
 require 'fileutils'
 include FileUtils
 
 # path to your application root.
-APP_ROOT = Pathname.new File.expand_path('../../', __FILE__)
+APP_ROOT = File.expand_path('..', __dir__)
 
 def system!(*args)
   system(*args) || abort("\n== Command #{args} failed ==")
@@ -18,6 +17,9 @@ chdir APP_ROOT do
   system! 'gem install bundler --conservative'
   system('bundle check') || system!('bundle install')
 
+  # Install JavaScript dependencies if using Yarn
+  system('bin/yarn')
+
   puts "\n== Updating database =="
   system! 'bin/rails db:migrate'
 
diff --git a/bin/webpack b/bin/webpack
index 9d3800c74..0869ad277 100755
--- a/bin/webpack
+++ b/bin/webpack
@@ -1,11 +1,7 @@
 #!/usr/bin/env ruby
-# frozen_string_literal: true
-#
-# This file was generated by Bundler.
-#
-# The application 'webpack' is installed as part of a gem, and
-# this file is here to facilitate running it.
-#
+
+ENV["RAILS_ENV"] ||= ENV["RACK_ENV"] || "development"
+ENV["NODE_ENV"]  ||= ENV["NODE_ENV"] || "development"
 
 require "pathname"
 ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
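Review bot: `ENV["NODE_ENV"] ||= ENV["NODE_ENV"] || "development"` reads the variable it is assigning, so the middle term can never contribute; `ENV["NODE_ENV"] ||= "development"` says the same thing. The identical line is added in bin/webpack-dev-server. Both binstubs now fall back to development mode when neither RAILS_ENV nor RACK_ENV is set, which is worth a short comment so that a build run through these scripts without the variables exported is not mistaken for a production build. The `File.expand_path` call on the last line continues outside the hunk.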
@@ -14,4 +10,6 @@ ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
 require "rubygems"
 require "bundler/setup"
 
-load Gem.bin_path("webpacker", "webpack")
+require "webpacker"
+require "webpacker/webpack_runner"
+Webpacker::WebpackRunner.run(ARGV)
diff --git a/bin/webpack-dev-server b/bin/webpack-dev-server
index cf701102a..251f65e8e 100755
--- a/bin/webpack-dev-server
+++ b/bin/webpack-dev-server
@@ -1,11 +1,7 @@
 #!/usr/bin/env ruby
-# frozen_string_literal: true
-#
-# This file was generated by Bundler.
-#
-# The application 'webpack-dev-server' is installed as part of a gem, and
-# this file is here to facilitate running it.
-#
+
+ENV["RAILS_ENV"] ||= ENV["RACK_ENV"] || "development"
+ENV["NODE_ENV"]  ||= ENV["NODE_ENV"] || "development"
 
 require "pathname"
 ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
@@ -14,4 +10,6 @@ ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
 require "rubygems"
 require "bundler/setup"
 
-load Gem.bin_path("webpacker", "webpack-dev-server")
+require "webpacker"
+require "webpacker/dev_server_runner"
+Webpacker::DevServerRunner.run(ARGV)
diff --git a/bin/yarn b/bin/yarn
new file mode 100755
index 000000000..8c1535a78
--- /dev/null
+++ b/bin/yarn
@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+APP_ROOT = File.expand_path('..', __dir__)
+Dir.chdir(APP_ROOT) do
+  begin
+    exec "yarnpkg #{ARGV.join(' ')}" unless Dir.exist?('node_modules')
+  rescue Errno::ENOENT
+    $stderr.puts "Yarn executable was not detected in the system."
+    $stderr.puts "Download Yarn at https://yarnpkg.com/en/docs/install"
+    exit 1
+  end
+end
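Review bot: The `exec` line joins ARGV into one string, so when the result contains shell metacharacters Ruby hands it to the shell and arguments holding spaces, quotes or `;` are re-split or interpreted instead of reaching yarn as typed. Passing the arguments as a list avoids the shell and still raises `Errno::ENOENT` when the binary is missing: `exec 'yarnpkg', *ARGV unless Dir.exist?('node_modules')`. The `unless Dir.exist?('node_modules')` guard also makes the script a no-op on a checkout that already has packages installed, so the `system('bin/yarn')` call this commit adds to bin/update would appear not to refresh dependencies after a lockfile change. That call's return value is discarded as well, unlike the `system!` steps around it. If both are intended as best-effort, a one-line comment in each place would say so.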
diff --git a/config/application.rb b/config/application.rb
index c0899ad70..fdb534343 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -24,7 +24,7 @@ require_relative '../lib/mastodon/redis_config'
 module Mastodon
   class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
-    config.load_defaults 5.1
+    config.load_defaults 5.2
 
     # Settings in config/environments/* take precedence over those specified here.
     # Application configuration should go into files in config/initializers
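Review bot: `config.load_defaults 5.2` switches on every new 5.2 framework default at once, and several of them are security-relevant; as far as I know they include `action_controller.default_protect_from_forgery`, `action_dispatch.use_authenticated_cookie_encryption` and `active_support.use_authenticated_message_encryption`. Nothing in the hunk records which of these were checked against the app, for example controllers that authenticate by token rather than session, or cookies and signed messages issued before the upgrade. I would add a comment above the line such as `# 5.2 defaults reviewed: CSRF protection on by default, authenticated cookie/message encryption`, or override individual settings below it until each is verified. The class body continues outside the hunk.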
@@ -86,20 +86,6 @@ module Mastodon
 
     config.active_job.queue_adapter = :sidekiq
 
-    #config.middleware.insert_before 0, Rack::Cors, debug: true, logger: (-> { Rails.logger }) do
-    config.middleware.insert_before 0, Rack::Cors do
-      allow do
-        origins  '*'
-        resource '/@:username',  headers: :any, methods: [:get], credentials: false
-        resource '/api/*',       headers: :any, methods: [:post, :put, :delete, :get, :patch, :options], credentials: false, expose: ['Link', 'X-RateLimit-Reset', 'X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-Request-Id']
-        resource '/oauth/token', headers: :any, methods: [:post], credentials: false
-        resource '/assets/*', headers: :any, methods: [:get, :head, :options]
-        resource '/stylesheets/*', headers: :any, methods: [:get, :head, :options]
-        resource '/javascripts/*', headers: :any, methods: [:get, :head, :options]
-        resource '/packs/*', headers: :any, methods: [:get, :head, :options]
-      end
-    end
-
     config.middleware.use Rack::Attack
     config.middleware.use Rack::Deflater
 
diff --git a/config/boot.rb b/config/boot.rb
index 703738b76..0a3cd4ebe 100644
--- a/config/boot.rb
+++ b/config/boot.rb
@@ -1,7 +1,7 @@
 ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
 
 require 'bundler/setup' # Set up gems listed in the Gemfile.
-require 'bootsnap'
+require 'bootsnap' # Speed up boot time by caching expensive operations.
 
 Bootsnap.setup(
   cache_dir:            'tmp/cache',
diff --git a/config/deploy.rb b/config/deploy.rb
index 3fd149f21..180dd1c2a 100644
--- a/config/deploy.rb
+++ b/config/deploy.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-lock '3.10.0'
+lock '3.10.1'
 
 set :repo_url, ENV.fetch('REPO', 'https://github.com/tootsuite/mastodon.git')
 set :branch, ENV.fetch('BRANCH', 'master')
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 285fea8b8..b6478f16e 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -13,13 +13,14 @@ Rails.application.configure do
   config.consider_all_requests_local = true
 
   # Enable/disable caching. By default caching is disabled.
+  # Run rails dev:cache to toggle caching.
   if Rails.root.join('tmp/caching-dev.txt').exist?
     config.action_controller.perform_caching = true
 
     config.cache_store = :redis_store, ENV['REDIS_URL'], REDIS_CACHE_PARAMS
 
     config.public_file_server.headers = {
-      'Cache-Control' => "public, max-age=#{2.days.seconds.to_i}",
+      'Cache-Control' => "public, max-age=#{2.days.to_i}",
     }
   else
     config.action_controller.perform_caching = false
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 7a800db19..2c8471ddd 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -15,6 +15,10 @@ Rails.application.configure do
   config.action_controller.perform_caching = true
   config.action_controller.asset_host      = ENV['CDN_HOST'] if ENV.key?('CDN_HOST')
 
+  # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
+  # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
+  # config.require_master_key = true
+
   # Disable serving static files from the `/public` folder by default since
   # Apache or NGINX already handles this.
   config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 122634d5b..1c1891561 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -15,7 +15,7 @@ Rails.application.configure do
   # Configure public file server for tests with Cache-Control for performance.
   config.public_file_server.enabled = true
   config.public_file_server.headers = {
-    'Cache-Control' => "public, max-age=#{1.hour.seconds.to_i}"
+    'Cache-Control' => "public, max-age=#{1.hour.to_i}"
   }
   config.assets.digest = false
 
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
new file mode 100644
index 000000000..37f2c0d45
--- /dev/null
+++ b/config/initializers/content_security_policy.rb
@@ -0,0 +1,20 @@
+# Define an application-wide content security policy
+# For further information see the following documentation
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+
+# Rails.application.config.content_security_policy do |p|
+#   p.default_src :self, :https
+#   p.font_src    :self, :https, :data
+#   p.img_src     :self, :https, :data
+#   p.object_src  :none
+#   p.script_src  :self, :https
+#   p.style_src   :self, :https, :unsafe_inline
+#
+#   # Specify URI for violation reports
+#   # p.report_uri "/csp-violation-report-endpoint"
+# end
+
+# Report CSP violations to a specified URI
+# For further information see the following documentation:
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
+# Rails.application.config.content_security_policy_report_only = true
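Review bot: Every directive in this new initializer is commented out, so the file configures no Content-Security-Policy header and nothing in it says whether that is deliberate. If a policy is not set elsewhere (not visible in this diff), I would state that at the top, e.g. `# CSP not enforced yet; the block below is the Rails template and is untested against this app`. Enabling the block together with `content_security_policy_report_only = true` first would let violations be collected before anything is blocked. When the sample is adapted, note that `:https` as a source admits any HTTPS host and `:unsafe_inline` in `style_src` permits inline styles, so both are probably looser than the app needs.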
diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb
new file mode 100644
index 000000000..36e2694e3
--- /dev/null
+++ b/config/initializers/cors.rb
@@ -0,0 +1,30 @@
+# Be sure to restart your server when you modify this file.
+
+# Avoid CORS issues when API is called from the frontend app.
+# Handle Cross-Origin Resource Sharing (CORS) in order to accept cross-origin AJAX requests.
+
+# Read more: https://github.com/cyu/rack-cors
+
+Rails.application.config.middleware.insert_before 0, Rack::Cors do
+  allow do
+    origins '*'
+
+    resource '/@:username',
+      headers: :any,
+      methods: [:get],
+      credentials: false
+    resource '/api/*',
+      headers: :any,
+      methods: [:post, :put, :delete, :get, :patch, :options],
+      credentials: false,
+      expose: ['Link', 'X-RateLimit-Reset', 'X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-Request-Id']
+    resource '/oauth/token',
+      headers: :any,
+      methods: [:post],
+      credentials: false
+    resource '/assets/*', headers: :any, methods: [:get, :head, :options]
+    resource '/stylesheets/*', headers: :any, methods: [:get, :head, :options]
+    resource '/javascripts/*', headers: :any, methods: [:get, :head, :options]
+    resource '/packs/*', headers: :any, methods: [:get, :head, :options]
+  end
+end
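Review bot: The four static-asset resources (`/assets/*`, `/stylesheets/*`, `/javascripts/*`, `/packs/*`) omit `credentials: false` while the three resources above them state it, so under `origins '*'` their behaviour depends on the rack-cors default for `credentials`, which as far as I recall has differed between releases. Making it explicit keeps the wildcard origin from ever being paired with credentialed responses: `resource '/assets/*', headers: :any, methods: [:get, :head, :options], credentials: false`, and likewise for the other three. The header comment is the generator template and speaks of a frontend app, whereas the policy admits any origin to `/api/*` and `/oauth/token`. A comment saying why that is acceptable here (presumably because these endpoints rely on bearer tokens rather than cookies) would help the next reader.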
diff --git a/db/schema.rb b/db/schema.rb
index 2cf6db773..7796600d7 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -13,6 +13,7 @@
 ActiveRecord::Schema.define(version: 20180410220657) do
 
   # These are extensions that must be enabled in order to support this database
+  enable_extension "pg_stat_statements"
   enable_extension "plpgsql"
 
   create_table "account_domain_blocks", force: :cascade do |t|