Use config.load_defaults for rails 7 with overrides

https://github.com/rails/rails/blob/d437ae311f1b9dc40b442e40eb602e020cec4e49/railties/lib/rails/application/configuration.rb#L92
* belongs_to_required_by_default must be overridden or seeding fails
* Partial inserts cause test failures in ui-classic, content, and amazon provider
* Once we remove unsafe-inline, then we can set this to the default, 0. Since we still use unsafe-inline, we still use X-XSS-Protection.
* Allow deprecations to be found and fixed

Fixes #23172

Author: jrafanie

config/application.rb

@@ -86,6 +86,10 @@ class Application < Rails::Application
 
     # Disable ActionCable's request forgery protection
     # This is basically matching a set of allowed origins which is not good for us
+    # Note, similarly named forgery protections in action controller are set to true
+    # https://github.com/rails/rails/blob/d437ae311f1b9dc40b442e40eb602e020cec4e49/railties/lib/rails/application/configuration.rb#L115C12-L115C69
+    # 5.0 sets: action_controller.forgery_protection_origin_check = true
+    # 5.2 sets: action_controller.default_protect_from_forgery = true
     config.action_cable.disable_request_forgery_protection = false
     # Matching the origin against the HOST header is much more convenient
     config.action_cable.allow_same_origin_as_host = true
@@ -106,8 +110,23 @@ class Application < Rails::Application
 
     config.autoload_paths += config.eager_load_paths
 
-    # config.load_defaults 6.1
-    # Disable defaults as ActiveRecord::Base.belongs_to_required_by_default = true causes MiqRegion.seed to fail validation on belongs_to maintenance zone
+    # FYI, this is where load_defaults is defined as of 7.2:
+    # https://github.com/rails/rails/blob/d437ae311f1b9dc40b442e40eb602e020cec4e49/railties/lib/rails/application/configuration.rb#L92
+    config.load_defaults 7.0
+
+    # TODO: this is the only change we had from defaults in 7.0.  See secure_headers.rb.  It's 0 in defaults.
+    config.action_dispatch.default_headers["X-XSS-Protection"] = "1; mode=block"
+
+    # TODO: Find and fixed any deprecated behavior.  Opt in later.
+    config.active_support.remove_deprecated_time_with_zone_name = false
+    config.active_support.disable_to_s_conversion = false
+
+    # TODO: If disabled, causes cross repo test failures in content, ui-classic and amazon provider
+    config.active_record.partial_inserts = true
+
+    # Disable this setting as it causes MiqRegion.seed to fail validation on belongs_to maintenance zone.
+    # TODO: We should fix this so we don't need to carry this override.
+    config.active_record.belongs_to_required_by_default = false
 
     # NOTE:  If you are going to make changes to autoload_paths, please make
     # sure they are all strings.  Rails will push these paths into the

config/initializers/secure_headers.rb

@@ -10,6 +10,15 @@
     config.x_content_type_options = "nosniff"
     # X-XSS-Protection
     # X-Permitted-Cross-Domain-Policies
+
+    # TODO: This was deprecated and disabled in rails 7.  Using content security policy is the desired behavior going forward:
+    # https://github.com/rails/rails/commit/1f4714c3f798df227222f531141880b8e1b4170a
+    # https://github.com/rails/rails/blob/d437ae311f1b9dc40b442e40eb602e020cec4e49/railties/lib/rails/application/configuration.rb#L227
+    # Once we remove unsafe-inline, then we can set this to the default, 0. Since we still use unsafe-inline, we still use X-XSS-Protection.
+    # From: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+    # "The HTTP X-XSS-Protection response header was a feature of Internet Explorer, Chrome and Safari that stopped pages from loading when
+    # they detected reflected cross-site scripting (XSS) attacks. These protections are largely unnecessary in modern browsers when sites
+    # implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline')."
     config.x_xss_protection = "1; mode=block"
     config.referrer_policy = "no-referrer-when-downgrade"
     # Content-Security-Policy