= New Features

* A conditional_sessions plugin has been added.  This allows you to
  only support sessions for a subset of the application's requests.
  You pass a block when loading the plugin, and sessions are only
  supported if the block returns truthy.  The block is evaluated
  in request scope.

  As an example, if you do not want to support sessions for request
  paths starting with /static, you could use:

    plugin :conditional_sessions, secret: ENV["SECRET"] do
      !path_info.start_with?('/static')
    end

  With this example, if the request path starts with /static:

  * The request methods +session+, +session_created_at+, and
    +session_updated_at+ all raise an exception.
  * The request +persist_session+ and route scope +clear_session+
    methods do nothing and return nil.

  Options passed when loading the plugin are passed to the sessions
  plugin.

* In the content_security_policy plugin, you can now call
  response.skip_content_security_policy! to skip the setting of the
  response header.

* In the permissions_policy plugin, you can now call
  response.skip_permissions_policy! to skip the setting of the
  response header.

= Other Improvements

* When using the autoload_hash_branches and/or autoload_named_routes
  plugins, Roda.freeze now works correctly if the Roda class is
  already frozen.
