5 files changed, 44 insertions, 13 deletions

diff --git a/actionpack/lib/action_controller/metal/conditional_get.rb b/actionpack/lib/action_controller/metal/conditional_get.rb
index 89d589c486..d86a793e4c 100644
--- a/actionpack/lib/action_controller/metal/conditional_get.rb
+++ b/actionpack/lib/action_controller/metal/conditional_get.rb
@@ -66,7 +66,7 @@ module ActionController
     #
     # You can also pass an object that responds to +maximum+, such as a
     # collection of active records. In this case +last_modified+ will be set by
-    # calling +maximum(:updated_at)+ on the collection (the timestamp of the
+    # calling <tt>maximum(:updated_at)</tt> on the collection (the timestamp of the
     # most recently updated record) and the +etag+ by passing the object itself.
     #
     #   def index
diff --git a/actionpack/lib/action_controller/metal/exceptions.rb b/actionpack/lib/action_controller/metal/exceptions.rb
index 5260dc0336..5c0ada37be 100644
--- a/actionpack/lib/action_controller/metal/exceptions.rb
+++ b/actionpack/lib/action_controller/metal/exceptions.rb
@@ -3,12 +3,19 @@ module ActionController
   end
 
   class BadRequest < ActionControllerError #:nodoc:
-    attr_reader :original_exception
-
     def initialize(msg = nil, e = nil)
+      if e
+        ActiveSupport::Deprecation.warn("Passing #original_exception is deprecated and has no effect. " \
+                                        "Exceptions will automatically capture the original exception.", caller)
+      end
+
       super(msg)
-      @original_exception = e
-      set_backtrace e.backtrace if e
+      set_backtrace $!.backtrace if $!
+    end
+
+    def original_exception
+      ActiveSupport::Deprecation.warn("#original_exception is deprecated. Use #cause instead.", caller)
+      cause
     end
   end
 
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 64f6f7cf51..836ed892dc 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -77,6 +77,10 @@ module ActionController #:nodoc:
       config_accessor :log_warning_on_csrf_failure
       self.log_warning_on_csrf_failure = true
 
+      # Controls whether the Origin header is checked in addition to the CSRF token.
+      config_accessor :forgery_protection_origin_check
+      self.forgery_protection_origin_check = false
+
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?
     end
@@ -257,8 +261,19 @@ module ActionController #:nodoc:
       # * Does the X-CSRF-Token header match the form_authenticity_token
       def verified_request?
         !protect_against_forgery? || request.get? || request.head? ||
-          valid_authenticity_token?(session, form_authenticity_param) ||
-          valid_authenticity_token?(session, request.headers['X-CSRF-Token'])
+          (valid_request_origin? && any_authenticity_token_valid?)
+      end
+
+      # Checks if any of the authenticity tokens from the request are valid.
+      def any_authenticity_token_valid?
+        request_authenticity_tokens.any? do |token|
+          valid_authenticity_token?(session, token)
+        end
+      end
+
+      # Possible authenticity tokens sent in the request.
+      def request_authenticity_tokens
+        [form_authenticity_param, request.x_csrf_token]
       end
 
       # Sets the token value for the current session.
@@ -336,5 +351,16 @@ module ActionController #:nodoc:
       def protect_against_forgery?
         allow_forgery_protection
       end
+
+      # Checks if the request originated from the same origin by looking at the
+      # Origin header.
+      def valid_request_origin?
+        if forgery_protection_origin_check
+          # We accept blank origin headers because some user agents don't send it.
+          request.origin.nil? || request.origin == request.base_url
+        else
+          true
+        end
+      end
   end
 end
diff --git a/actionpack/lib/action_controller/metal/rescue.rb b/actionpack/lib/action_controller/metal/rescue.rb
index 68cc9a9c9b..81b9a7b9ed 100644
--- a/actionpack/lib/action_controller/metal/rescue.rb
+++ b/actionpack/lib/action_controller/metal/rescue.rb
@@ -7,10 +7,8 @@ module ActionController #:nodoc:
     include ActiveSupport::Rescuable
 
     def rescue_with_handler(exception)
-      if (exception.respond_to?(:original_exception) &&
-          (orig_exception = exception.original_exception) &&
-          handler_for_rescue(orig_exception))
-        exception = orig_exception
+      if exception.cause && handler_for_rescue(exception.cause)
+        exception = exception.cause
       end
       super(exception)
     end
diff --git a/actionpack/lib/action_controller/test_case.rb b/actionpack/lib/action_controller/test_case.rb
index 698719377c..442ffd6d7c 100644
--- a/actionpack/lib/action_controller/test_case.rb
+++ b/actionpack/lib/action_controller/test_case.rb
@@ -210,11 +210,11 @@ module ActionController
   #       # Simulate a POST response with the given HTTP parameters.
   #       post(:create, params: { book: { title: "Love Hina" }})
   #
-  #       # Assert that the controller tried to redirect us to
+  #       # Asserts that the controller tried to redirect us to
   #       # the created book's URI.
   #       assert_response :found
   #
-  #       # Assert that the controller really put the book in the database.
+  #       # Asserts that the controller really put the book in the database.
   #       assert_not_nil Book.find_by(title: "Love Hina")
   #     end
   #   end