6 files changed, 55 insertions, 17 deletions

diff --git a/actionpack/lib/action_controller/metal/conditional_get.rb b/actionpack/lib/action_controller/metal/conditional_get.rb
index d86a793e4c..f8e0d9cf6c 100644
--- a/actionpack/lib/action_controller/metal/conditional_get.rb
+++ b/actionpack/lib/action_controller/metal/conditional_get.rb
@@ -228,7 +228,7 @@ module ActionController
       expires_in 100.years, public: public
 
       yield if stale?(etag: "#{version}-#{request.fullpath}",
-                      last_modified: Time.parse('2011-01-01').utc,
+                      last_modified: Time.new(2011, 1, 1).utc,
                       public: public)
     end
 
diff --git a/actionpack/lib/action_controller/metal/renderers.rb b/actionpack/lib/action_controller/metal/renderers.rb
index 22e0bb5955..1f77f9ecaa 100644
--- a/actionpack/lib/action_controller/metal/renderers.rb
+++ b/actionpack/lib/action_controller/metal/renderers.rb
@@ -26,6 +26,40 @@ module ActionController
     end
 
     module ClassMethods
+
+      # Adds, by name, a renderer or renderers to the +_renderers+ available
+      # to call within controller actions.
+      #
+      # It is useful when rendering from an <tt>ActionController::Metal</tt> controller or
+      # otherwise to add an available renderer proc to a specific controller.
+      #
+      # Both <tt>ActionController::Base</tt> and <tt>ActionController::API</tt>
+      # include <tt>ActionController::Renderers::All</tt>, making all renderers
+      # avaialable in the controller. See <tt>Renderers::RENDERERS</tt> and <tt>Renderers.add</tt>.
+      #
+      # Since <tt>ActionController::Metal</tt> controllers cannot render, the controller
+      # must include <tt>AbstractController::Rendering</tt>, <tt>ActionController::Rendering</tt>,
+      # and <tt>ActionController::Renderers</tt>, and have at lest one renderer.
+      #
+      # Rather than including <tt>ActionController::Renderers::All</tt> and including all renderers,
+      # you may specify which renderers to include by passing the renderer name or names to
+      # +use_renderers+. For example, a controller that includes only the <tt>:json</tt> renderer
+      # (+_render_with_renderer_json+) might look like:
+      #
+      #   class MetalRenderingController < ActionController::Metal
+      #     include AbstractController::Rendering
+      #     include ActionController::Rendering
+      #     include ActionController::Renderers
+      #
+      #     use_renderers :json
+      #
+      #     def show
+      #       render json: record
+      #     end
+      #   end
+      #
+      # You must specify a +use_renderer+, else the +controller.renderer+ and
+      # +controller._renderers+ will be <tt>nil</tt>, and the action will fail.
       def use_renderers(*args)
         renderers = _renderers + args
         self._renderers = renderers.freeze
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
index 7e2745c75a..4cd67a85cc 100644
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -176,7 +176,7 @@ module ActionController
     #   safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
     def to_h
       if permitted?
-        convert_parameters_to_hashes(@parameters)
+        convert_parameters_to_hashes(@parameters, :to_h)
       else
         slice(*self.class.always_permitted_parameters).permit!.to_h
       end
@@ -186,7 +186,7 @@ module ActionController
     # <tt>ActiveSupport::HashWithIndifferentAccess</tt> representation of this
     # parameter.
     def to_unsafe_h
-      convert_parameters_to_hashes(@parameters)
+      convert_parameters_to_hashes(@parameters, :to_unsafe_h)
     end
     alias_method :to_unsafe_hash, :to_unsafe_h
 
@@ -595,16 +595,16 @@ module ActionController
         end
       end
 
-      def convert_parameters_to_hashes(value)
+      def convert_parameters_to_hashes(value, using)
         case value
         when Array
-          value.map { |v| convert_parameters_to_hashes(v) }
+          value.map { |v| convert_parameters_to_hashes(v, using) }
         when Hash
           value.transform_values do |v|
-            convert_parameters_to_hashes(v)
+            convert_parameters_to_hashes(v, using)
           end.with_indifferent_access
         when Parameters
-          value.to_h
+          value.send(using)
         else
           value
         end
diff --git a/actionpack/lib/action_dispatch.rb b/actionpack/lib/action_dispatch.rb
index f6336c8c7a..7bc6575ccd 100644
--- a/actionpack/lib/action_dispatch.rb
+++ b/actionpack/lib/action_dispatch.rb
@@ -1,5 +1,5 @@
 #--
-# Copyright (c) 2004-2015 David Heinemeier Hansson
+# Copyright (c) 2004-2016 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb
index 8f8f1bab8b..735b5939dd 100644
--- a/actionpack/lib/action_dispatch/middleware/ssl.rb
+++ b/actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -4,16 +4,18 @@ module ActionDispatch
   # requests:
   #
   #   1. TLS redirect: Permanently redirects http:// requests to https://
-  #      with the same URL host, path, etc. This is always enabled. Set
-  #      `config.ssl_options` to modify the destination URL
-  #      (e.g. `redirect: { host: "secure.widgets.com", port: 8080 }`)
+  #      with the same URL host, path, etc. Enabled by default. Set `config.ssl_options`
+  #      to modify the destination URL
+  #      (e.g. `redirect: { host: "secure.widgets.com", port: 8080 }`), or set
+  #      `redirect: false` to disable this feature.
   #
   #   2. Secure cookies: Sets the `secure` flag on cookies to tell browsers they
-  #      mustn't be sent along with http:// requests. This is always enabled.
+  #      mustn't be sent along with http:// requests. Enabled by default. Set
+  #      `config.ssl_options` with `secure_cookies: false` to disable this feature.
   #
   #   3. HTTP Strict Transport Security (HSTS): Tells the browser to remember
   #      this site as TLS-only and automatically redirect non-TLS requests.
-  #      Enabled by default. Pass `hsts: false` to disable.
+  #      Enabled by default. Configure `config.ssl_options` with `hsts: false` to disable.
   #
   # Set `config.ssl_options` with `hsts: { … }` to configure HSTS:
   #   * `expires`: How long, in seconds, these settings will stick. Defaults to
@@ -41,7 +43,7 @@ module ActionDispatch
       { expires: HSTS_EXPIRES_IN, subdomains: false, preload: false }
     end
 
-    def initialize(app, redirect: {}, hsts: {}, **options)
+    def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, **options)
       @app = app
 
       if options[:host] || options[:port]
@@ -54,6 +56,7 @@ module ActionDispatch
         @redirect = redirect
       end
 
+      @secure_cookies = secure_cookies
       @hsts_header = build_hsts_header(normalize_hsts_options(hsts))
     end
 
@@ -63,10 +66,11 @@ module ActionDispatch
       if request.ssl?
         @app.call(env).tap do |status, headers, body|
           set_hsts_header! headers
-          flag_cookies_as_secure! headers
+          flag_cookies_as_secure! headers if @secure_cookies
         end
       else
-        redirect_to_https request
+        return redirect_to_https request if @redirect
+        @app.call(env)
       end
     end
 
diff --git a/actionpack/lib/action_pack.rb b/actionpack/lib/action_pack.rb
index f664dab620..941877d10d 100644
--- a/actionpack/lib/action_pack.rb
+++ b/actionpack/lib/action_pack.rb
@@ -1,5 +1,5 @@
 #--
-# Copyright (c) 2004-2015 David Heinemeier Hansson
+# Copyright (c) 2004-2016 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the