Diffstat (limited to 'actionpack/lib')
5 files changed, 32 insertions, 9 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index 04fadc90e2..767eddb361 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -415,11 +415,21 @@ module ActionController #:nodoc: allow_forgery_protection end + NULL_ORIGIN_MESSAGE = <<-MSG.strip_heredoc + The browser returned a 'null' origin for a request with origin-based forgery protection turned on. This usually + means you have the 'no-referrer' Referrer-Policy header enabled, or that you the request came from a site that + refused to give its origin. This makes it impossible for Rails to verify the source of the requests. Likely the + best solution is to change your referrer policy to something less strict like same-origin or strict-same-origin. + If you cannot change the referrer policy, you can disable origin checking with the + Rails.application.config.action_controller.forgery_protection_origin_check setting. + MSG + # Checks if the request originated from the same origin by looking at the # Origin header. def valid_request_origin? # :doc: if forgery_protection_origin_check # We accept blank origin headers because some user agents don't send it. + raise InvalidAuthenticityToken, NULL_ORIGIN_MESSAGE if request.origin == "null" request.origin.nil? || request.origin == request.base_url else true diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb index ef7c4c4c16..a56ac749f8 100644 --- a/actionpack/lib/action_controller/metal/strong_parameters.rb +++ b/actionpack/lib/action_controller/metal/strong_parameters.rb 
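Review bot: NULL_ORIGIN_MESSAGE contains two text defects that will reach operators verbatim: "or that you the request came from" has a stray "you", and "strict-same-origin" is not a Referrer-Policy value (the standard values closest to the intent are `same-origin` and `strict-origin`). The new `raise` also sits between the comment "We accept blank origin headers…" and the expression that comment describes. Moving it above that comment with its own line, such as `# A literal "null" origin can never match base_url; fail with an explanatory error.`, keeps both readable. Because the guard raises instead of returning false, it presumably skips whatever handling the caller applies to an unverified request. The caller is outside this hunk, so that is worth confirming for applications that do not use the exception strategy.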
@@ -335,7 +335,7 @@ module ActionController # the same way as <tt>Hash#each_pair</tt>. def each_pair(&block) @parameters.each_pair do |key, value| - yield key, convert_hashes_to_parameters(key, value) + yield [key, convert_hashes_to_parameters(key, value)] end end alias_method :each, :each_pair diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb index d10d4faf3d..4883e23d24 100644 --- a/actionpack/lib/action_dispatch/http/content_security_policy.rb +++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb @@ -1,5 +1,7 @@ # frozen_string_literal: true +require "active_support/core_ext/object/deep_dup" + module ActionDispatch #:nodoc: class ContentSecurityPolicy class Middleware @@ -110,7 +112,7 @@ module ActionDispatch #:nodoc: end def initialize_copy(other) - @directives = copy_directives(other.directives) + @directives = other.directives.deep_dup end DIRECTIVES.each do |name, directive| @@ -174,10 +176,6 @@ module ActionDispatch #:nodoc: end private - def copy_directives(directives) - directives.transform_values { |sources| sources.map(&:dup) } - end - def apply_mappings(sources) sources.map do |source| case source diff --git a/actionpack/lib/action_dispatch/system_test_case.rb b/actionpack/lib/action_dispatch/system_test_case.rb index 7246e01cff..99d0c06751 100644 --- a/actionpack/lib/action_dispatch/system_test_case.rb +++ b/actionpack/lib/action_dispatch/system_test_case.rb 
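Review bot: each_pair still has no path for a call without a block: the `yield` inside the `@parameters.each_pair do … end` loop raises LocalJumpError on the first entry, whereas Hash#each_pair, which the doc comment says this mirrors, returns an enumerator. Adding `return to_enum(:each_pair) unless block_given?` as the first line of the method would close that gap. A one-line comment on the new yield, for example `# Yield a single [key, value] pair, as Hash#each_pair does.`, would record why the array form was chosen. The values still pass through convert_hashes_to_parameters, so a test covering the enumerator path should assert that nested hashes arrive wrapped rather than raw.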
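Review bot: initialize_copy in content_security_policy.rb has no comment saying why a deep copy is required. A shallow copy would leave the clone sharing source arrays with the policy it was copied from, so an override on the copy could presumably alter the original. I would add `# Deep-copy so that changes to a duplicated policy never reach the original's directive sources.` above the assignment. A regression test that dups a policy, changes a directive on the copy and asserts the original is unchanged would pin this. The removed copy_directives called `map` on every value, so a directive whose value is not an array deserves a case in that test too. The class body continues outside this hunk.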
@@ -121,11 +121,15 @@ module ActionDispatch # # driven_by :poltergeist # - # driven_by :selenium, using: :firefox + # driven_by :selenium, screen_size: [800, 800] + # + # driven_by :selenium, using: :chrome # # driven_by :selenium, using: :headless_chrome # - # driven_by :selenium, screen_size: [800, 800] + # driven_by :selenium, using: :firefox + # + # driven_by :selenium, using: :headless_firefox def self.driven_by(driver, using: :chrome, screen_size: [1400, 1400], options: {}) self.driver = SystemTesting::Driver.new(driver, using: using, screen_size: screen_size, options: options) end diff --git a/actionpack/lib/action_dispatch/system_testing/driver.rb b/actionpack/lib/action_dispatch/system_testing/driver.rb index 2687772b4b..280989a146 100644 --- a/actionpack/lib/action_dispatch/system_testing/driver.rb +++ b/actionpack/lib/action_dispatch/system_testing/driver.rb @@ -38,13 +38,24 @@ module ActionDispatch browser_options.args << "--disable-gpu" @options.merge(options: browser_options) + elsif @browser == :headless_firefox + browser_options = Selenium::WebDriver::Firefox::Options.new + browser_options.args << "-headless" + + @options.merge(options: browser_options) else @options end end def browser - @browser == :headless_chrome ? :chrome : @browser + if @browser == :headless_chrome + :chrome + elsif @browser == :headless_firefox + :firefox + else + @browser + end end def register_selenium(app) |
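Review bot: The headless-to-real browser mapping in `browser` (driver.rb) is now a three-branch if/elsif that has to be kept in step with the matching `@browser ==` branches in the options method above it. A `case` expression reads more directly and makes the next headless variant a one-line addition. The options method starts outside this hunk, so only `browser` is shown rewritten below; behaviour is unchanged.

```ruby
def browser
  case @browser
  when :headless_chrome then :chrome
  when :headless_firefox then :firefox
  else @browser
  end
end
```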