11 files changed, 95 insertions, 31 deletions
diff --git a/actionpack/lib/action_controller/metal/force_ssl.rb b/actionpack/lib/action_controller/metal/force_ssl.rb
index 0ba1f9f783..7de500d119 100644
--- a/actionpack/lib/action_controller/metal/force_ssl.rb
+++ b/actionpack/lib/action_controller/metal/force_ssl.rb
@@ -39,7 +39,7 @@ module ActionController
       #     end
       #
       # ==== URL Options
-      # You can pass any of the following options to affect the redirect url
+      # You can pass any of the following options to affect the redirect URL
       # * <tt>host</tt>       - Redirect to a different host name
       # * <tt>subdomain</tt>  - Redirect to a different subdomain
       # * <tt>domain</tt>     - Redirect to a different domain
@@ -73,7 +73,7 @@ module ActionController
     # Redirect the existing request to use the HTTPS protocol.
     #
     # ==== Parameters
-    # * <tt>host_or_options</tt> - Either a host name or any of the url and
+    # * <tt>host_or_options</tt> - Either a host name or any of the URL and
     #   redirect options available to the <tt>force_ssl</tt> method.
     def force_ssl_redirect(host_or_options = nil)
       unless request.ssl?
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 767eddb361..0ab313e398 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -3,6 +3,7 @@
 require "rack/session/abstract/id"
 require "action_controller/metal/exceptions"
 require "active_support/security_utils"
+require "active_support/core_ext/string/strip"
 
 module ActionController #:nodoc:
   class InvalidAuthenticityToken < ActionControllerError #:nodoc:
diff --git a/actionpack/lib/action_dispatch.rb b/actionpack/lib/action_dispatch.rb
index 6fed911d0a..0822cdc0a6 100644
--- a/actionpack/lib/action_dispatch.rb
+++ b/actionpack/lib/action_dispatch.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 #--
-# Copyright (c) 2004-2017 David Heinemeier Hansson
+# Copyright (c) 2004-2018 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
diff --git a/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb b/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
index 4f69abfa6f..d1b4508378 100644
--- a/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
+++ b/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
@@ -25,6 +25,7 @@ module ActionDispatch
       "ActionView::MissingTemplate"         => "missing_template",
       "ActionController::RoutingError"      => "routing_error",
       "AbstractController::ActionNotFound"  => "unknown_action",
+      "ActiveRecord::StatementInvalid"      => "invalid_statement",
       "ActionView::Template::Error"         => "template_error"
     )
 
diff --git a/actionpack/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb b/actionpack/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb
new file mode 100644
index 0000000000..e1b129ccc5
--- /dev/null
+++ b/actionpack/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb
@@ -0,0 +1,21 @@
+<header>
+  <h1>
+    <%= @exception.class.to_s %>
+    <% if @request.parameters['controller'] %>
+      in <%= @request.parameters['controller'].camelize %>Controller<% if @request.parameters['action'] %>#<%= @request.parameters['action'] %><% end %>
+    <% end %>
+  </h1>
+</header>
+
+<div id="container">
+  <h2>
+    <%= h @exception.message %>
+    <% if @exception.message.match? %r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}} %>
+      <br />To resolve this issue run: bin/rails active_storage:install
+    <% end %>
+  </h2>
+
+  <%= render template: "rescues/_source" %>
+  <%= render template: "rescues/_trace" %>
+  <%= render template: "rescues/_request_and_response" %>
+</div>
diff --git a/actionpack/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb b/actionpack/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb
new file mode 100644
index 0000000000..033518cf8a
--- /dev/null
+++ b/actionpack/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb
@@ -0,0 +1,13 @@
+<%= @exception.class.to_s %><%
+  if @request.parameters['controller']
+%> in <%= @request.parameters['controller'].camelize %>Controller<% if @request.parameters['action'] %>#<%= @request.parameters['action'] %><% end %>
+<% end %>
+
+<%= @exception.message %>
+<% if @exception.message.match? %r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}} %>
+To resolve this issue run: bin/rails active_storage:install
+<% end %>
+
+<%= render template: "rescues/_source" %>
+<%= render template: "rescues/_trace" %>
+<%= render template: "rescues/_request_and_response" %>
diff --git a/actionpack/lib/action_dispatch/railtie.rb b/actionpack/lib/action_dispatch/railtie.rb
index 95e99987a0..eb6fbca6ba 100644
--- a/actionpack/lib/action_dispatch/railtie.rb
+++ b/actionpack/lib/action_dispatch/railtie.rb
@@ -28,7 +28,8 @@ module ActionDispatch
       "X-XSS-Protection" => "1; mode=block",
       "X-Content-Type-Options" => "nosniff",
       "X-Download-Options" => "noopen",
-      "X-Permitted-Cross-Domain-Policies" => "none"
+      "X-Permitted-Cross-Domain-Policies" => "none",
+      "Referrer-Policy" => "strict-origin-when-cross-origin"
     }
 
     config.action_dispatch.cookies_rotations = ActiveSupport::Messages::RotationConfiguration.new
diff --git a/actionpack/lib/action_dispatch/system_test_case.rb b/actionpack/lib/action_dispatch/system_test_case.rb
index 393141535b..f85f816bb9 100644
--- a/actionpack/lib/action_dispatch/system_test_case.rb
+++ b/actionpack/lib/action_dispatch/system_test_case.rb
@@ -6,6 +6,7 @@ require "capybara/dsl"
 require "capybara/minitest"
 require "action_controller"
 require "action_dispatch/system_testing/driver"
+require "action_dispatch/system_testing/browser"
 require "action_dispatch/system_testing/server"
 require "action_dispatch/system_testing/test_helpers/screenshot_helper"
 require "action_dispatch/system_testing/test_helpers/setup_and_teardown"
diff --git a/actionpack/lib/action_dispatch/system_testing/browser.rb b/actionpack/lib/action_dispatch/system_testing/browser.rb
new file mode 100644
index 0000000000..10e6888ab3
--- /dev/null
+++ b/actionpack/lib/action_dispatch/system_testing/browser.rb
@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  module SystemTesting
+    class Browser # :nodoc:
+      attr_reader :name
+
+      def initialize(name)
+        @name = name
+      end
+
+      def type
+        case name
+        when :headless_chrome
+          :chrome
+        when :headless_firefox
+          :firefox
+        else
+          name
+        end
+      end
+
+      def options
+        case name
+        when :headless_chrome
+          headless_chrome_browser_options
+        when :headless_firefox
+          headless_firefox_browser_options
+        end
+      end
+
+      private
+        def headless_chrome_browser_options
+          options = Selenium::WebDriver::Chrome::Options.new
+          options.args << "--headless"
+          options.args << "--disable-gpu"
+
+          options
+        end
+
+        def headless_firefox_browser_options
+          options = Selenium::WebDriver::Firefox::Options.new
+          options.args << "-headless"
+
+          options
+        end
+    end
+  end
+end
diff --git a/actionpack/lib/action_dispatch/system_testing/driver.rb b/actionpack/lib/action_dispatch/system_testing/driver.rb
index 280989a146..5252ff6746 100644
--- a/actionpack/lib/action_dispatch/system_testing/driver.rb
+++ b/actionpack/lib/action_dispatch/system_testing/driver.rb
@@ -5,7 +5,7 @@ module ActionDispatch
     class Driver # :nodoc:
       def initialize(name, **options)
         @name = name
-        @browser = options[:using]
+        @browser = Browser.new(options[:using])
         @screen_size = options[:screen_size]
         @options = options[:options]
       end
@@ -32,34 +32,11 @@ module ActionDispatch
         end
 
         def browser_options
-          if @browser == :headless_chrome
-            browser_options = Selenium::WebDriver::Chrome::Options.new
-            browser_options.args << "--headless"
-            browser_options.args << "--disable-gpu"
-
-            @options.merge(options: browser_options)
-          elsif @browser == :headless_firefox
-            browser_options = Selenium::WebDriver::Firefox::Options.new
-            browser_options.args << "-headless"
-
-            @options.merge(options: browser_options)
-          else
-            @options
-          end
-        end
-
-        def browser
-          if @browser == :headless_chrome
-            :chrome
-          elsif @browser == :headless_firefox
-            :firefox
-          else
-            @browser
-          end
+          @options.merge(options: @browser.options).compact
         end
 
         def register_selenium(app)
-          Capybara::Selenium::Driver.new(app, { browser: browser }.merge(browser_options)).tap do |driver|
+          Capybara::Selenium::Driver.new(app, { browser: @browser.type }.merge(browser_options)).tap do |driver|
             driver.browser.manage.window.size = Selenium::WebDriver::Dimension.new(*@screen_size)
           end
         end
diff --git a/actionpack/lib/action_pack.rb b/actionpack/lib/action_pack.rb
index 95fdd3affb..3f69109633 100644
--- a/actionpack/lib/action_pack.rb
+++ b/actionpack/lib/action_pack.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 #--
-# Copyright (c) 2004-2017 David Heinemeier Hansson
+# Copyright (c) 2004-2018 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the