Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/CHANGELOG.md6
-rw-r--r--actionpack/lib/action_controller/metal/url_for.rb10
-rw-r--r--actionpack/lib/action_dispatch/railtie.rb5
-rw-r--r--actionpack/lib/action_dispatch/routing/route_set.rb38
-rw-r--r--actionpack/test/dispatch/cookies_test.rb2
-rw-r--r--actionpack/test/dispatch/prefix_generation_test.rb18
6 files changed, 40 insertions, 39 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index fd8b38054e..880263ce87 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,5 +1,11 @@
## Rails 4.0.0 (unreleased) ##
+* Add 'X-Frame-Options' => 'SAMEORIGIN' and
+ 'X-XSS-Protection' => '1; mode=block'
+ as default headers.
+
+ *Egor Homakov*
+
* Allow data attributes to be set as a first-level option for form_for, so you can write `form_for @record, data: { behavior: 'autosave' }` instead of `form_for @record, html: { data: { behavior: 'autosave' } }` *DHH*
* Deprecate `button_to_function` and `link_to_function` helpers.
diff --git a/actionpack/lib/action_controller/metal/url_for.rb b/actionpack/lib/action_controller/metal/url_for.rb
index dd5ceb3478..0cdd17bc2e 100644
--- a/actionpack/lib/action_controller/metal/url_for.rb
+++ b/actionpack/lib/action_controller/metal/url_for.rb
@@ -30,9 +30,15 @@ module ActionController
:_recall => request.symbolized_path_parameters
).freeze
- if _routes.equal?(env["action_dispatch.routes"])
+ if (same_origin = _routes.equal?(env["action_dispatch.routes"])) ||
+ (script_name = env["ROUTES_#{_routes.object_id}_SCRIPT_NAME"]) ||
+ (original_script_name = env['SCRIPT_NAME'])
@_url_options.dup.tap do |options|
- options[:script_name] = request.script_name.dup
+ if original_script_name
+ options[:original_script_name] = original_script_name
+ else
+ options[:script_name] = same_origin ? request.script_name.dup : script_name
+ end
options.freeze
end
else
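Review bot: The third alternative of the new `if` at the top of the hunk is taken whenever `env['SCRIPT_NAME']` is present, including the very common empty string, because `""` is truthy in Ruby; `options[:original_script_name]` then holds `""` in the frozen hash and only a later `.presence` discards it. Writing the test as `(original_script_name = env['SCRIPT_NAME'].presence)` makes the branch mean what it reads as. The chain also relies on `script_name` and `original_script_name` being parser-defined nils when an earlier alternative short-circuits, which deserves a comment such as `# locals assigned inside the || chain stay nil when an earlier alternative matched`. Unlike `request.script_name.dup`, the value read from the `ROUTES_..._SCRIPT_NAME` key is stored without `dup`, so the frozen options hash aliases the env string. The enclosing method continues past the hunk's `else`.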
diff --git a/actionpack/lib/action_dispatch/railtie.rb b/actionpack/lib/action_dispatch/railtie.rb
index e7f3f07390..0dcf1fc4fe 100644
--- a/actionpack/lib/action_dispatch/railtie.rb
+++ b/actionpack/lib/action_dispatch/railtie.rb
@@ -19,6 +19,11 @@ module ActionDispatch
:verbose => false
}
+ config.action_dispatch.default_headers = {
+ 'X-Frame-Options' => 'SAMEORIGIN',
+ 'X-XSS-Protection' => '1; mode=block'
+ }
+
initializer "action_dispatch.configure" do |app|
ActionDispatch::Http::URL.tld_length = app.config.action_dispatch.tld_length
ActionDispatch::Request.ignore_accept_header = app.config.action_dispatch.ignore_accept_header
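Review bot: Nothing in this diff reads the new `config.action_dispatch.default_headers` setting; the `action_dispatch.configure` initializer directly below it copies `tld_length` and `ignore_accept_header` into their classes but not `default_headers`, so as far as these hunks show the headers announced in the CHANGELOG are never applied. If the response class carries a matching accessor, this initializer is the natural place to wire it, e.g. `ActionDispatch::Response.default_headers = app.config.action_dispatch.default_headers`; otherwise a comment on the setting should name where it is consumed. The initializer block continues outside the hunk.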
diff --git a/actionpack/lib/action_dispatch/routing/route_set.rb b/actionpack/lib/action_dispatch/routing/route_set.rb
index 62c921ff97..32d267d1d6 100644
--- a/actionpack/lib/action_dispatch/routing/route_set.rb
+++ b/actionpack/lib/action_dispatch/routing/route_set.rb
@@ -163,9 +163,9 @@ module ActionDispatch
private
def define_named_route_methods(name, route)
- define_url_helper route, :"#{name}_path",
+ define_url_helper route, :"#{name}_path",
route.defaults.merge(:use_route => name, :only_path => true)
- define_url_helper route, :"#{name}_url",
+ define_url_helper route, :"#{name}_url",
route.defaults.merge(:use_route => name, :only_path => false)
end
@@ -226,7 +226,7 @@ module ActionDispatch
attr_accessor :formatter, :set, :named_routes, :default_scope, :router
attr_accessor :disable_clear_and_finalize, :resources_path_names
- attr_accessor :default_url_options, :request_class, :valid_conditions
+ attr_accessor :default_url_options, :request_class
alias :routes :set
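Review bot: `attr_accessor :valid_conditions` was public on RouteSet and is removed here without a deprecation shim (its initialisation is dropped in the following hunk), so any code that read `routes.valid_conditions` now raises NoMethodError. If a hard removal is acceptable for the 4.0 release it should be listed in the CHANGELOG entry; otherwise keep a read-only `valid_conditions` that derives the hash from `@request_class.public_instance_methods` and emits a deprecation warning.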
@@ -238,13 +238,7 @@ module ActionDispatch
self.named_routes = NamedRouteCollection.new
self.resources_path_names = self.class.default_resources_path_names.dup
self.default_url_options = {}
-
self.request_class = request_class
- @valid_conditions = { :controller => true, :action => true }
- request_class.public_instance_methods.each { |m|
- @valid_conditions[m] = true
- }
- @valid_conditions.delete(:id)
@append = []
@prepend = []
@@ -375,7 +369,7 @@ module ActionDispatch
raise ArgumentError, "Invalid route name: '#{name}'" unless name.blank? || name.to_s.match(/^[_a-z]\w*$/i)
path = build_path(conditions.delete(:path_info), requirements, SEPARATORS, anchor)
- conditions = build_conditions(conditions, valid_conditions, path.names.map { |x| x.to_sym })
+ conditions = build_conditions(conditions, path.names.map { |x| x.to_sym })
route = @set.add_route(app, path, conditions, defaults, name)
named_routes[name] = route if name && !named_routes[name]
@@ -412,21 +406,22 @@ module ActionDispatch
end
private :build_path
- def build_conditions(current_conditions, req_predicates, path_values)
+ def build_conditions(current_conditions, path_values)
conditions = current_conditions.dup
- verbs = conditions[:request_method] || []
-
# Rack-Mount requires that :request_method be a regular expression.
# :request_method represents the HTTP verb that matches this route.
#
# Here we munge values before they get sent on to rack-mount.
+ verbs = conditions[:request_method] || []
unless verbs.empty?
conditions[:request_method] = %r[^#{verbs.join('|')}$]
end
- conditions.delete_if { |k,v| !(req_predicates.include?(k) || path_values.include?(k)) }
- conditions
+ conditions.keep_if do |k, _|
+ k == :action || k == :controller ||
+ @request_class.public_method_defined?(k) || path_values.include?(k)
+ end
end
private :build_conditions
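Review bot: The new `keep_if` predicate retains any key for which `@request_class.public_method_defined?(k)` is true, whereas the removed initialisation explicitly deleted `:id` from the valid set after collecting `public_instance_methods`; if the request class (or `Object` on an older ruby) answers `id`, an `:id` condition that was previously discarded is now kept, which looks like an unintended change — confirm, or add `k != :id &&` to the predicate. Since the helper now depends on instance state rather than a passed-in predicate set, a header comment would help readers, e.g. `# Keeps only the conditions a request can answer: :controller/:action, public request methods, or path segment names.`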
@@ -468,7 +463,7 @@ module ActionDispatch
def use_recall_for(key)
if @recall[key] && (!@options.key?(key) || @options[key] == @recall[key])
if !named_route_exists? || segment_keys.include?(key)
- @options[key] = @recall.delete(key)
+ @options[key] = @recall.delete(key)
end
end
end
@@ -577,7 +572,8 @@ module ActionDispatch
end
RESERVED_OPTIONS = [:host, :protocol, :port, :subdomain, :domain, :tld_length,
- :trailing_slash, :anchor, :params, :only_path, :script_name]
+ :trailing_slash, :anchor, :params, :only_path, :script_name,
+ :original_script_name]
def mounted?
false
@@ -597,7 +593,13 @@ module ActionDispatch
user, password = extract_authentication(options)
recall = options.delete(:_recall)
- script_name = options.delete(:script_name).presence || _generate_prefix(options)
+
+ original_script_name = options.delete(:original_script_name).presence
+ script_name = options.delete(:script_name).presence || _generate_prefix(options)
+
+ if script_name && original_script_name
+ script_name = original_script_name + script_name
+ end
path_options = options.except(*RESERVED_OPTIONS)
path_options = yield(path_options) if block_given?
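Review bot: The combining step `if script_name && original_script_name` drops `original_script_name` entirely when `script_name` is nil (no `:script_name` option and `_generate_prefix` returned nothing), so a request-level prefix passed as `:original_script_name` is silently lost in that case; if that is intended, a comment on the condition should say so, otherwise `script_name = original_script_name if original_script_name && !script_name` covers it. The plain `+` also yields `//` when the first prefix ends with a slash, since `.presence` only rejects blanks and neither value is normalised before concatenation. The method continues outside the hunk.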
diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
index 2467654a70..347b3b3b5a 100644
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -190,7 +190,7 @@ class CookiesTest < ActionController::TestCase
def test_setting_the_same_value_to_permanent_cookie
request.cookies[:user_name] = 'Jamie'
get :set_permanent_cookie
- assert response.cookies, 'user_name' => 'Jamie'
+ assert_equal response.cookies, 'user_name' => 'Jamie'
end
def test_setting_with_escapable_characters
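Review bot: `assert_equal response.cookies, 'user_name' => 'Jamie'` passes the actual value first; under the `assert_equal(expected, actual)` convention a failure would report the two sides swapped. Write it as `assert_equal({'user_name' => 'Jamie'}, response.cookies)`; the braces are required once the hash is no longer the last argument.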
diff --git a/actionpack/test/dispatch/prefix_generation_test.rb b/actionpack/test/dispatch/prefix_generation_test.rb
index ab2f7612ce..6d75c5ec7a 100644
--- a/actionpack/test/dispatch/prefix_generation_test.rb
+++ b/actionpack/test/dispatch/prefix_generation_test.rb
@@ -166,18 +166,6 @@ module TestGenerationPrefix
assert_equal "/generate", last_response.body
end
- test "[ENGINE] generating application's url includes default_url_options[:script_name]" do
- RailsApplication.routes.default_url_options = {:script_name => "/something"}
- get "/pure-awesomeness/blog/url_to_application"
- assert_equal "/something/generate", last_response.body
- end
-
- test "[ENGINE] generating application's url should give higher priority to default_url_options[:script_name]" do
- RailsApplication.routes.default_url_options = {:script_name => "/something"}
- get "/pure-awesomeness/blog/url_to_application", {}, 'SCRIPT_NAME' => '/foo'
- assert_equal "/something/generate", last_response.body
- end
-
test "[ENGINE] generating engine's url with polymorphic path" do
get "/pure-awesomeness/blog/polymorphic_path_for_engine"
assert_equal "/pure-awesomeness/blog/posts/1", last_response.body
@@ -200,12 +188,6 @@ module TestGenerationPrefix
assert_equal "/something/awesome/blog/posts/1", last_response.body
end
- test "[APP] generating engine's route should give higher priority to default_url_options[:script_name]" do
- RailsApplication.routes.default_url_options = {:script_name => "/something"}
- get "/generate", {}, 'SCRIPT_NAME' => "/foo"
- assert_equal "/something/awesome/blog/posts/1", last_response.body
- end
-
test "[APP] generating engine's url with polymorphic path" do
get "/polymorphic_path_for_engine"
assert_equal "/awesome/blog/posts/1", last_response.body