7 files changed, 28 insertions, 6 deletions

diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 953f3c47ed..4bae795438 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -275,7 +275,7 @@ module ActionController #:nodoc:
 
       # Check for cross-origin JavaScript responses.
       def non_xhr_javascript_response? # :doc:
-        content_type =~ %r(\Atext/javascript) && !request.xhr?
+        content_type =~ %r(\A(?:text|application)/javascript) && !request.xhr?
       end
 
       AUTHENTICITY_TOKEN_LENGTH = 32
diff --git a/actionpack/lib/action_controller/test_case.rb b/actionpack/lib/action_controller/test_case.rb
index 5d784ceb31..33b0bcbefe 100644
--- a/actionpack/lib/action_controller/test_case.rb
+++ b/actionpack/lib/action_controller/test_case.rb
@@ -109,7 +109,7 @@ module ActionController
           when :xml
             data = non_path_parameters.to_xml
           when :url_encoded_form
-            data = non_path_parameters.to_query
+            data = Rack::Utils.build_nested_query(non_path_parameters)
           else
             @custom_param_parsers[content_mime_type.symbol] = ->(_) { non_path_parameters }
             data = non_path_parameters.to_query
diff --git a/actionpack/lib/action_dispatch/journey/routes.rb b/actionpack/lib/action_dispatch/journey/routes.rb
index 639c063495..3ba8361d77 100644
--- a/actionpack/lib/action_dispatch/journey/routes.rb
+++ b/actionpack/lib/action_dispatch/journey/routes.rb
@@ -51,7 +51,7 @@ module ActionDispatch
       def ast
         @ast ||= begin
           asts = anchored_routes.map(&:ast)
-          Nodes::Or.new(asts) unless asts.empty?
+          Nodes::Or.new(asts)
         end
       end
 
diff --git a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
index 4ea96196d3..df680c1c5f 100644
--- a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
@@ -25,7 +25,7 @@ module ActionDispatch
     # goes a step further than signed cookies in that encrypted cookies cannot
     # be altered or read by users. This is the default starting in Rails 4.
     #
-    # Configure your session store in <tt>config/initializers/session_store.rb</tt>:
+    # Configure your session store in an initializer:
     #
     #   Rails.application.config.session_store :cookie_store, key: '_your_app_session'
     #
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 7a02c27c99..ea94a3e048 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -521,6 +521,11 @@ module RequestForgeryProtectionTests
       get :negotiate_same_origin
     end
 
+    assert_cross_origin_blocked do
+      @request.accept = "application/javascript"
+      get :negotiate_same_origin
+    end
+
     assert_cross_origin_not_blocked { get :same_origin_js, xhr: true }
     assert_cross_origin_not_blocked { get :same_origin_js, xhr: true, format: "js" }
     assert_cross_origin_not_blocked do
diff --git a/actionpack/test/controller/test_case_test.rb b/actionpack/test/controller/test_case_test.rb
index 734da3de9c..d4620d085a 100644
--- a/actionpack/test/controller/test_case_test.rb
+++ b/actionpack/test/controller/test_case_test.rb
@@ -220,7 +220,15 @@ XML
     params = Hash[:page, { name: "page name" }, "some key", 123]
     post :render_raw_post, params: params.dup
 
-    assert_equal params.to_query, @response.body
+    assert_equal Rack::Utils.build_nested_query(params), @response.body
+  end
+
+  def test_params_round_trip
+    params = {"foo"=>{"contents"=>[{"name"=>"gorby", "id"=>"123"}, {"name"=>"puff", "d"=>"true"}]}}
+    post :test_params, params: params.dup
+
+    controller_info = { "controller" => "test_case_test/test", "action" => "test_params" }
+    assert_equal params.merge(controller_info), JSON.parse(@response.body)
   end
 
   def test_body_stream
@@ -228,7 +236,7 @@ XML
 
     post :render_body, params: params.dup
 
-    assert_equal params.to_query, @response.body
+    assert_equal Rack::Utils.build_nested_query(params), @response.body
   end
 
   def test_document_body_and_params_with_post
diff --git a/actionpack/test/journey/router_test.rb b/actionpack/test/journey/router_test.rb
index 183f421bcf..1f4e14aef6 100644
--- a/actionpack/test/journey/router_test.rb
+++ b/actionpack/test/journey/router_test.rb
@@ -493,6 +493,15 @@ module ActionDispatch
         assert_not called
       end
 
+      def test_eager_load_with_routes
+        get "/foo-bar", to: "foo#bar"
+        assert_nil router.eager_load!
+      end
+
+      def test_eager_load_without_routes
+        assert_nil router.eager_load!
+      end
+
       private
 
         def get(*args)