Index: application_controller.rb
===================================================================
--- application_controller.rb (revision 16811)
+++ application_controller.rb (working copy)
@@ -55,6 +55,8 @@
 
  rescue_from ::Unauthorized, :with => :deny_access
  rescue_from ::ActionView::MissingTemplate, :with => :missing_template
+ rescue_from ::ActionController::UnknownFormat, :with => :unknown_format
+ rescue_from ::ActionController::InvalidCrossOriginRequest, :with => :csrf_error
 
  include Redmine::Search::Controller
  include Redmine::MenuManager::MenuController
@@ -508,6 +510,23 @@
  render_404
  end
 
+ def unknown_format(exception)
+ if Rails.application.config.consider_all_requests_local
+ raise exception
+ else
+ head 406
+ end
+ end
+
+ def csrf_error(exception)
+ if Rails.application.config.consider_all_requests_local
+ raise exception
+ else
+ self.response_body = nil
+ head 400
+ end
+ end
+
  # Filter for actions that provide an API response
  # but have no HTML representation for non admin users
  def require_admin_or_api_request
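Review bot: In `csrf_error` (second hunk), the non-local branch answers 400 without logging anything, so once `rescue_from` has swallowed the exception a blocked cross-origin JavaScript request leaves no application-level trace for detection or triage. I would add `logger.warn "Blocked cross-origin JavaScript request: #{request.request_method} #{request.filtered_path}"` before `self.response_body = nil`; `filtered_path` rather than `fullpath` keeps filtered query parameters such as API keys out of the log. The `self.response_body = nil` line also deserves a comment such as `# raised after the action has rendered: discard that body so it is never sent to the other origin`. Rails appears to raise this exception from an after-action check, so the action's side effects have already happened when the handler runs and only the response is withheld. Both handlers are complete in the hunk; the enclosing class starts and ends outside it.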