Sometimes apps have some functionality that introduces an open redirector, what I mean by that is that it will redirect to a URL supplied by the user in the parameters. This is unsafe for a number of reasons; phishing, XSS, see here: https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet#Redirects_and_Forwards
The common solution is to have a whitelist of permitted hosts or URIs (as with OAuth 2.0 https://tools.ietf.org/html/rfc6819#section-5.2.3.5). Is this something that you might be interested having built into Rails if I was to submit a PR? I was thinking something along the lines of: config.whitelisted_redirect_hosts = %w{*.app.net auth.company.org} and then any time redirect_to is called the host is automatically validated against the whitelist and probably an error raised if validation fails? maybe some protocol validation too. The impotus behind bringing it into Rails would be to standardize on it, as it's security related, ensuring best practice for all users. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-core+unsubscr...@googlegroups.com. To post to this group, send email to rubyonrails-core@googlegroups.com. Visit this group at https://groups.google.com/group/rubyonrails-core. For more options, visit https://groups.google.com/d/optout.
