When you access a Rails controller from another page, the originating URL is sent to the server as the
referrer. In previous versions of Rails, the
redirect_back query parameter with
allow_other_host set as
true could allow a vulnerability for an attacker to override this parameter and force the user to a malicious page.
Before Rails 7.0, the most common solution to this was to set the
1 2 3 4 5 # This will redirect back to the source page redirect_back(fallback_path: "/") # This will not redirect back to the source page redirect_back(fallback_path: "/", allow_other_host: false)
However, there still was a need to raise errors on unpermitted open redirects. With the Rails 7.0 ability to identify if the URL is internal and safe to redirect, the chance of compromising the
referrer has become low. This works best for authentication, as in previous versions a compromised
params[:return_to] could have led users to unsafe locations and provoked a credentials breach.
In Rails 7.0 the problem is solved by setting a
url_from method in private:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 class PostsController < ApplicationController def create @post = Post.new(post_params) if @post.save redirect_to return_url else render :new, status: :unprocessable_entity end end private def return_url url_from(params[:return_to]) || @post end def post_params params.require(:post).permit(:title, :body) end end
url_from method is new in Rails 7 and should not be confused with
url_for which generates an internal URL from within the app.