field | value | date
---|---|---
author | Chirag Singhal <chirag.singhal@sumerusolutions.com> | 2016-02-28 15:56:12 +0530
committer | Chirag Singhal <chirag.singhal@sumerusolutions.com> | 2016-08-22 10:53:41 +0530
commit | 64f9802e90369bcf8bb906a8c7b01212e02b0e39 (patch) |
tree | 2c5139c9aedbbfd35877ee25dd11c905f1510a46 /actionpack/CHANGELOG.md |
parent | 9ef56e51624ca7056599115eee3b43e248354bf7 (diff) |
download | rails-64f9802e90369bcf8bb906a8c7b01212e02b0e39.tar.gz rails-64f9802e90369bcf8bb906a8c7b01212e02b0e39.tar.bz2 rails-64f9802e90369bcf8bb906a8c7b01212e02b0e39.zip |
Return 307 status instead of 301 when rerouting POST requests to SSL
When `config.force_ssl` is set to `true`, any POST/PUT/DELETE requests coming in to a non-secure URL are being redirected with a 301 status.
However, when that happens, the request is converted to a GET request and ends up hitting a different action on the controller.
Since we cannot do non-GET redirects, we can instead redirect with a 307 status code to indicate to the caller that a fresh request should be tried, preserving the original request method.
The `rack-ssl` gem, which was used to achieve this before we had this middleware baked directly into Rails, also used to do the same; ref: https://github.com/josh/rack-ssl/blob/master/lib/rack/ssl.rb#L54
This would be especially important for any apps switching from an older version of Rails or apps which expose an API through Rails.
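The behaviour the commit describes, as an added example that is not Rails' own `ActionDispatch::SSL` middleware or the `rack-ssl` gem: a minimal Rack-style middleware that answers plaintext GET/HEAD with 301 and every other method with 307, a stand-in downstream app that reports whether the replayed request reached `#create` or `#index`, and a simulated user agent that follows a 301 by switching to GET and a 307 by keeping the method. Everything here (`ForceSSL`, `RECORDING_APP`, `plaintext_post_env`, `redirect_then_replay`, the `method_preserving:` option that reproduces the old 301-for-everything behaviour, and the constructed request envs) is this example's own; the only library used is the standard `uri`.

```ruby
require 'uri'

# Added example, not Rails' own ActionDispatch::SSL or the rack-ssl gem: a
# minimal Rack-style middleware that redirects plaintext requests to https.
# GET/HEAD get a 301; every other method gets a 307 so the client replays the
# same method and body against the https URL. The Rack env is a plain Hash,
# so no gem is needed. All names here are this example's own.
class ForceSSL
  # Only these may be turned into a GET by a 301 without changing meaning.
  SAFE_METHODS = %w[GET HEAD].freeze

  # method_preserving: false reproduces the old "301 for everything" behaviour.
  def initialize(app, method_preserving: true)
    @app = app
    @method_preserving = method_preserving
  end

  def call(env)
    return @app.call(env) if secure?(env)

    status = if !@method_preserving || SAFE_METHODS.include?(env['REQUEST_METHOD'])
               301
             else
               307
             end
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
    [status, { 'Location' => location, 'Content-Type' => 'text/plain' }, []]
  end

  private

  # X-Forwarded-Proto is trusted only on the assumption that a TLS-terminating
  # proxy in front of the app overwrites any client-supplied value.
  def secure?(env)
    env['rack.url_scheme'] == 'https' ||
      env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip == 'https'
  end
end

# Downstream app standing in for ArticlesController: POST /articles is #create,
# GET /articles is #index, so we can see which action the replayed request hits.
RECORDING_APP = lambda do |env|
  action = env['REQUEST_METHOD'] == 'POST' ? 'ArticlesController#create' : 'ArticlesController#index'
  [200, { 'Content-Type' => 'text/plain' }, [action]]
end

# Constructed env for "POST http://example.com/articles" with a form body.
def plaintext_post_env(body = 'title=Hello')
  {
    'REQUEST_METHOD' => 'POST',
    'rack.url_scheme' => 'http',
    'HTTP_HOST' => 'example.com',
    'PATH_INFO' => '/articles',
    'QUERY_STRING' => '',
    'rack.input' => body
  }
end

# Simulates how common user agents follow a redirect: after 301/302 a non-GET
# request is replayed as a bodiless GET (the behaviour that sends a POST to
# #index); after 307/308 the method and body are kept.
def follow_redirect(app, env, status, headers)
  target = URI(headers['Location'])
  next_env = env.merge(
    'rack.url_scheme' => target.scheme,
    'HTTP_HOST' => target.host,
    'PATH_INFO' => target.path,
    'QUERY_STRING' => target.query.to_s
  )
  if [301, 302].include?(status) && env['REQUEST_METHOD'] != 'GET'
    next_env['REQUEST_METHOD'] = 'GET'
    next_env['rack.input'] = ''
  end
  app.call(next_env)
end

# Returns [redirect status, action that finally handled the request].
def redirect_then_replay(app, env)
  status, headers, _body = app.call(env)
  raise "expected a redirect, got #{status}" unless (300..399).cover?(status)
  _final_status, _final_headers, body = follow_redirect(app, env, status, headers)
  [status, body.join]
end

if __FILE__ == $PROGRAM_NAME
  # Before: [301, "ArticlesController#index"]; after: [307, "ArticlesController#create"]
  p redirect_then_replay(ForceSSL.new(RECORDING_APP, method_preserving: false), plaintext_post_env)
  p redirect_then_replay(ForceSSL.new(RECORDING_APP), plaintext_post_env)
end
```

Note that the redirect is issued only after the plaintext request, body included, has already left the client; the 307 keeps the POST from being silently turned into a GET, but it does not retroactively protect what was sent over `http://`.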
Diffstat (limited to 'actionpack/CHANGELOG.md')
-rw-r--r-- | actionpack/CHANGELOG.md | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 9dab1cc76a..d1a2b9b827 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,23 @@ +* SSL: Changes redirect behavior for all non-GET and non-HEAD requests + (like POST/PUT/PATCH etc) to `http://` resources to redirect to `https://` + with a [307 status code](http://tools.ietf.org/html/rfc7231#section-6.4.7) instead of [301 status code](http://tools.ietf.org/html/rfc7231#section-6.4.2). + + 307 status code instructs the HTTP clients to preserve the original + request method while redirecting. It has been part of HTTP RFC since + 1999 and is implemented/recognized by most (if not all) user agents. + + # Before + POST http://example.com/articles (i.e. ArticlesContoller#create) + redirects to + GET https://example.com/articles (i.e. ArticlesContoller#index) + + # After + POST http://example.com/articles (i.e. ArticlesContoller#create) + redirects to + POST https://example.com/articles (i.e. ArticlesContoller#create) + + *Chirag Singhal* + * Add `:as` option to `ActionController:TestCase#process` and related methods. Specifying `as: mime_type` allows the `CONTENT_TYPE` header to be specified |
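Review bot: the controller name in the Before/After example of the new CHANGELOG entry is misspelled three times as `ArticlesContoller`; it should read `ArticlesController#create` and `ArticlesController#index`, since readers will copy these names when looking up the affected actions. While touching the entry, it would also help to state that the 307 is sent only after the plaintext `POST http://example.com/articles` has already reached the server, so the change preserves the request method across the redirect rather than making the original non-secure request safe.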