diff options
author | Chirag Singhal <chirag.singhal@sumerusolutions.com> | 2016-02-28 15:56:12 +0530 |
---|---|---|
committer | Chirag Singhal <chirag.singhal@sumerusolutions.com> | 2016-08-22 10:53:41 +0530 |
commit | 64f9802e90369bcf8bb906a8c7b01212e02b0e39 (patch) | |
tree | 2c5139c9aedbbfd35877ee25dd11c905f1510a46 /actionpack/test/dispatch | |
parent | 9ef56e51624ca7056599115eee3b43e248354bf7 (diff) | |
download | rails-64f9802e90369bcf8bb906a8c7b01212e02b0e39.tar.gz rails-64f9802e90369bcf8bb906a8c7b01212e02b0e39.tar.bz2 rails-64f9802e90369bcf8bb906a8c7b01212e02b0e39.zip |
Return 307 status instead of 301 when rerouting POST requests to SSL
When `config.force_ssl` is set to `true`, any POST/PUT/DELETE requests coming in to non-secure url are being redirected with a 301 status.
However, when that happens, the request is converted to a GET request and ends up hitting a different action on the controller.
Since we can not do non-GET redirects, we can instead redirect with a 307 status code instead to indicate to the caller that a fresh request should be tried preserving the original request method.
`rack-ssl` gem which was used to achieve this before we had this middleware directly baked into Rails also used to do the same, ref: https://github.com/josh/rack-ssl/blob/master/lib/rack/ssl.rb#L54
This would be specially important for any apps switching from older version of Rails or apps which expose an API through Rails.
Diffstat (limited to 'actionpack/test/dispatch')
-rw-r--r-- | actionpack/test/dispatch/ssl_test.rb | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/actionpack/test/dispatch/ssl_test.rb b/actionpack/test/dispatch/ssl_test.rb index ccddb90bb5..71b274bf1e 100644 --- a/actionpack/test/dispatch/ssl_test.rb +++ b/actionpack/test/dispatch/ssl_test.rb @@ -38,6 +38,16 @@ class RedirectSSLTest < SSLTest assert_equal redirect[:body].join, @response.body end + def assert_post_redirected(redirect: {}, from: "http://a/b?c=d", + to: from.sub("http", "https")) + + self.app = build_app ssl_options: { redirect: redirect } + + post from + assert_response redirect[:status] || 307 + assert_redirected_to to + end + test "exclude can avoid redirect" do excluding = { exclude: -> request { request.path =~ /healthcheck/ } } @@ -57,6 +67,10 @@ class RedirectSSLTest < SSLTest assert_redirected end + test "http POST is redirected to https with status 307" do + assert_post_redirected + end + test "redirect with non-301 status" do assert_redirected redirect: { status: 307 } end |