From 13fd5586cef628a71e0e2900820010742a911099 Mon Sep 17 00:00:00 2001 From: Derek Prior Date: Tue, 15 Dec 2015 20:17:32 -0500 Subject: Add `redirect_back` for safer referrer redirects `redirect_to :back` is a somewhat common pattern in Rails apps, but it is not completely safe. There are a number of circumstances where HTTP referrer information is not available on the request. This happens often with bot traffic and occasionally to user traffic depending on browser security settings. When there is no referrer available on the request, `redirect_to :back` will raise `ActionController::RedirectBackError`, usually resulting in an application error. `redirect_back` takes a required `fallback_location` keyword argument that specifies the redirect when the referrer information is not available. This prevents 500 errors caused by `ActionController::RedirectBackError`. --- guides/source/action_controller_overview.md | 2 +- guides/source/layouts_and_rendering.md | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) (limited to 'guides') diff --git a/guides/source/action_controller_overview.md b/guides/source/action_controller_overview.md index 7e43ba375a..6c622a3643 100644 --- a/guides/source/action_controller_overview.md +++ b/guides/source/action_controller_overview.md @@ -1150,7 +1150,7 @@ class ApplicationController < ActionController::Base def user_not_authorized flash[:error] = "You don't have access to this section." - redirect_to :back + redirect_back(fallback_location: root_path) end end diff --git a/guides/source/layouts_and_rendering.md b/guides/source/layouts_and_rendering.md index 71cc030f6a..779ba6e5e5 100644 --- a/guides/source/layouts_and_rendering.md +++ b/guides/source/layouts_and_rendering.md 
@@ -628,6 +628,14 @@ You can use `redirect_to` with any arguments that you could use with `link_to` o redirect_to :back ``` +This will raise `ActionController::RedirectBackError` if the request had no +`HTTP_REFERER` information set. To guard against this case, you can provide a +fall back redirect URL by using `redirect_back`: + +```ruby +redirect_back(fallback_location: root_path) +``` + #### Getting a Different Redirect Status Code Rails uses HTTP status code 302, a temporary redirect, when you call `redirect_to`. If you'd like to use a different status code, perhaps 301, a permanent redirect, you can use the `:status` option: -- cgit v1.2.3 From dc4429ca3b21005d0016fca78967c2ebbe9677c9 Mon Sep 17 00:00:00 2001 From: Derek Prior Date: Wed, 16 Dec 2015 09:41:47 -0500 Subject: Deprecate `redirect_to :back` Applications that use `redirect_to :back` can be forced to 500 by clients that do not send the HTTP `Referer` (sic) header. `redirect_back` requires the user to consider this possibility up front and avoids this trivially-caused application error. --- guides/source/layouts_and_rendering.md | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) (limited to 'guides') diff --git a/guides/source/layouts_and_rendering.md b/guides/source/layouts_and_rendering.md index 779ba6e5e5..4bb364c0f8 100644 --- a/guides/source/layouts_and_rendering.md +++ b/guides/source/layouts_and_rendering.md 
@@ -622,15 +622,10 @@ Another way to handle returning responses to an HTTP request is with `redirect_t redirect_to photos_url ``` -You can use `redirect_to` with any arguments that you could use with `link_to` or `url_for`. There's also a special redirect that sends the user back to the page they just came from: - -```ruby -redirect_to :back -``` - -This will raise `ActionController::RedirectBackError` if the request had no -`HTTP_REFERER` information set. To guard against this case, you can provide a -fall back redirect URL by using `redirect_back`: +You can use `redirect_back` to return the user to the page they just came from. +This location is pulled from the `HTTP_REFERER` header which is not guaranteed +to be set by the browser, so you must provide the `fallback_location` +to use in this case. ```ruby redirect_back(fallback_location: root_path) -- cgit v1.2.3
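Review bot: In the `action_controller_overview.md` hunk (commit 13fd558), the `user_not_authorized` handler is switched to `redirect_back(fallback_location: root_path)` with no surrounding explanation of why the `fallback_location:` argument is required, so a reader of this guide sees a new method but not the reason for it. Consider a one-line comment or sentence near the example, e.g. "`redirect_back` falls back to `root_path` when the request carries no referrer", so the overview guide carries the same rationale the `layouts_and_rendering.md` change spells out.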
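Review bot: In the first `layouts_and_rendering.md` hunk (commit 13fd558), "fall back redirect URL" should read "fallback location", matching the `fallback_location:` keyword the example uses and avoiding the suggestion that only URL strings are accepted when the example passes the `root_path` route helper. The paragraph is also phrased as a guard added on top of `redirect_to :back`, which may lead readers to keep both calls; suggest stating that `redirect_back` replaces `redirect_to :back`, redirecting to the referrer when it is present and to `fallback_location` otherwise.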
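Review bot: In the second `layouts_and_rendering.md` hunk (commit dc4429c), the deprecation removes every mention of `redirect_to :back` and `ActionController::RedirectBackError` from the guide even though the subject line says the method is deprecated rather than removed; a short note that `redirect_to :back` is deprecated and raises `ActionController::RedirectBackError` when no referrer is present would help readers migrating existing code. The new prose covers only the missing-header case; since the `HTTP_REFERER` value is supplied by the client, it is worth one sentence that `redirect_back` sends the user wherever that header points, exactly as `redirect_to :back` did, so the fallback does not change where a present referrer leads. Minor: "the `HTTP_REFERER` header which is not guaranteed" needs a comma before "which".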