Method: ActionController::Redirecting#url_from
- Defined in:
- actionpack/lib/action_controller/metal/redirecting.rb
#url_from(location) ⇒ Object
Verifies the passed `location` is an internal URL that's safe to redirect to and returns it, or nil if not. Useful to wrap a params-provided redirect URL and fall back to an alternate URL to redirect to:
redirect_to url_from(params[:redirect_url]) || root_url
The `location` is considered internal, and safe, if it's on the same host as `request.host`:
# If request.host is example.com:
url_from("https://example.com/profile") # => "https://example.com/profile"
url_from("http://example.com/profile") # => "http://example.com/profile"
url_from("http://evil.com/profile") # => nil
Subdomains are considered part of the host:
# If request.host is on https://example.com or https://app.example.com, you'd get:
url_from("https://dev.example.com/profile") # => nil
NOTE: there's a similarity with [url_for](ActionDispatch::Routing::UrlFor#url_for), which generates an internal URL from various options from within the app, e.g. `url_for(@post)`. However, #url_from is meant to take an external parameter to verify, as in `url_from(params[:redirect_url])`.
# File 'actionpack/lib/action_controller/metal/redirecting.rb', line 203
def url_from(location)
  location = location.presence
  location if location && _url_host_allowed?(location)
end
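The same-host rule documented above, as an added plain-Ruby example that runs without Rails; it is not the Rails source and does not reproduce `_url_host_allowed?`. `safe_redirect_target`, `redirect_target_or` and the explicit `request_host` argument are hypothetical names, and rejecting relative paths and unparseable input is this sketch's own choice, not a statement about Rails behaviour.

```ruby
require "uri"

# Stand-in for the documented rule: return the location only when its host
# is exactly the host the request arrived on, otherwise nil.
def safe_redirect_target(location, request_host)
  location = location.to_s
  return nil if location.strip.empty?   # same effect as location.presence

  host = URI.parse(location).host
  # Exact match only: "dev.example.com" is a different host than "example.com".
  host == request_host ? location : nil
rescue URI::InvalidURIError
  nil                                   # unparseable input is never trusted
end

# Mirrors `redirect_to url_from(params[:redirect_url]) || root_url`:
# anything that fails the check falls back to a URL the app chose itself.
def redirect_target_or(fallback, location, request_host)
  safe_redirect_target(location, request_host) || fallback
end

# Constructed sample inputs, using the hosts from the documentation above.
SAMPLE_LOCATIONS = [
  "https://example.com/profile",
  "http://example.com/profile",
  "http://evil.com/profile",
  "https://dev.example.com/profile",
  "/profile",
  "not a url",
  "",
  nil
].freeze

# Evaluate every sample as if request.host were "example.com".
def evaluate_samples(request_host = "example.com", fallback = "https://example.com/")
  SAMPLE_LOCATIONS.to_h do |loc|
    [loc, redirect_target_or(fallback, loc, request_host)]
  end
end

if __FILE__ == $PROGRAM_NAME
  evaluate_samples.each { |input, target| puts "#{input.inspect} -> #{target}" }
end
```

Only the first two samples are passed through unchanged; every other input resolves to the fallback URL.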