safe redirect_to (open redirector)

Sometimes apps have some functionality that introduces an open redirector, what I mean by that is that it will redirect to a URL supplied by the user in the parameters. This is unsafe for a number of reasons; phishing, XSS, see here: Redirecting…

The common solution is to have a whitelist of permitted hosts or URIs (as with OAuth 2.0 RFC 6819: OAuth 2.0 Threat Model and Security Considerations). Is this something that you might be interested having built into Rails if I was to submit a PR? I was thinking something along the lines of:

config.whitelisted_redirect_hosts = %w{*.app.net auth.company.org}

``

and then any time redirect_to is called the host is automatically validated against the whitelist and probably an error raised if validation fails? maybe some protocol validation too.

The impotus behind bringing it into Rails would be to standardize on it, as it’s security related, ensuring best practice for all users.