Merge pull request rails#50277 from skipkayhil/hm-nfd-open-redirects

skipkayhil · web-flow · commit c057edaaadbe · 2023-12-05T17:38:31.000-05:00
Improve doc for raise_on_open_redirects [ci-skip]
diff --git a/guides/source/configuring.md b/guides/source/configuring.md
@@ -1769,7 +1769,14 @@ Raises an `AbstractController::ActionNotFound` when the action specified in call
 
 #### `config.action_controller.raise_on_open_redirects`
 
-Raises an `ActionController::Redirecting::UnsafeRedirectError` when an unpermitted open redirect occurs.
+Protect an application from unintentionally redirecting to an external host
+(also known as an "open redirect") by making external redirects opt-in.
+
+When this configuration is set to `true`, an
+`ActionController::Redirecting::UnsafeRedirectError` will be raised when a URL
+with an external host is passed to [redirect_to][]. If an open redirect should
+be allowed, then `allow_other_host: true` can be added to the call to
+`redirect_to`.
 
 The default value depends on the `config.load_defaults` target version:
 
@@ -1778,6 +1785,8 @@ The default value depends on the `config.load_defaults` target version:
 | (original)            | `false`              |
 | 7.0                   | `true`               |
 
+[redirect_to]: https://api.rubyonrails.org/classes/ActionController/Redirecting.html#method-i-redirect_to
+
 #### `config.action_controller.log_query_tags_around_actions`
 
 Determines whether controller context for query tags will be automatically
