Change record status: 
Project: 
Introduced in branch: 
8.0.x
Description: 

For better security, the RedirectResponse object now by default does NOT allow external redirects.

If you actively want to redirect to an external URL, use \Drupal\Core\Routing\TrustedRedirectResponse.

Before:

use Symfony\Component\HttpFoundation\RedirectResponse;

public function myController() {
  // External target in a plain RedirectResponse: rejected by default in 8.0.x.
  return new RedirectResponse('http://example.com/foo/bar/');
}

After:

use Drupal\Core\Routing\TrustedRedirectResponse;

public function myController() {
  // Developer-chosen external target: explicitly marked as trusted.
  return new TrustedRedirectResponse('http://example.com/foo/bar/');
}

Do not use TrustedRedirectResponse with user-submitted data; use a normal RedirectResponse in that case, so that an externally pointing value is refused instead of sending the user off-site.
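The following controller is an added example and not part of this change record or of Drupal core. It puts the three cases side by side: a developer-chosen external target (TrustedRedirectResponse), a local route (plain RedirectResponse), and a destination taken from the request, where the plain RedirectResponse is kept deliberately and the value is additionally checked so an external or protocol-relative value falls back to a known local route. The module name "mymodule", the route name "mymodule.landing" and the partner URL are assumptions made up for the example.

```php
<?php

// Added example, not code from the change record or from Drupal core.
// Assumed names: module "mymodule", route "mymodule.landing", and the
// placeholder external URL https://partner.example.com/landing.

namespace Drupal\mymodule\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Routing\TrustedRedirectResponse;
use Drupal\Core\Url;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;

class RedirectExampleController extends ControllerBase {

  /**
   * Case 1: hard-coded, developer-controlled external target.
   *
   * The destination is a constant chosen by the module author and is never
   * influenced by the request, so TrustedRedirectResponse is appropriate.
   */
  public function toPartnerSite() {
    // Placeholder external URL (assumption).
    return new TrustedRedirectResponse('https://partner.example.com/landing');
  }

  /**
   * Case 2: local route; the default RedirectResponse is all that is needed.
   */
  public function toLandingPage() {
    $url = Url::fromRoute('mymodule.landing')->toString();
    return new RedirectResponse($url);
  }

  /**
   * Case 3: destination taken from user-submitted data.
   *
   * A plain RedirectResponse is used on purpose: if the submitted value is
   * an external URL, Drupal refuses the redirect with the "Redirects to
   * external URLs are not allowed by default" error instead of sending the
   * user off-site. The value is also checked explicitly so that a rejected
   * value falls back to a known local route rather than producing an error.
   */
  public function toRequestedDestination(Request $request) {
    $destination = (string) $request->query->get('destination', '');
    $fallback = Url::fromRoute('<front>')->toString();

    if (!self::isLocalPath($destination)) {
      return new RedirectResponse($fallback);
    }
    return new RedirectResponse($destination);
  }

  /**
   * Accepts only site-relative paths: one leading "/" and no scheme or host.
   *
   * Rejects "//host/..." and "/\host/..." (protocol-relative URLs that
   * browsers resolve to another site) as well as absolute URLs.
   */
  public static function isLocalPath(string $path): bool {
    if ($path === '' || $path[0] !== '/') {
      return FALSE;
    }
    if (isset($path[1]) && ($path[1] === '/' || $path[1] === '\\')) {
      return FALSE;
    }
    $parts = parse_url($path);
    return $parts !== FALSE && !isset($parts['scheme']) && !isset($parts['host']);
  }

}
```

The check in isLocalPath() is defence in depth, not a replacement for the core behaviour: even without it, the plain RedirectResponse in case 3 is what makes Drupal reject an external destination, which is exactly why the record says not to wrap user-submitted data in TrustedRedirectResponse.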

Impacts: 
Module developers
Updates Done (doc team, etc.)
Online documentation: 
Not done
Theming guide: 
Not done
Module developer documentation: 
Not done
Examples project: 
Not done
Coder Review: 
Not done
Coder Upgrade: 
Not done
Other: 
Other updates done

Comments

Chetabahana’s picture

Just installed one of my sites using version 8.0.1 on Amazon AWS Linux.
Everything seems to work properly, but each time a form is submitted I always get the following message:

"Redirects to external URLs are not allowed by default, use \Drupal\Core\Routing\TrustedRedirectResponse for it."

How do I fix this '\Drupal\Core\Routing\TrustedRedirectResponse'?
It would be great if someone could advise me or if there is a correct patch file. Thanks.

stephen Piscura’s picture

https://www.drupal.org/node/2612160#comment-10637490

This did the trick for me. Keep an eye on the thread though as it may have security implications.

shotsy247’s picture

Did you find out how to fix this? I'm getting this error as well, except only on a site where Drupal is not installed at the root level.

_t

stephen Piscura’s picture

I'm hitting the same problem in my shared hosting environment. Drupal is not at the root and I'm seeing the same error all the time.

jonathanshaw’s picture

This means that to redirect a form to an external URL, you need to use $form_state->setRedirectResponse(), not $form_state->setRedirectUrl().