Background information

This was originally reported as a private security issue, but has been approved for handling in the public queue by the Drupal Security Team.

Problem/Motivation

RedirectResponseSubscriber prevents redirect responses from redirecting to untrusted URLs.
For example, this is not allowed:

  // A plain RedirectResponse (Symfony\Component\HttpFoundation\RedirectResponse)
  // to an external host is rejected by RedirectResponseSubscriber.
  public function test() {
    return new RedirectResponse('http://example.com');
  }

But the same external target sent as an AJAX redirect command is not subject to that check, so this works:

  // Drupal\Core\Ajax\AjaxResponse and Drupal\Core\Ajax\RedirectCommand: the
  // response is not a RedirectResponse, so the subscriber never inspects it.
  public function test() {
    $response = new AjaxResponse();
    $response->addCommand(new RedirectCommand('http://example.com'));

    return $response;
  }
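
One way to close the gap for the second case, as an added example that is neither Drupal core code nor the resolution proposed in this issue: a hypothetical event subscriber (module and class names are invented) that applies the same "local targets only" policy to the redirect commands of an AjaxResponse. It assumes Drupal 9 or later on PHP 8, and that AjaxResponse::getCommands() returns the already-rendered command arrays.

```php
<?php
namespace Drupal\ajax_redirect_guard\EventSubscriber;

use Drupal\Component\Utility\UrlHelper;
use Drupal\Core\Ajax\AjaxResponse;
use Drupal\Core\Ajax\CommandInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

// Hypothetical module: mirrors RedirectResponseSubscriber's policy for AJAX 'redirect' commands.
class AjaxRedirectGuard implements EventSubscriberInterface {

  public static function getSubscribedEvents(): array {
    // Low priority so the final command list of the response is inspected.
    return [KernelEvents::RESPONSE => ['checkAjaxRedirects', -50]];
  }

  public function checkAjaxRedirects(ResponseEvent $event): void {
    $response = $event->getResponse();
    if (!$response instanceof AjaxResponse) {
      return;
    }
    $base = $event->getRequest()->getSchemeAndHttpHost();
    $safe = new AjaxResponse();
    $dropped = 0;
    foreach ($response->getCommands() as $command) {
      $url = (string) ($command['url'] ?? '');
      if (($command['command'] ?? '') === 'redirect' && !self::isLocal($url, $base)) {
        $dropped++;  // Untrusted target: leave it out (a logger call belongs here).
        continue;
      }
      // Re-add the already-rendered command array unchanged (PHP 8 syntax).
      $safe->addCommand(new class($command) implements CommandInterface {
        public function __construct(private array $rendered) {}
        public function render(): array { return $this->rendered; }
      });
    }
    if ($dropped > 0) {
      $safe->setAttachments($response->getAttachments());
      $event->setResponse($safe);
    }
  }

  // TRUE for relative paths and for absolute URLs that point at this site.
  public static function isLocal(string $url, string $base): bool {
    try { return !UrlHelper::isExternal($url) || UrlHelper::externalIsLocal($url, $base); }
    catch (\InvalidArgumentException $e) { return FALSE; }  // No usable host: untrusted.
  }

}
```

Register the class as a service tagged `event_subscriber` in the module's services.yml for it to run.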

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Comments

prudloff created an issue.