-
Alex authored
Consider a controller that does this: ```ruby begin redirect_to "http://www.rubyonrails.org/", allow_other_host: false rescue ActionController::Redirecting::UnsafeRedirectError render plain: "caught error" end ``` The `redirect_to` will raise and the `rescue` will execute. But currently, the response status will still be changed (to 302). So even if you render something, we will return to the browser a 302 response code, with no response location. This is not a valid response. This PR fixes this, by only setting the status once the location has been verified. Note: I came across this issue while trying to work around https://github.com/rails/rails/issues/53464, but it's not dependent on that issue.Alex authoredConsider a controller that does this: ```ruby begin redirect_to "http://www.rubyonrails.org/", allow_other_host: false rescue ActionController::Redirecting::UnsafeRedirectError render plain: "caught error" end ``` The `redirect_to` will raise and the `rescue` will execute. But currently, the response status will still be changed (to 302). So even if you render something, we will return to the browser a 302 response code, with no response location. This is not a valid response. This PR fixes this, by only setting the status once the location has been verified. Note: I came across this issue while trying to work around https://github.com/rails/rails/issues/53464, but it's not dependent on that issue.
Loading