Introduce ExternalRedirectResponse, which allows redirects to hosts that are not in the global redirect configuration allowlist. This allows for more fine-grained allowlisting because you can specify additional allowed hosts on the response (e.g. in a controller) and no longer need to allow them all globally through the config.
Any allowed hosts passed to ExternalRedirectResponse would be allowed in addition to those in the configuration.
use Nelmio\SecurityBundle\ExternalRedirect\ExternalRedirectResponse;
// Will be allowed even if "foo.com" is not allowed globally through the config.
return new ExternalRedirectResponse('https://foo.com', ['foo.com', 'auth-provider.test']);
// Will not be allowed: "not-allowed.com" is neither in the response allowlist nor (presumably) in the global config allowlist, so it must be added to the global config for this redirect to go through.
return new ExternalRedirectResponse('https://not-allowed.com', ['foo.com', 'auth-provider.test']);
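A fuller usage pattern, added here as an example and not part of the original PR or of the bundle's own code: a Symfony controller that redirects to an identity provider chosen from a server-side registry, adding only that provider's host to the per-response allowlist. The controller name, route, the PROVIDERS map and the provider hostnames are all assumptions. The second method shows the pattern to avoid: feeding a request-controlled host into the allowlist argument, which would make the per-response allowlist useless as an open-redirect guard.

```php
<?php
// Added example (not code from the original PR or from NelmioSecurityBundle).
// Controller name, route, the PROVIDERS map and the hostnames are assumptions.

namespace App\Controller;

use Nelmio\SecurityBundle\ExternalRedirect\ExternalRedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Routing\Annotation\Route;

final class LoginRedirectController
{
    /**
     * Server-side registry of trusted providers (assumed values). Both the
     * redirect target and the host added to the response allowlist are taken
     * from here, never from the request, so a caller can only pick one of
     * these entries and cannot introduce a host of their own.
     */
    private const PROVIDERS = [
        'acme' => 'https://login.acme-idp.test/authorize',
        'corp' => 'https://sso.corp-idp.test/oauth2/authorize',
    ];

    #[Route('/login/{provider}', name: 'app_login_redirect')]
    public function __invoke(string $provider): Response
    {
        $target = self::PROVIDERS[$provider] ?? null;
        if ($target === null) {
            throw new NotFoundHttpException('Unknown identity provider');
        }

        // Only the host of the chosen provider is allowed, and only for this
        // one response. Other external hosts stay blocked unless they are in
        // the global nelmio_security external_redirects allowlist.
        $host = parse_url($target, PHP_URL_HOST);

        return new ExternalRedirectResponse($target, [$host]);
    }

    /**
     * ANTI-PATTERN, kept here only to show what not to do: the redirect
     * target comes from a query parameter and its host is copied straight
     * into the allowlist. Every host is then "allowed", which is exactly the
     * open redirect the external-redirect check exists to prevent.
     */
    public function insecureNextRedirect(Request $request): Response
    {
        $next = (string) $request->query->get('next', '/');
        $host = parse_url($next, PHP_URL_HOST);

        // DO NOT DO THIS: attacker-controlled host allowlisted by the response itself.
        return new ExternalRedirectResponse($next, $host ? [$host] : []);
    }
}
```

The rule of thumb is that the second argument of ExternalRedirectResponse must be built from data the application already trusts (configuration, a registry, a database row written by an admin), never from anything that arrived in the request; the per-response allowlist narrows the scope of the global allowlist, it does not replace the need for one.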