FEATURE: Site setting for blocking onebox of URLs that redirect (#16881)

Meta topic: https://meta.discourse.org/t/prevent-to-linkify-when-there-is-a-redirect/226964/2?u=osama. This commit adds a new site setting `block_onebox_on_redirect` (default off) for blocking oneboxes (full and inline) of URLs that redirect. Note that an initial http → https redirect is still allowed if the redirect location is identical to the source (minus the scheme of course). For example, if a user includes a link to `http://example.com/page` and the link resolves to `https://example.com/page`, then the link will onebox (assuming it can be oneboxed) even if the setting is enabled. The reason for this is a user may type out a URL (i.e. the URL is short and memorizable) with http and since a lot of sites support TLS with http traffic automatically redirected to https, so we should still allow the URL to onebox.
2025-06-05 14:07:30 +08:00 · 2022-05-23 13:52:06 +03:00
parent a03ae9b323
commit d15867463f
8 changed files with 206 additions and 21 deletions
--- a/spec/lib/inline_oneboxer_spec.rb
+++ b/spec/lib/inline_oneboxer_spec.rb
@ -265,5 +265,53 @@ describe InlineOneboxer do
        expect(onebox[:title]).to be_blank
      end
    end
+
+    context "when block_onebox_on_redirect is enabled" do
+      before do
+        SiteSetting.block_onebox_on_redirect = true
+      end
+
+      after do
+        FinalDestination.clear_https_cache!("redirects.com")
+      end
+
+      it "doesn't onebox if the URL redirects" do
+        stub_request(:get, "https://redirects.com/blah/gg")
+          .to_return(
+            status: 301,
+            body: "",
+            headers: { "location" => "https://redirects.com/blah/gg/redirect" }
+          )
+        onebox = InlineOneboxer.lookup("https://redirects.com/blah/gg", skip_cache: true)
+        expect(onebox[:title]).to be_blank
+      end
+
+      it "allows an initial http -> https redirect if the redirect URL is identical to the original" do
+        stub_request(:get, "http://redirects.com/blah/gg")
+          .to_return(
+            status: 301,
+            body: "",
+            headers: { "location" => "https://redirects.com/blah/gg" }
+          )
+        stub_request(:get, "https://redirects.com/blah/gg")
+          .to_return(
+            status: 200,
+            body: "<html><head><title>The Redirects Website</title></head></html>"
+          )
+        onebox = InlineOneboxer.lookup("http://redirects.com/blah/gg", skip_cache: true)
+        expect(onebox[:title]).to eq("The Redirects Website")
+      end
+
+      it "doesn't allow an initial http -> https redirect if the redirect URL is different to the original" do
+        stub_request(:get, "http://redirects.com/blah/gg")
+          .to_return(
+            status: 301,
+            body: "",
+            headers: { "location" => "https://redirects.com/blah/gg/2" }
+          )
+        onebox = InlineOneboxer.lookup("http://redirects.com/blah/gg", skip_cache: true)
+        expect(onebox[:title]).to be_blank
+      end
+    end
  end
 end