docs(controller): add ctx.redirect (#2373)

eggjs · Apr 12, 2018 · cd418f5 · cd418f5
1 parent 2fafb16
commit cd418f5
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/docs/source/en/basics/controller.md b/docs/source/en/basics/controller.md
@@ -920,3 +920,22 @@ class ProxyController extends Controller {
  }
 }
 ```
+
+### Redirect
+
+The framework overwrites koa's native `ctx.redirect` implementation with a security plugin to provide a more secure redirect.
+
+
+* `ctx.redirect(url)` Forbids redirect if it is not in the configured whitelist domain name.
+* `ctx.unsafeRedirect(url)` does not determine the domain name and redirect directly. Generally, it is not recommended to use it. Use it after clearly understanding the possible risks.
+
+If you use the `ctx.redirect` method, you need to configure the application configuration file as follows:
+
+```js
+// config/config.default.js
+exports.security = {
+ domainWhiteList:['.domain.com'], // Security whitelist, starts with `.`
+};
+```
+
+If the user does not configure the `domainWhiteList` or the `domainWhiteList` array to be empty, then all redirect requests will be released by default, which is equivalent to `ctx.unsafeRedirect(url)`.
diff --git a/docs/source/zh-cn/basics/controller.md b/docs/source/zh-cn/basics/controller.md
@@ -923,3 +923,21 @@ class ProxyController extends Controller {
  }
 };
 ```
+
+### 重定向
+
+框架通过 security 插件覆盖了 koa 原生的 `ctx.redirect` 实现，以提供更加安全的重定向。
+
+* `ctx.redirect(url)` 如果不在配置的白名单域名内，则禁止跳转。
+* `ctx.unsafeRedirect(url)` 不判断域名，直接跳转，一般不建议使用，明确了解可能带来的风险后使用。
+
+用户如果使用`ctx.redirect`方法，需要在应用的配置文件中做如下配置：
+
+```js
+// config/config.default.js
+exports.security = {
+ domainWhiteList:['.domain.com'], // 安全白名单，以 . 开头
+};
+```
+
+若用户没有配置 `domainWhiteList` 或者 `domainWhiteList`数组内为空，则默认会对所有跳转请求放行，即等同于`ctx.unsafeRedirect(url)`