Code leaked cacheability metadata

I just started coming across this problem as of 3.10. It pops up when using a link with the 'destination' parameter, as in this twig template snippet:
<a href="/saml/login?destination={{ path('<current>') }}">Website Login</a>

With 📌 Correctly handle cache data instead of throwing an Exception in EarlyRenderingControllerWrapperSubscriber() Fixed maybe this isn't a problem anymore? Or rather, the problem is no longer an exception?

Embarrassingly, 3.x-1.10 itself contains an error that triggered the warning and therefore should be fixed. Your issue is probably fixed with 🐛 Cacheability Metadata Leakage Error on SAML Login with Samlauth and r4032 Redirect Module Active . 8.x-3.11 is out now.

Just reporting that I am still seeing this error, even in 3.11.

But I would really rather that people fix their sites and post known patches here

Yes, I can do that! I can verify the following:

- Using Samlauth 3.11 on its own does not trigger this warning for multiple sites I tested
- Using the Metatag module (see #6 and #8 above) does not trigger this warning, at least not with the configuration we have.
- What *is* triggering this warning is a custom implementation of hook_user_login() that modifies the destination parameter, passing a Drupal Url object as the parameter WITHOUT SPECIFYING that the metadata should bubble:

From Core's API, the Url::fromRoute->toString() method takes an optional parameter that defaults to FALSE:

public function toString($collect_bubbleable_metadata = FALSE) {

In the case of my custom code, this change suppressed the warning:

/**
 * Implements hook_user_login().
 */
function mymodule_user_login($account) {
  $param = \Drupal::request()->query->all();
  if (!$param || !isset($param['destination'])) {
    // For every user but "user 1", redirect to /dashboard upon login.
    if ($account->id() != 1) {
-      \Drupal::service('request_stack')->getCurrentRequest()->query->set('destination', Url::fromRoute('MYMODULE.ROUTE')->toString());
+      \Drupal::service('request_stack')->getCurrentRequest()->query->set('destination', Url::fromRoute('MYMODULE.ROUTE')->toString(TRUE)->getGeneratedUrl());
    }
  }
}

My conclusion is that for the majority of folks coming to this issue, the problem is probably in custom code that implements hook_user_login()

Thanks for the pointer @mark_fullmer!

I did had the custom code in the hook_user_login() that did a "destination" based redirect to the Url::fromRoute()->toString(), and it did produced the warning for every log in.

I've tried to use suggested Url::fromRoute()->toString(TRUE)->getGeneratedUrl() and it did got rid of the warning.
That made me wonder and I started digging.

The Url::fromRoute()->toString() bubbles metadata by default, but only if called in the render context and everything generated from the controllers is renderer with the render context that is the request that the controller is responding to. See \Drupal\Core\Render\Renderer::getCurrentRenderContext() and the comment in the \Drupal\Core\Render\MetadataBubblingUrlGenerator::bubble() method body ( provided below ):

Bubbling metadata makes sense only if the code is executed inside a render context. All code running outside controllers has no render context by default, so URLs used there are not supposed to affect the response cacheability.

Posting this as a reminder to myself and anyone else confused like me - if you are not rendering anything in your controller, it doesn't mean that there is no render context involved!