fix(redirects): lock down redirect attempts, fixes #619 #651

Merged
merged 1 commit into from
Sep 19, 2021

@MrSwitch (Owner) commented Sep 16, 2021

Fixes #619
Closes #621

Place a constant on the `redirect.html` page, before including hello.js

Something like ...

```js
// Scope any redirect URLs to the current domain... this would prevent `page_uri` being used to redirect to another domain
var HELLOJS_REDIRECT_URL = window.location.origin;

// Disable any redirect
var HELLOJS_REDIRECT_URL = false;
```

Hellojs could then simply check `!Object.prototype.hasOwnProperty.call(window, 'HELLOJS_REDIRECT_URL') || page_uri.match(window.HELLOJS_REDIRECT_URL)`, before allowing any redirect to occur.

@MrSwitch MrSwitch merged commit 8200873 into master Sep 19, 2021
@MrSwitch MrSwitch deleted the 619-prevent-page-uri-redirects branch September 19, 2021 08:35
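
The check sketched in the comment above, written out next to a stricter exact-origin comparison, as an added example (it is not hello.js source and not the merged commit). `scope` stands in for `window`, `base` for the redirect page's own URL, and the `.example`/`.test` URLs are constructed; the point is that `String.prototype.match` turns a string or `false` argument into an unanchored regular expression, so the two checks disagree on some inputs.

```javascript
// Added example, not hello.js code. `scope` stands in for `window`.

// The check as sketched in the PR comment.
function sketchedCheck(scope, pageUri) {
  return !Object.prototype.hasOwnProperty.call(scope, 'HELLOJS_REDIRECT_URL') ||
    Boolean(pageUri.match(scope.HELLOJS_REDIRECT_URL));
}

// Stricter variant (assumption): parse both URLs and compare origins exactly.
function strictCheck(scope, pageUri, base) {
  if (!Object.prototype.hasOwnProperty.call(scope, 'HELLOJS_REDIRECT_URL')) {
    return true; // constant not defined: no restriction, as in the sketch
  }
  const allowed = scope.HELLOJS_REDIRECT_URL;
  if (typeof allowed !== 'string' || allowed === '') {
    return false; // `false` disables every redirect
  }
  try {
    const target = new URL(pageUri, base); // resolves relative page_uri values
    const isWeb = target.protocol === 'https:' || target.protocol === 'http:';
    return isWeb && target.origin === new URL(allowed).origin;
  } catch (e) {
    return false; // unparseable URL: refuse
  }
}

// Constructed inputs; returns one row per case for comparison.
function compare() {
  const base = 'https://app.example/redirect.html';
  const scoped = { HELLOJS_REDIRECT_URL: 'https://app.example' };
  const disabled = { HELLOJS_REDIRECT_URL: false };
  const cases = [
    [scoped, 'https://app.example/account'],
    [scoped, '/account'],
    [scoped, 'https://other.test/?from=https://app.example'],
    [scoped, 'https://app.example.other.test/'],
    [disabled, 'https://app.example/account'],
    [disabled, 'https://app.example/?debug=false'],
    [{}, 'https://other.test/'],
  ];
  return cases.map(([scope, uri]) => ({
    uri,
    sketched: sketchedCheck(scope, uri),
    strict: strictCheck(scope, uri, base),
  }));
}

console.table(compare());
```

Rows where `sketched` and `strict` differ are the ones a reviewer of a redirect allow-list should add as regression tests.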
@github-actions

🎉 This PR is included in version 1.19.5 🎉

The release is available on:

Your semantic-release bot 📦🚀

Successfully merging this pull request may close these issues.

Page_uri => Vulnerability to open redirect attacks