Limit the possibilities of open redirects

The function [`respondToExitIframeRequest`](https://github.com/Shopify/shopify-app-js/blob/7404f41d8542957f5f577055c4bab0e6a0adb767/packages/apps/shopify-app-remix/src/server/authenticate/admin/authenticate.ts#L71) will redirect to any URL passed in the `exitIframe` parameter.

We could simply check that the `exitIframe` parameter starts with `/auth?` to limit the possibilities of open redirects.

Note: I didn't report this as a security vulnerability as open redirects [are ineligible](https://www.shopify.com/bugbounty/criteria?q=ineligible-issues).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Limit the possibilities of open redirects #2180

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Limit the possibilities of open redirects #2180

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions