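--- a/django_browserid/static/browserid
+++ b/django_browserid/static/browserid
@@ -21,6 +21,18 @@
 }
 }
 
+/**
+ * Compare the given URL to the current page's URL to see if they share the
+ * same origin.
+ */
+function matchesCurrentOrigin ( url ) {
+var a = document . createElement ( 'a' ) ;
+a . href = url ;
+var hostMatch = ! a . host || window . location . host === a . host ;
+var protocolMatch = ! a . protocol || window . location . protocol === a . protocol ;
+return hostMatch && protocolMatch ;
+}
+
 $ ( function ( ) {
 django_browserid . registerWatchHandlers ( onAutoLogin ) ;
 
@@ -32,7 +44,10 @@
 window . sessionStorage . browseridLoginAttempt = 'true' ;
 django_browserid . login ( ) . then ( function ( verifyResult ) {
 window . sessionStorage . browseridLoginAttempt = 'false' ;
-window . location = $link . data ( 'next' ) || verifyResult . redirect ;
+var redirect = $link . data ( 'next' ) || verifyResult . redirect ;
+if ( matchesCurrentOrigin ( redirect ) ) {
+window . location = redirect ;
+}
 } ) ;
 } ) ;
 
@@ -42,7 +57,10 @@
 e . preventDefault ( ) ;
 var $link = $ ( this ) ;
 django_browserid . logout ( ) . then ( function ( logoutResult ) {
-window . location = $link . attr ( 'next' ) || logoutResult . redirect ;
+var redirect = $link . attr ( 'next' ) || logoutResult . redirect ;
+if ( matchesCurrentOrigin ( redirect ) ) {
+window . location = redirect ;
+}
 } ) ;
 } ) ;
 } ) ;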
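Review bot: When `matchesCurrentOrigin(redirect)` is false in the login handler (new lines 47–50) the page silently does nothing — because `next` is chosen with `||` before the check, an off-origin `next` also discards the server-supplied `verifyResult.redirect`, so the user is left on the page with no navigation and no message. Consider falling back to the server's redirect rather than dropping the whole navigation: `var next = $link.data('next');`, `var redirect = (next && matchesCurrentOrigin(next)) ? next : verifyResult.redirect;`, `if (matchesCurrentOrigin(redirect)) { window.location = redirect; }`; the logout handler at new lines 60–63 has the same shape and should change the same way. The `!a.host` branch in `matchesCurrentOrigin` deserves a comment stating why an empty host is accepted — relative URLs are resolved against the document when assigned to `a.href`, but a non-hierarchical scheme also yields an empty host and is only rejected by the protocol comparison, which is worth saying explicitly next to that line. Both `.then` callbacks' enclosing click/ready handlers begin outside the hunks.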