
Check origin before redirecting users with default JS.
Michael Kelly committed Apr 15, 2014
1 parent fe9cedd commit 08c88d3
Showing 1 changed file with 20 additions and 2 deletions.
22 changes: 20 additions & 2 deletions django_browserid/static/browserid/browserid.js
Expand Up @@ -21,6 +21,18 @@
}
}

/**
* Compare the given URL to the current page's URL to see if they share the
* same origin.
*/
function matchesCurrentOrigin(url) {
var a = document.createElement('a');
a.href = url;
var hostMatch = !a.host || window.location.host === a.host;
var protocolMatch = !a.protocol || window.location.protocol === a.protocol;
return hostMatch && protocolMatch;
}

$(function() {
django_browserid.registerWatchHandlers(onAutoLogin);

Expand All @@ -32,7 +44,10 @@
window.sessionStorage.browseridLoginAttempt = 'true';
django_browserid.login().then(function(verifyResult) {
window.sessionStorage.browseridLoginAttempt = 'false';
window.location = $link.data('next') || verifyResult.redirect;
var redirect = $link.data('next') || verifyResult.redirect;
if (matchesCurrentOrigin(redirect)) {
window.location = redirect;
}
});
});

Expand All @@ -42,7 +57,10 @@
e.preventDefault();
var $link = $(this);
django_browserid.logout().then(function(logoutResult) {
window.location = $link.attr('next') || logoutResult.redirect;
var redirect = $link.attr('next') || logoutResult.redirect;
if (matchesCurrentOrigin(redirect)) {
window.location = redirect;
}
});
});
});
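Review bot: When `matchesCurrentOrigin(redirect)` is false in the login handler (the `if` around `window.location = redirect`), the handler silently does nothing, so a user who just completed a login is left on the page with no navigation and no log line; the same holds for the logout handler in the third hunk. A rejected cross-origin target should degrade to a same-origin destination rather than a no-op, e.g. `window.location = matchesCurrentOrigin(redirect) ? redirect : '/';` in both handlers, or at least a `console.warn` naming the dropped target. Note also that `$link.data('next') || verifyResult.redirect` can evaluate to `undefined` when neither source is set; assigning `undefined` to `a.href` appears to resolve to a relative path named "undefined", which passes the origin check and is then navigated to — a guard such as `if (!redirect) { return; }` before the check would make that case explicit. The `matchesCurrentOrigin` helper relies on the anchor element normalising `host` (including the port), which is the right comparison, but `!a.host` / `!a.protocol` fall back to "allowed" and deserve a comment stating that this is intended for relative URLs only; that helper is fully inside the first hunk, while the two `$(function() { ... })` handlers start outside their hunks.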
