I have a JavaScript snippet which handles a "redirect after login" concern by setting
window.location = url;
where "url" is provided by a GET parameter. This sounds like bad practice because it allows redirecting outside of the current domain.
So I would like to know whether there is an easy and safe way to check that "url" is an absolute URL inside the same domain, and allow redirection only in this case. Currently I just check that url starts with "/" and doesn't contain "http", but I'm not sure it's enough to completely protect against open redirections.
if (url[0] === '/' && url.indexOf('http') === -1)
{
window.location = url;
}
As I do this on the client side I'm aware it's still not perfect, but previously there was no protection at all.
I can use good old JS or jQuery. I also have to support IE9.
Late edit: maybe I didn't mention it clearly enough, but the "url" should be an absolute URL without a domain specification. For example I have this kind of address (full address with the url parameter at the end): http://example.com/Account/Login.aspx?ReturnUrl=%2fCheckout.aspx
I need to avoid: http://example.com/Account/Login.aspx?ReturnUrl=http://otherdomain/badintention.aspx
This is why I said above that I currently check whether it starts with "/", but I'm not sure it's enough to be safe. So I can't use some of your suggestions.
Thanks
asked May 11, 2015 at 16:35 by AFract; edited May 12, 2015 at 7:26
3 Answers
Answer (score 4): You can use the (rather new) URL API:
var redirUrl = "http://www.somewebsite.com/some/path";
function isSameHost(redirUrl) {
    var currentHost = location.host;
    // Pass a base so a relative path like "/Checkout.aspx" resolves instead of
    // throwing; note that IE9 does not ship the URL constructor at all.
    if (new URL(redirUrl, location.href).host != currentHost)
        return false;
    return true;
}
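An added example, not code from the question or from either answer: it combines the URL API resolution shown above with the path-only rule the asker wants, so that the scheme-relative and backslash forms the original `url[0] === '/'` check lets through are rejected. `ORIGIN` stands in for `window.location.origin` so the code runs outside a browser; `naiveCheck` and `safeRedirectTarget` are names chosen here.

```javascript
// Added example (not code from the question or the answers above).
// ORIGIN is a constructed stand-in for window.location.origin so the function
// can run outside a browser; in page code pass location.origin instead.
var ORIGIN = 'https://example.com';

// The question's original check, kept for comparison. It accepts a
// protocol-relative reference such as "//evil.com", which the browser resolves
// to another host, so it does not close the open redirect.
function naiveCheck(url) {
  return url[0] === '/' && url.indexOf('http') === -1;
}

// Returns the normalised same-origin URL to redirect to, or null if the
// candidate is anything other than a path on our own origin.
function safeRedirectTarget(candidate, origin) {
  origin = origin || ORIGIN;
  if (typeof candidate !== 'string' || candidate === '') return null;

  // The WHATWG URL parser strips ASCII tab/newline anywhere in the input and
  // trims leading controls and spaces, so "/\t/evil.com" would parse as
  // "//evil.com". Reject any such byte outright instead of normalising.
  if (/[\x00-\x20\x7f]/.test(candidate)) return null;

  // Accept only path-absolute references: one leading "/" not followed by
  // "/" or "\". This rejects "//evil.com" (scheme-relative), "/\evil.com"
  // (backslash is treated as "/" for http(s) URLs), "javascript:..." and any
  // fully qualified "http://..." value.
  if (!/^\/(?![\/\\])/.test(candidate)) return null;

  // Resolve against our own origin and confirm the parser agrees the result
  // stays there. After the checks above this is defence in depth against
  // parser quirks rather than the primary control.
  var resolved;
  try {
    resolved = new URL(candidate, origin);
  } catch (e) {
    return null;
  }
  if (resolved.origin !== new URL(origin).origin) return null;
  return resolved.href;
}

// Browser usage on the login page:
//   var target = safeRedirectTarget(returnUrlFromQueryString, location.origin);
//   window.location = target || '/';
```

The URL constructor is not available in IE9, so for that browser the same resolution can be obtained by assigning the candidate to an anchor element's `href` and reading back its `host` and `pathname`, or, more robustly, by validating `ReturnUrl` on the server before issuing the redirect, as the last answer suggests.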
You can fetch the current domain name with window.document.domain and check whether the URL provided by the GET parameter contains it.
Sorry, this should ideally be a comment, but I do not have enough privileges.
Can you just issue an HTTP 307 temporary redirect from the server and not have to worry about client code? It seems more secure that way. http://en.wikipedia.org/wiki/URL_redirection
Otherwise, your JavaScript could also check against window.location.hostname.
EDIT: if you're only going to allow relative URLs, it seems like checking for '/' at the beginning should be fairly safe as long as you're 100% sure it's a URL, but you can probably even add the window.location.hostname to the beginning to be absolutely sure you're squashing the possibility of semantic trickery.