-
-
Notifications
You must be signed in to change notification settings - Fork 10.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix absolute redirect detection #9689
Fix absolute redirect detection #9689
Conversation
🦋 Changeset detectedLatest commit: 55776c4 The changes in this PR will be included in the next version bump. This PR includes changesets to release 5 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
// Check if this an external redirect that goes to a new origin | ||
let currentUrl = new URL(request.url); | ||
let currentOrigin = currentUrl.origin; | ||
let newOrigin = new URL(location, currentOrigin).origin; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let newOrigin = new URL(location, currentOrigin).origin; | ||
let external = newOrigin !== currentOrigin; | ||
let isAbsolute = | ||
/^[a-z+]+:\/\//i.test(location) || location.startsWith("//"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead we'll just look for the presence of a leading protocol or a protocol-less URL to determine if we can skip relative routing logic
if ( | ||
redirect.external && | ||
typeof window !== "undefined" && | ||
typeof window.location !== "undefined" | ||
) { | ||
if (replace) { | ||
window.location.replace(redirect.location); | ||
} else { | ||
window.location.assign(redirect.location); | ||
// Check if this an external redirect that goes to a new origin | ||
if (typeof window?.location !== "undefined") { | ||
let newOrigin = createClientSideURL(redirect.location).origin; | ||
if (window.location.origin !== newOrigin) { | ||
if (replace) { | ||
window.location.replace(redirect.location); | ||
} else { | ||
window.location.assign(redirect.location); | ||
} | ||
return; | ||
} | ||
return; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got rid of the redirect.external
flag in favor of just doing the external detection here in client-side only code.
This is a follow up to the initial fix for remix-run/remix#4740 |
Ran into issues with our
URL
creation fix with Remix integration tests using atest://test.com
base, so re-thought the approach a bit. We were sort of conflating 2 things - whether a redirect was external and whether it was absolute. In both cases we want to skip the relative redirect logic, but we do not need to check for external on the server since the browser will handle redirecting to the external domain. Instead, we can do a simplerisAbsolute
check in shared code (noURL
creation required) and limit ourisExternal
check to client side code where we can more reliably create URLs withwindow.location.origin
Follow up to #9682
Closes remix-run/remix#4740