You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If the expectation is that the developer should return an already properly encoded URI string, then the server path results in double encoding.
If the expectation is that the developer should be returning an unencoded string, the client path is relying on the URL constructor to tolerate unencoded URI strings. For the most part this works because the javascript engine bends over backwards, but can result in unintended results.
Example:
Say I have a /login page that accepts a previous query parameter[1] that should contain the path of where to send the user after login.
Pages behind a login wall that need to redirect unauthenticated users to the /login page with an appropriate previous query parameter.
A user visits /app?foo=bar&fizz=buzz while unauthenticated, and the login wall wants to send them to the login page
If the login-wall treats the redirect string as pre-encoded:
Describe the problem
The current documentation for the
redirect
output property of the loading function just says it should be:From what I can tell, this string is being treated with different expectations around encoding status depending on the current runtime location:
redirect
string intoencodeURI(redirect)
redirect
string intonew URL(redirect, current_url)
If the expectation is that the developer should return an already properly encoded URI string, then the server path results in double encoding.
If the expectation is that the developer should be returning an unencoded string, the client path is relying on the URL constructor to tolerate unencoded URI strings. For the most part this works because the javascript engine bends over backwards, but can result in unintended results.
Example:
/login
page that accepts aprevious
query parameter[1] that should contain the path of where to send the user after login./login
page with an appropriateprevious
query parameter./app?foo=bar&fizz=buzz
while unauthenticated, and the login wall wants to send them to the login pageIf the login-wall treats the
redirect
string as pre-encoded:Server side rendering will use a Location header of
And the client will use
If the login-wall treats the
redirect
string as unencoded:Server side rendering will use a Location header of
And the client will use
[1] Yes, I'm familiar with the problems of open redirects. This is a simplified example.
Describe the proposed solution
The
redirect
property should be treated as already encoded, and the documentation should reflect that.Alternatives considered
No response
Importance
would make my life easier
Additional Information
No response
The text was updated successfully, but these errors were encountered: