jquery - javascript allow redirection only for urls inside same domain - Stack Overflow

admin管理员组

文章数量:1415673

I have a javascript which handles a "redirect after login" concern by setting

window.location = url;

where "url" is provided by a GET parameter. This sounds a bad practice because it allows to redirect outside of current domain.

So I would like to know how if there is an easy and safe way to check if "url" is an absolute url inside same domain and allow redirection only in this case. Currently I just check if url starts with "/" and doesn't contain "http" but I'm not sure it's enough to pletely protect against open redirections.

if (url[0] === '/' && url.indexOf('http') === -1)
{
    window.location = url;
} 

As I do this on client side I'm aware it's still not perfect but previously there were no protection at all.

I can use good old JS or jquery. I also have to support IE9.

late edit : maybe I didn't mentioned it clearly enough but the "url" should be an absolute url, without domain specification. For example I have this kind of address (full address with url parameter at end) : .aspx?ReturnUrl=%2fCheckout.aspx

I need to avoid : .aspx?ReturnUrl=http://otherdomain/badintention.aspx

This is why I told above I currently check if it starts by "/" but I'm not sure it's enough to get safe. So I can't use some of your suggestions.

Thanks

I have a javascript which handles a "redirect after login" concern by setting

window.location = url;

where "url" is provided by a GET parameter. This sounds a bad practice because it allows to redirect outside of current domain.

So I would like to know how if there is an easy and safe way to check if "url" is an absolute url inside same domain and allow redirection only in this case. Currently I just check if url starts with "/" and doesn't contain "http" but I'm not sure it's enough to pletely protect against open redirections.

if (url[0] === '/' && url.indexOf('http') === -1)
{
    window.location = url;
} 

As I do this on client side I'm aware it's still not perfect but previously there were no protection at all.

I can use good old JS or jquery. I also have to support IE9.

late edit : maybe I didn't mentioned it clearly enough but the "url" should be an absolute url, without domain specification. For example I have this kind of address (full address with url parameter at end) : http://example./Account/Login.aspx?ReturnUrl=%2fCheckout.aspx

I need to avoid : http://example./Account/Login.aspx?ReturnUrl=http://otherdomain/badintention.aspx

This is why I told above I currently check if it starts by "/" but I'm not sure it's enough to get safe. So I can't use some of your suggestions.

Thanks

• javascript
• jquery
• url
• http-redirect

Share Improve this question Follow edited May 12, 2015 at 7:26 AFract asked May 11, 2015 at 16:35 AFractAFract 9,73077 gold badges5555 silver badges8080 bronze badges

Add a ment  | 

3 Answers 3

Sorted by: Reset to default 4

You can use the (rather new) URL Api:

var redirUrl = "http://www.somewebsite./some/path";
var currentHost = location.host;

if (new URL(redirUrl).host != currentHost)
    return false;

you can fetch the current domain name with window.document.domain and check if the url provided by GET operation has this?

Sorry it should ideally be a ment but do not have enough privileges.

Can you just issue an HTTP 307 temporary redirect from the server and not have to worry about client code? It seems more secure that way. http://en.wikipedia/wiki/URL_redirection

Otherwise, your javascript could also check against window.location.hostname.

EDIT: if you're only going to allow relative URLs, it seems like checking for '/' at the beginning should be fairly safe as long as you're 100% sure it's a URL, but you can probably even add the window.location.hostname to the beginning to be absolutely sure you're squashing the possibility of semantic trickery.

本文标签： jqueryjavascript allow redirection only for urls inside same domainStack Overflow