@@ -26,11 +26,40 @@ def redirect_script() -> str:
2626const thisUrl = new URL(window.location.href);
2727const params = new URLSearchParams(thisUrl.search)
2828
29+ function sameHostnameDifferentPort(one, two) {{
30+ const hostnameOne = one.hostname;
31+ const hostnameTwo = two.hostname;
32+ const partsOne = hostnameOne.split(".");
33+ const partsTwo = hostnameTwo.split(".");
34+ if (partsOne.length !== partsTwo.length) {{ return false; }}
35+ for (let i = 1; i < partsOne.length; i++) {{
36+ if (partsOne[i] !== partsTwo[i]) {{ return false; }}
37+ }}
38+ const uniqueNameOne = partsOne[0];
39+ const uniqueNameTwo = partsTwo[0];
40+ const uniqueNamePartsOne = uniqueNameOne.split("-");
41+ const uniqueNamePartsTwo = uniqueNameTwo.split("-");
42+ if (uniqueNamePartsOne.length !== uniqueNamePartsTwo.length) {{ return false; }}
43+ for (let i = 0; i < uniqueNamePartsOne.length - 1; i++) {{
44+ if (uniqueNamePartsOne[i] !== uniqueNamePartsTwo[i]) {{ return false; }}
45+ }}
46+ return true;
47+ }}
48+
2949function doRedirect(url) {{
3050 if (!window.sessionStorage.getItem("authenticated_github_codespaces")) {{
3151 const a = document.createElement("a");
3252 if (params.has("redirect_to")) {{
33- a.href = params.get("redirect_to")
53+ const redirect_to = new URL(params.get("redirect_to"));
54+ if (!sameHostnameDifferentPort(thisUrl, redirect_to)) {{
55+ console.warn("Reflex: Not redirecting to different hostname");
56+ return;
57+ }}
58+ if (!redirect_to.hostname.endsWith(".app.github.dev")) {{
59+ console.warn("Reflex: Not redirecting to non .app.github.dev hostname");
60+ return;
61+ }}
62+ a.href = redirect_to.href;
3463 }} else if (!window.location.href.startsWith(url)) {{
3564 a.href = url + `?redirect_to=${{window.location.href}}`
3665 }} else {{
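Review bot: `new URL(params.get("redirect_to"))` at new line 53 throws a TypeError for any value that is not an absolute URL (a relative path such as `/dashboard`, which the removed `a.href = params.get("redirect_to")` assignment accepted), and that exception escapes doRedirect uncaught. Resolving against the current page and catching parse failures keeps the guard while failing closed instead of crashing: `let redirect_to; try {{ redirect_to = new URL(params.get("redirect_to"), window.location.href); }} catch (e) {{ console.warn("Reflex: Ignoring malformed redirect_to"); return; }}` (braces doubled because the script is a Python f-string). The hostname checks at lines 54–61 never look at the scheme, so an `http://` target on a matching hostname still passes; `if (redirect_to.protocol !== thisUrl.protocol) {{ console.warn("Reflex: Not redirecting across schemes"); return; }}` would close that. sameHostnameDifferentPort also leaves the last `-` segment of the first label unconstrained; if that segment is meant to be the forwarded port number, `if (!/^\d+$/.test(uniqueNamePartsTwo.at(-1))) {{ return false; }}` would tighten it, but the hostname layout cannot be confirmed from this hunk. doRedirect's body continues past the end of the hunk.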