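// This script is loaded after a successful token-based login.
// It replaces the browser's current history entry (stripping the token from the
// URL) before navigating to the main AIO page, so the token is never left in
// the browser history and cannot be accidentally exposed via the back-button.
//
// The target URL is passed via the script tag's data-target attribute.
// document.currentScript is only available during synchronous script execution
// (not with defer/async), so this script is loaded without those attributes.
//
// We replace with location.pathname only (no query string, no hash), which
// intentionally strips the ?token=… parameter and any hash fragment from the
// recorded history entry.
//
// The history entry is rewritten on every code path, including the fallback
// taken when document.currentScript is null, so no branch navigates away while
// the token is still part of the current entry.

'use strict';

// The only navigation target we accept. It is set server-side; anything else
// (including a missing or tampered data-target) falls back to '/' so a
// manipulated attribute cannot turn this script into an open redirect.
const ALLOWED_TARGET = '../../';
const FALLBACK_TARGET = '/';

// Read the requested target. Guard against environments where
// document.currentScript may be null (e.g. the script ended up being loaded
// with defer/async after all); in that case no attribute can be read and we
// simply go to the fallback.
const scriptElement = document.currentScript;
const rawTarget = scriptElement ? scriptElement.dataset.target : undefined;

// Strict allow-list: exact string comparison, no prefix matching or
// normalisation, so there is nothing for a crafted value to exploit.
const target = rawTarget === ALLOWED_TARGET ? ALLOWED_TARGET : FALLBACK_TARGET;

// Strip the token from the current history entry *before* navigating, on
// every path. location.replace() below also replaces this entry, but doing it
// here first means the token is already gone from the address bar and history
// even if the following navigation is slow, cancelled, or fails.
history.replaceState(null, '', location.pathname);

window.location.replace(target);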