mirror of
https://github.com/nextcloud/all-in-one.git
synced 2026-05-30 23:40:08 +00:00
79e05f33cd
Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/f1016d36-0771-46e0-992c-95ce22594414 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
21 lines
1.0 KiB
JavaScript
21 lines
1.0 KiB
JavaScript
// This script is loaded after a successful token-based login.
|
|
// It replaces the browser's current history entry (stripping the token from the
|
|
// URL) before navigating to the main AIO page, so the token is never left in
|
|
// the browser history and cannot be accidentally exposed via the back-button.
|
|
//
|
|
// The target URL is passed via the script tag's data-target attribute.
|
|
// document.currentScript is only available during synchronous script execution
|
|
// (not with defer/async), so this script is loaded without those attributes.
|
|
//
|
|
// We replace with location.pathname only (no query string, no hash), which
|
|
// intentionally strips the ?token=… parameter and any hash fragment from the
|
|
// recorded history entry.
|
|
const rawTarget = document.currentScript.dataset.target;
|
|
|
|
// Only accept the exact relative path we set server-side to prevent any
|
|
// potential open-redirect via a manipulated data-target value.
|
|
const target = rawTarget === '../../' ? rawTarget : '/';
|
|
|
|
history.replaceState(null, '', location.pathname);
|
|
window.location.replace(target);
|