volatiletech / authboss

The boss of http auth.
MIT License

Default Redirector allows external domains (potential security issue) #286

Closed rbren closed 3 years ago

rbren commented 4 years ago

Authboss supports redirection using the ?redir= query parameter (which is great!). But it allows arbitrary URLs to be passed in, which can introduce security issues - see CWE-601

I'm happy to submit a PR to fix this issue (by stripping the domain in URLs here), but wanted to check in here first.

aarondl commented 4 years ago

This was left this way because it is not necessary that a backend and frontend reside on the same domain (though woe is the person who attempts this given how tight CORS is getting). If an Authboss server hosted on backend.company.com needed to redirect to some specific URL such as: www.company.com/authentication/confirm it wouldn't be possible without arbitrary URLs.

We could consider a domain whitelist (if empty it would strip domain from redirections as you suggest) perhaps. This would solve the issue but in a bit more flexible a manner.

It is a breaking change, but we may exercise our license to break when security issues crop up.
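A defensive redirect validator along the lines discussed in this thread, written as an added example and not taken from Authboss's own Redirector: with an empty host allowlist it strips scheme and host from the target (rbren's suggestion), and with a non-empty allowlist it passes through only absolute URLs whose host exactly matches an entry (aarondl's whitelist idea). The function names `SafeRedirect` and `relativeOnly`, the `allowedHosts`/`fallback` parameters and the sample hosts are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SafeRedirect decides where a user-supplied redirect target (for example the
// value of a ?redir= query parameter) may send the browser.
//
// Assumed policy for this example (not Authboss's own behaviour):
//   - allowedHosts empty: scheme and host are stripped, keeping only path,
//     query and fragment, so the redirect stays on the current origin.
//   - allowedHosts non-empty: an absolute URL survives only if its host
//     (including any explicit port) exactly matches an entry; anything else
//     returns fallback. No suffix matching, so
//     "www.company.com.evil.example" does not match "www.company.com".
//   - Non-http(s) schemes (javascript:, data:) and opaque URLs are rejected.
func SafeRedirect(raw string, allowedHosts []string, fallback string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Opaque != "" {
		return fallback
	}
	if u.Scheme != "" && u.Scheme != "http" && u.Scheme != "https" {
		return fallback
	}
	// Relative target with no authority. Note that "//host/x" parses with
	// Host set, so it does not land here; it is handled below.
	if u.Host == "" {
		return relativeOnly(u)
	}
	if len(allowedHosts) == 0 {
		return relativeOnly(u)
	}
	// Compare the parsed Host, not the raw string: a target such as
	// "https://www.company.com@evil.example/" parses with Host "evil.example",
	// so userinfo tricks are caught here.
	for _, h := range allowedHosts {
		if strings.EqualFold(u.Host, h) {
			return u.String()
		}
	}
	return fallback
}

// relativeOnly rebuilds u as a same-origin, absolute-path reference.
// Backslashes are treated as slashes (some browsers do the same), and runs of
// leading slashes are collapsed so the result can never be read as "//host".
func relativeOnly(u *url.URL) string {
	path := strings.ReplaceAll(u.Path, `\`, "/")
	if !strings.HasPrefix(path, "/") {
		path = "/" + path
	}
	for strings.HasPrefix(path, "//") {
		path = path[1:]
	}
	rel := url.URL{Path: path, RawQuery: u.RawQuery, Fragment: u.Fragment}
	return rel.String()
}

func main() {
	allow := []string{"www.company.com"} // constructed sample allowlist
	for _, in := range []string{
		"/account",
		"//evil.example/login",
		"https://evil.example/x?y=1",
		"https://www.company.com/authentication/confirm",
		"https://www.company.com@evil.example/",
		"javascript:alert(1)",
	} {
		fmt.Printf("%-50q no allowlist: %-26q allowlist: %q\n",
			in, SafeRedirect(in, nil, "/"), SafeRedirect(in, allow, "/"))
	}
}
```

The design choice worth noting is that every decision is made on fields of the parsed `net/url` value rather than on string prefixes: protocol-relative (`//host`), userinfo (`user@host`), backslash and non-http scheme variants all end up either stripped to a same-origin path or replaced by the fallback.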

aarondl commented 4 years ago

@rbren Did you decide not to do anything about this?

rbren commented 4 years ago

Whoops, lost track of it. Just opened the PR above. Thanks for the reminder!