Merge pull request #389 from Shopify/support-absolute-urls

Allow absolute URLs in ShopifyApp::LoginProtection.redirection_javascript
Shopify · Feb 27, 2017 · e435d9e · e435d9e
2 parents e38a0e2 + 1d050c0
commit e435d9e
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/lib/shopify_app/login_protection.rb b/lib/shopify_app/login_protection.rb
@@ -79,9 +79,12 @@ def redirection_javascript(url)
 
               // If the current window is the 'child', change the parent's URL with postMessage
               } else {
+                normalizedLink = document.createElement('a');
+                normalizedLink.href = #{url.to_json};
+
                 data = JSON.stringify({
                   message: 'Shopify.API.remoteRedirect',
-                  data: { location: window.location.origin + #{url.to_json} }
+                  data: { location: normalizedLink.href }
                 });
                 window.parent.postMessage(data, "https://#{sanitized_shop_name}");
               }

diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
@@ -172,10 +172,12 @@ def assert_redirected_to_authentication(shop_domain, response)
       target_origin = "https://#{shop_domain}".to_json
 
       post_message_handle = "message: 'Shopify.API.remoteRedirect'"
-      post_message_data = "data: { location: window.location.origin + #{auth_url} }"
+      post_message_link = "normalizedLink.href = #{auth_url}"
+      post_message_data = "data: { location: normalizedLink.href }"
       post_message_call = "window.parent.postMessage(data, #{target_origin});"
 
       assert_includes response.body, post_message_handle
+      assert_includes response.body, post_message_link
       assert_includes response.body, post_message_data
       assert_includes response.body, post_message_call
     end