fix(clerk-js): Validate protocol on window navigation

.changeset/unlucky-pumpkins-learn.md

@@ -0,0 +1,5 @@
+---
+'@clerk/clerk-js': patch
+---
+
+Validate protocol on window navigation

packages/clerk-js/src/core/clerk.ts

@@ -780,7 +780,13 @@ export class Clerk implements ClerkInterface {
       return;
     }
 
-    const toURL = new URL(to, window.location.href);
+    let toURL = new URL(to, window.location.href);
+
+    if (toURL.protocol !== 'http:' && toURL.protocol !== 'https:') {
+      console.warn('Clerk: Not a valid protocol. Redirecting to /');
+      toURL = new URL('/', window.location.href);
+    }
+
     const customNavigate =
       options?.replace && this.#options.routerReplace ? this.#options.routerReplace : this.#options.routerPush;
 

packages/clerk-js/src/utils/windowNavigate.ts

@@ -1,6 +1,13 @@
 export const CLERK_BEFORE_UNLOAD_EVENT = 'clerk:beforeunload';
 
 export function windowNavigate(to: URL | string): void {
+  let toURL = new URL(to, window.location.href);
+
+  if (toURL.protocol !== 'http:' && toURL.protocol !== 'https:') {
+    console.warn('Clerk: Not a valid protocol. Redirecting to /');
+    toURL = new URL('/', window.location.href);
+  }
+
   window.dispatchEvent(new CustomEvent(CLERK_BEFORE_UNLOAD_EVENT));
-  window.location.href = typeof to === 'string' ? to : to.href;
+  window.location.href = toURL.href;
 }