Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detect cross-origin visit request attempts #325

Merged
merged 2 commits into from
Mar 28, 2024
Merged

Detect cross-origin visit request attempts #325

merged 2 commits into from
Mar 28, 2024

Conversation

jayohms
Copy link
Collaborator

@jayohms jayohms commented Mar 28, 2024
edited
Loading

The core turbo.js library does not permit cross-origin visit requests (i.e. a link that redirects to an external domain). These requests call the adapter method visitRequestFailedWithStatusCode(visit, statusCode) for all platforms.

To handle this in the browser adapter, non-HTTP status code failures update the window.location so the browser can handle the top-level redirect. The browser adapter does not actually know whether a cross-origin redirect was attempted, since the CORS policy restricts requests to the same-origin, but updating the window.location directly bypasses needing this knowledge.

The mobile adapters, however, can't just update the window.location — a new visit needs to be proposed so the native app can decide how to handle the external url request. This PR finds any potential cross-origin redirect locations when a visit request fails with a non-HTTP status code and proposes the external redirect location as a new visit.

Fixes #320

This was referenced Mar 28, 2024
Closed
Open
@hjhart
Copy link

hjhart commented Mar 28, 2024

I made a note in the corresponding issue here, but I've tested this locally and it works great. Thanks @jayohms!

@jayohms
Copy link
Collaborator Author

jayohms commented Mar 28, 2024

Perfect, I'll work on the corresponding turbo-ios version and can ship new releases soon.

jorgemanrubia
jorgemanrubia approved these changes Mar 28, 2024
View reviewed changes
Copy link
Member

@jorgemanrubia jorgemanrubia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great fix @jayohms!

This was referenced Mar 28, 2024
Closed
Open
@jayohms jayohms merged commit f63e94f into main Mar 28, 2024
1 check passed
@jayohms jayohms deleted the cross-origin-redirect-2 branch March 28, 2024 18:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jorgemanrubia jorgemanrubia jorgemanrubia approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Access to fetch at external_redirect_url from origin our_url has been blocked due to CORS policy
3 participants
@jayohms @hjhart @jorgemanrubia