This repository has been archived by the owner on May 10, 2019. It is now read-only.
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fixupAbsolutePath: filter out scheme-relative URLs
The current check to ensure that only absolute paths are accepted fails to take into account scheme-relative URLs like "//foo.com". These URLs end up in fixupURL and get the origin prepended to them to something like "https://origin.example.com//foo.com", which is invalid but still follows our same-origin restrictions. So the solution is to require that the character after the leading slash be anything but a slash.
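An added example, not the project's code, of the check the commit message describes: a leading-slash test beside one that also rejects a second slash. The function names and sample inputs are hypothetical, and the `new URL` step goes beyond the message to show how a URL parser reads the same input when it is treated as a reference rather than concatenated.

```javascript
// Added example: all names below are hypothetical, not the project's code.
const ORIGIN = 'https://origin.example.com'; // constructed sample origin

// Check as described before the fix: any leading slash is accepted.
function looseIsAbsolutePath(p) {
  return typeof p === 'string' && p.charAt(0) === '/';
}

// Check as described after the fix: the character after the leading slash
// must not be a slash. Accepting a bare "/" is an assumption of this example.
function strictIsAbsolutePath(p) {
  return looseIsAbsolutePath(p) && p.charAt(1) !== '/';
}

// Plain string concatenation, the behaviour the commit message describes.
function prependOrigin(origin, p) {
  return origin + p;
}

// Host a URL parser arrives at when the input is resolved as a reference.
function resolvedHost(origin, p) {
  return new URL(p, origin).host;
}

// Summarise what each check and each interpretation does with one input.
function audit(p, origin = ORIGIN) {
  return {
    input: p,
    loose: looseIsAbsolutePath(p),
    strict: strictIsAbsolutePath(p),
    concatenated: prependOrigin(origin, p),
    staysOnOrigin: resolvedHost(origin, p) === new URL(origin).host,
  };
}

// Constructed sample inputs.
const samples = ['/', '/sign_in', '/a//b', '//foo.com', '//foo.com/path'];
for (const s of samples) console.log(audit(s));
```

Only the two scheme-relative samples differ between the checks; `/a//b` passes both because the doubled slash is not at the start.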