Skip to content

fix: set document.title during authentication redirects#8624

Open
sameerag wants to merge 13 commits into
devfrom
fix/set-document-title-on-redirect
Open

fix: set document.title during authentication redirects#8624
sameerag wants to merge 13 commits into
devfrom
fix/set-document-title-on-redirect

Conversation

@sameerag
Copy link
Copy Markdown
Member

@sameerag sameerag commented Jun 2, 2026

Description

Sets document.title to "Microsoft Authentication" across all redirect scenarios to prevent the browser from displaying raw URLs as the page title during authentication flows.

Changes

Scenario File Change
Hidden iframe SilentHandler.ts Added title attribute for accessibility (WCAG H64)
Popup PopupClient.ts Set document.title after window.open (with cross-origin try/catch)
Redirect bridge redirect_bridge/index.ts Set document.title at start of broadcastResponseToMainFrame
Redirect RedirectClient.ts Set title during handleRedirectPromise, restore original in finally

Motivation

When a user is redirected back to the application after authentication, the browser displays the raw URL (containing auth response parameters) as the document title. This is:

  • A poor user experience (confusing title in browser tab/history)
  • An accessibility concern for iframes (WCAG H64 requires iframe elements to have a title attribute)

sameerag and others added 5 commits June 2, 2026 13:17
@sameerag
fix: set document.title during authentication redirects
ff33eee 
Set document.title to 'Microsoft Authentication' across all redirect
scenarios (popup, iframe, redirect, and redirect bridge) to prevent
the browser from displaying raw URLs as the page title.

- Popup: set document.title after window.open (with cross-origin guard)
- Hidden iframe: add title attribute for accessibility (WCAG H64)
- Redirect bridge: set document.title at start of broadcastResponseToMainFrame
- RedirectClient: set title during handleRedirectPromise, restore in finally

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@sameerag
docs: add guidance for setting page title on redirect URI
c415a11 
Add documentation advising app developers to set a meaningful <title>
on their redirect bridge pages. Without an explicit title, browsers
display the raw redirect URL (containing auth codes/tokens) as the
tab title and history entry.

- Added 'Page Title' section to redirect-bridge.md
- Updated example HTML titles from 'Redirect' to 'Signing in'
- Added title as item #5 in login-user.md redirect page requirements

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@sameerag
test: add unit tests for document.title behavior
0b7a984 
- SilentHandler: verify iframe has title attribute set
- PopupClient: verify popup document.title is set; verify cross-origin
  access failure does not throw
- RedirectClient: verify title is restored after handleRedirectPromise
  completes (both with and without user-set title)
- Redirect bridge: verify document.title is set during processing

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@sameerag
chore: add beachball changefile for msal-browser patch
5ae5d65 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@sameerag
test: add URL-as-title test cases for redirect URI without title element
801a233 
Cover the scenario where document.title defaults to the raw redirect URL
(browser behavior when no <title> element is set on the page).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@sameerag sameerag marked this pull request as ready for review June 2, 2026 20:34
@sameerag sameerag requested a review from a team as a code owner June 2, 2026 20:34
Copilot AI review requested due to automatic review settings June 2, 2026 20:34
tnorling
tnorling previously approved these changes Jun 2, 2026
View reviewed changes
Copilot AI reviewed Jun 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates msal-browser redirect-related flows (redirect bridge, popup, redirect handling, and silent iframe) to set a consistent document.title/iframe title (“Microsoft Authentication”) to avoid browser tabs/history showing raw auth URLs during processing, and adds unit tests + docs to explain recommended redirect-page titles.

Changes:

  • Set document.title during redirect-bridge processing and RedirectClient.handleRedirectPromise (with restore in finally).
  • Set popup window document.title after window.open (guarded with try/catch) and set hidden iframe title attribute for accessibility.
  • Add/extend unit tests and documentation covering page title behavior and best practices.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
lib/msal-browser/src/redirect_bridge/index.ts Sets document.title at the start of broadcastResponseToMainFrame.
lib/msal-browser/src/interaction_handler/SilentHandler.ts Adds iframe title attribute for the hidden silent iframe.
lib/msal-browser/src/interaction_client/PopupClient.ts Attempts to set popup window document.title after opening/focusing.
lib/msal-browser/src/interaction_client/RedirectClient.ts Sets document.title during redirect handling and restores original in finally.
lib/msal-browser/test/redirect_bridge/broadcastResponseToMainFrame.spec.ts Adds tests asserting document.title is set during redirect-bridge success paths.
lib/msal-browser/test/interaction_handler/SilentHandler.spec.ts Adds test asserting hidden iframe has the expected title.
lib/msal-browser/test/interaction_client/PopupClient.spec.ts Adds tests for popup title behavior and cross-origin safety.
lib/msal-browser/test/interaction_client/RedirectClient.spec.ts Adds tests asserting document.title is restored after handleRedirectPromise.
lib/msal-browser/docs/redirect-bridge.md Documents redirect-bridge page title recommendations and provides examples.
lib/msal-browser/docs/login-user.md Adds redirect page <title> guidance to redirectUri considerations.
change/@azure-msal-browser-03263af0-8b31-4553-a492-03ffe5f4f204.json Adds a patch changefile for the behavior change.

Comment thread lib/msal-browser/src/interaction_client/PopupClient.ts
Comment thread change/@azure-msal-browser-03263af0-8b31-4553-a492-03ffe5f4f204.json
Comment thread lib/msal-browser/docs/redirect-bridge.md Outdated
Comment thread lib/msal-browser/docs/login-user.md Outdated
@sameerag
Potential fix for pull request finding
aa7ecae 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
sameerag and others added 2 commits June 2, 2026 13:42
@sameerag
Potential fix for pull request finding
9cdfcba 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
chore: update changefile comment with PR number link
3b53059
@sameerag
Potential fix for pull request finding
5b6ac6e 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
peterzenz
peterzenz previously approved these changes Jun 2, 2026
View reviewed changes
Comment thread lib/msal-browser/docs/login-user.md Outdated
Comment thread lib/msal-browser/docs/redirect-bridge.md Outdated
@sameerag
docs: remove Contoso references from examples
c210cc7 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
peterzenz
peterzenz previously approved these changes Jun 2, 2026
View reviewed changes
tnorling
tnorling previously approved these changes Jun 2, 2026
View reviewed changes
@sameerag
style: fix formatting in RedirectClient
29de71a 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@sameerag sameerag dismissed stale reviews from tnorling and peterzenz via 29de71a June 2, 2026 21:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@tnorling tnorling tnorling left review comments

@peterzenz peterzenz peterzenz left review comments

+1 more reviewer

Copilot code review Copilot Copilot left review comments

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@sameerag @tnorling @peterzenz