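--- a/app/src/lib/policies/github
+++ b/app/src/lib/policies/github
@@ -159,12 +159,21 @@ export async function completeGithubPkceCallback(url: URL): Promise<GithubPkceCa
 safeRemoveLocalStorage ( sessionKey ) ;
 }
 
-const availability = getGithubPkceAvailability ( ) ;
-if ( ! availability . supported ) return { ok : false , errorKey : 'errors.githubPkceUnsupported' } ;
-if ( normalizeRedirectUri ( availability . redirectUri ) !== normalizeRedirectUri ( session . redirectUri ) ) {
+// State-keyed session storage already provides CSRF protection.
+// Additional redirect_uri equality checks are brittle on GitHub Pages (base path + caching + 404 fallback).
+// We only require same-origin to avoid mixing sessions across sites.
+try {
+const expectedOrigin = window . location . origin ;
+if ( new URL ( session . redirectUri ) . origin !== expectedOrigin ) {
+return { ok : false , errorKey : 'errors.githubStateValidation' } ;
+}
+} catch {
 return { ok : false , errorKey : 'errors.githubStateValidation' } ;
 }
 
+const availability = getGithubPkceAvailability ( ) ;
+if ( ! availability . supported ) return { ok : false , errorKey : 'errors.githubPkceUnsupported' } ;
+
 try {
 const proxyUrl = getOauthProxyUrl ( ) ;
 if ( ! proxyUrl ) {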