Add a URL validation for the confirmation page

bakulf · bakulf · commit ea828d64b656 · 2026-04-07T13:19:54.000+02:00
diff --git a/src/_locales b/src/_locales
@@ -1 +1 @@
-Subproject commit 2d46101815d7a7f6d3b2f231b154dca1d37d5ac5
+Subproject commit 6ebfac702daeb8b3a43955902c43aeb10159f61c
diff --git a/src/js/confirm-page.js b/src/js/confirm-page.js
@@ -1,7 +1,22 @@
+function isSafeUrl(url) {
+  try {
+    const { protocol } = new URL(url);
+    return protocol === "http:" || protocol === "https:";
+  } catch (e) {
+    return false;
+  }
+}
+
 async function load() {
   const searchParams = new URL(window.location).searchParams;
   const redirectUrl = searchParams.get("url");
   const cookieStoreId = searchParams.get("cookieStoreId");
+
+  if (!isSafeUrl(redirectUrl)) {
+    window.close();
+    return;
+  }
+
   const currentCookieStoreId = searchParams.get("currentCookieStoreId");
   const redirectUrlElement = document.getElementById("redirect-url");
   redirectUrlElement.textContent = redirectUrl;
