Is using `window.location.origin` as a `redirect_uri` a security concern?

In the documentation for the Auth0Provider in auth0-react, examples show using window.location.origin as a value of the redirect_uri parameter:

  <MyApp />

I’m on a project that uses what is essentially that snippet and also runs runs Checkmarx security scanning, and it dinged this:

Use of window.location.origin in App.tsx on line 10
The application’s ReactDOM.render embeds untrusted data in the generated output with render, at line 10 of src\index.tsx. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

However, the value of that redirect_uri is validated against the whitelisted callback urls that are registered with the auth0 application, so I think this is a false positive. I was hoping to either get reassurance or examples of how this is actually a potential vuln.

1 Like

I’m also interested in the answer to this question.
Is it a bad practice to rely on the contents of window.location.origin?