Is using `window.location.origin` as a `redirect_uri` a security concern?

grahamalama · August 13, 2021, 3:31pm

In the documentation for the Auth0Provider in auth0-react, examples show using window.location.origin as a value of the redirect_uri parameter:

<Auth0Provider
  domain={domain}
  clientId={clientId}
  redirectUri={window.location.origin}>
  <MyApp />
</Auth0Provider>

I’m on a project that uses what is essentially that snippet and also runs runs Checkmarx security scanning, and it dinged this:

Use of window.location.origin in App.tsx on line 10
The application’s ReactDOM.render embeds untrusted data in the generated output with render, at line 10 of src\index.tsx. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

However, the value of that redirect_uri is validated against the whitelisted callback urls that are registered with the auth0 application, so I think this is a false positive. I was hoping to either get reassurance or examples of how this is actually a potential vuln.

paolo.dipasquale · November 11, 2022, 12:20pm

I’m also interested in the answer to this question.
Is it a bad practice to rely on the contents of window.location.origin?

Topic		Replies	Views
How to maintain app page/location on browser refresh? Help auth0-react	6	7087	August 31, 2022
Auth0 ignores redirect_uri param when used as SAML SP Help sso , application	1	912	December 7, 2024
Can I use wildcards in redirect_uri after login? Help login-experience , new-universal-login-experience	3	651	February 20, 2024
Origin_mismatch, "the redirect The redirectUri's origin Help jwt , auth0	4	4642	August 9, 2019
Creating a redirect for new users Help	9	6935	July 8, 2019

Is using `window.location.origin` as a `redirect_uri` a security concern?

Related topics