Drupal.urlIsLocal returns incorrect result if site URL contains authentication part

Created on 11 April 2017, about 7 years ago
Updated 20 October 2023, 7 months ago

Problem/Motivation

Open https://www.drupal.org/ in browser.
In the browser console, see the result of Drupal.urlIsLocal('/views/ajax');

Open https://1:1@www.drupal.org/ in browser.
In the browser console, see the result of Drupal.urlIsLocal('/views/ajax');

The first result is true.
The second result is false.

So such URLs are rejected by the AJAX system, and the error is shown:
The callback URL is not local and not trusted: /views/ajax

Drupal.urlIsLocal() must support the case when Drupal.absoluteUrl() returns URLs with authentication parts (user:password@).

Steps to reproduce

Proposed resolution

Filter the absolute URL in drupal.js with a regular expression to remove the authentication details.

Remaining tasks

User interface changes

NA

API changes

NA

Data model changes

NA

Release notes snippet

NA

Bug report
Status

Needs work

Version

11.0

Component
Ajax

Last updated about 19 hours ago

Created by

Russia maximpodorov

  • Novice

    It would make a good project for someone who is new to the Drupal contribution process. It's preferred over Newbie.
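
As an added illustration (not code from this issue or from Drupal core), the following JavaScript reproduces the mismatch described under "Problem/Motivation" and the regular-expression filtering named under "Proposed resolution". The function names and the assumption that the local base is built from protocol and host are hypothetical; the page URLs are constructed samples.

```javascript
// Added illustration, not Drupal's drupal.js. All function names are hypothetical.
// Assumption: the "local" base is built from protocol + host, which never
// contains credentials, while the resolved URL inherits them from the page.

// Constructed sample page URLs, matching the two cases in the report.
const PAGE_PLAIN = 'https://www.drupal.org/node/1';
const PAGE_WITH_AUTH = 'https://1:1@www.drupal.org/node/1';

// Resolve a possibly relative URL against the page URL.
function toAbsolute(url, pageUrl) {
  return new URL(url, pageUrl).href;
}

// Drop "user:password@" from the authority only. The character class stops at
// the first "/", "?" or "#", so an "@" in the path or query is never treated
// as the end of the credentials.
function stripUserInfo(absoluteUrl) {
  return absoluteUrl.replace(/^([a-z][a-z0-9+.-]*:\/\/)[^\/?#@]*@/i, '$1');
}

// Base used for the prefix comparison (protocol + host, no credentials).
function baseOf(pageUrl) {
  const { protocol, host } = new URL(pageUrl);
  return `${protocol}//${host}`;
}

function hasBasePrefix(absoluteUrl, base) {
  return absoluteUrl === base || absoluteUrl.startsWith(`${base}/`);
}

// Behaviour described in the report: credentials break the prefix match.
function isLocalUnfiltered(url, pageUrl) {
  return hasBasePrefix(toAbsolute(url, pageUrl), baseOf(pageUrl));
}

// Same check after filtering the credentials out of the absolute URL.
function isLocalFiltered(url, pageUrl) {
  return hasBasePrefix(stripUserInfo(toAbsolute(url, pageUrl)), baseOf(pageUrl));
}

console.log(isLocalUnfiltered('/views/ajax', PAGE_PLAIN));
console.log(isLocalUnfiltered('/views/ajax', PAGE_WITH_AUTH));
console.log(isLocalFiltered('/views/ajax', PAGE_WITH_AUTH));
console.log(isLocalFiltered('https://www.drupal.org@other.example/x', PAGE_WITH_AUTH));
```

The last call stays false because, once the credentials are removed, the host being compared is `other.example` rather than the site's own host.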
