An error occurred while fetching folder content.
Francois Marier
authored
The current check to ensure that only absolute paths are accepted fails to take into account scheme-relative URLs like "//foo.com". These URLs end up in fixupURL and get the origin prepended to them to something like "https://origin.example.com//foo.com", which is invalid but still follows our same-origin restrictions. So the solution is to require that the character after the leading slash be anything but a slash.
Name | Last commit | Last update |
---|---|---|
.. |