

Timestamp:
06/15/2020 07:19:57 AM (4 years ago)
Author:
dd32
Message:

SSO: When determining the login url, always include a redirect_to if the host is not under the wordpress.org domain.

This prevents login failures with browsers that don't send http referers cross-origin, such as the Brave browser.

See #5239.

File:
1 edited

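--- a/sites/trunk/common/includes/wporg-sso/class-wporg-sso.php
+++ b/sites/trunk/common/includes/wporg-sso/class-wporg-sso.php
@@ -78,11 +78,16 @@
             $login_url = $this->sso_login_url;
 
+            if ( ! preg_match( '!wordpress\.org$!', $this->host ) ) {
+                $login_url = add_query_arg( 'from', $this->host, $login_url );
+
+                // Not all browsers send referers cross-origin, ensure that a redirect_to is set for this hostname.
+                if ( empty( $redirect_to ) ) {
+                    $redirect_to = 'https://' . $this->host . $_SERVER['REQUEST_URI'];
+                }
+            }
+
             if ( ! empty( $redirect_to ) && $this->_is_valid_targeted_domain( $redirect_to ) ) {
                 $redirect_to = preg_replace( '/\/wp-(login|signup)\.php\??.*$/', '/', $redirect_to );
                 $login_url = add_query_arg( 'redirect_to', urlencode( $redirect_to ), $login_url );
-            }
-
-            if ( ! preg_match( '!wordpress\.org$!', $this->host ) ) {
-                $login_url = add_query_arg( 'from', $this->host, $login_url );
             }
 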
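Review bot: The raw `$_SERVER['REQUEST_URI']` is concatenated into `$redirect_to` on new line 85 without unslashing or URL sanitising, which leaves `_is_valid_targeted_domain()` (not visible in this hunk) as the only check on request-derived data before it becomes the `redirect_to` parameter. WordPress slashes `$_SERVER`, so I would normalise the value before it is validated: `$redirect_to = esc_url_raw( 'https://' . $this->host . wp_unslash( $_SERVER['REQUEST_URI'] ) );`. The guard `'!wordpress\.org$!'` on new line 80 is also not anchored at a label boundary, so a host such as `examplewordpress.org` would be treated as wordpress.org and skip both `from` and this fallback; `'!(^|\.)wordpress\.org$!'` would match only the domain and its subdomains. The enclosing method starts and ends outside the hunk, so where `$redirect_to` and `$this->host` are first set cannot be confirmed from here.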