@@ -25,7 +25,9 @@ internal static class OpaqueRedirection
25
25
// returns a regular 301/302/etc. To handle this,
26
26
//
27
27
// - If it's redirected to an internal URL, the browser will just follow the redirection automatically
28
- // and client-side code simply updates the client-side URL to match
28
+ // and client-side code will then:
29
+ // - Check if it went to a Blazor endpoint, and if so, simply update the client-side URL to match
30
+ // - Or if it's a non-Blazor endpoint, behaves like "external URL" below
29
31
// - If it's to an external URL:
30
32
// - If it's a GET request, the client-side code will retry as a non-enhanced request
31
33
// - For other request types, we have to let it fail as it would be unsafe to retry
@@ -35,11 +37,6 @@ internal static class OpaqueRedirection
35
37
36
38
public static string CreateProtectedRedirectionUrl ( HttpContext httpContext , string destinationUrl )
37
39
{
38
- // For consistency with how 'fetch' works, we don't want to disclose the redirection URL to JS code, even if
39
- // it's an internal URL (e.g., if the redirection chain is A->B->C, we don't want JS to be able to see B).
40
- // This is even more important if it's an external URL, since it could be an auth endpoint with sensitive
41
- // info inside it. So, we supply the URL to a framework endpoint that will perform the redirection, and
42
- // the client-side code and navigate to this.
43
40
var protector = CreateProtector ( httpContext ) ;
44
41
var protectedUrl = protector . Protect ( destinationUrl , TimeSpan . FromSeconds ( 10 ) ) ;
45
42
return $ "{ RedirectionEndpointBaseRelativeUrl } ?url={ UrlEncoder . Default . Encode ( protectedUrl ) } ";
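Review bot: After this change `CreateProtectedRedirectionUrl` no longer says why the destination is run through the data protector, and the 10-second lifetime passed to `protector.Protect(...)` has no stated reason. The deleted lines held the security rationale: the redirect target must not be readable by JS because it may be an auth endpoint with sensitive data in the URL. The header comment shown here does not restate it, though it may have moved to a part of the file this page does not show. If it has not, keep a short form above the `Protect` call, for example `// Protect the destination so client-side JS never sees the raw redirect URL (it may carry auth data).`, plus a few words on why the lifetime is 10 seconds. In the new header bullet, "behaves" should read "behave" to match "Check".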