0

I have a site that when the user signs in; it opens a new window to github login to use it’s oauth flow. The user signs in, grants access, and is redirect back to the site. https://www.example.com?code=“code”. My site then attempts to parse the code out of window.location.search. However, when this occurs I am getting the following error:

DOMException: Permission denied to get property “href” on cross-origin object.

I am not sure what to do in this case? Any thoughts would be appreciated.

xjinx
  • 185
  • 8

1 Answers1

0

If you're trying to retrieve the value of window.location.search that appears in the new window from the original window, you need to make sure that both windows have the same origin (scheme, port and host, see more here: Same-origin Policy).

This is a security measure, otherwise a malicious site could initiate an OAuth flow and retrieve the authorization code in the popup window without controlling the redirect site.

Alternatively, you can just retrieve the code in the new window.

Trey Griffith
  • 499
  • 4
  • 8
  • Hi Trey, thanks for the response. Even if I open the new window in my domain, navigate to the oauth url, which then redirects back to my domain in the new window; it still fails. Adding a example of the code in another comment. – xjinx Oct 18 '20 at 14:28
  • const win = window.open('myUrl', this.id, this.windowOptions); win.location.replace(''github.com/oauthurl'); const p = new Promise((res, rej) => { win.setInternal(() => { if ( this.window.location.href === 'github.com/oauthurl' || this.window.location.pathname === 'blank' ) { return; } resolve(this.window.location.search); } } p.then(onSuccessCallback, onFailureCallback); – xjinx Oct 18 '20 at 14:28
  • What is the full origin of the redirect URL (the URL your new window is finally redirected to) vs the origin of your parent window? Scheme, host, and port all have to be identical. So `http://google.com` is not the same as `https://google.com` – Trey Griffith Oct 21 '20 at 20:20