JavaScript redirects security issue - how do I do this correctly? | Community
April 22, 2022
Solved

My web developer flagged this to me and I have never seen this from MKTO redirects. Anyone else experience this or have a solution? MKTO support wasn't very helpful on this one 😞

"Last week the security team flagged a couple of redirects associated with Marketo that can be escalated to XSS attacks."

erp.financialforce.com/redirect?url=https://www.google.com
backoffice.financialforce.com/app/redirect?url=https://www.google.com
backoffice.financialforce.com/redirect?url=https://google.com
erp.financialforce.com/redirect#?url=https://www.google.com

1 reply

SanfordWhiteman (Accepted solution)
April 22, 2022

This merely means that you haven’t created your redirect page properly (it’s not the native Marketo redirect you’re using here, but rather bouncing people off your interstitial LP using custom JavaScript).

Whenever you do this, you must have an “allow list” of origins (protocols + hostnames):

let allowedOrigins = [ 'http://pages.example.com', 'http://www.example.com', 'http://example.com' ];

You compare the redirect origin (i.e. the origin of the next-hop URL that’s being wrapped inside the query string) to the list of allowed origins.

If it’s not in the list, you don’t redirect. Simple as that.
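One way to implement the origin allow list described in the accepted answer, as an added example that is not code from the original post, from SanfordWhiteman, or from Marketo. The origins in the list are assumptions for the demo; substitute the landing-page hostnames you actually own. It goes slightly beyond the answer in two ways a practitioner would want: it reads the target from both the "?url=" and the "#?url=" forms that appear in the flagged links (the fragment form never reaches the server, so only page JavaScript can see it), and it compares the parsed origin rather than doing a substring or prefix match, which is what lets "www.example.com.evil.example", "www.example.com@evil.example" and "javascript:" targets through on many hand-rolled redirect pages.

```javascript
// Added example (not from the original post): an allow-list check for a
// JavaScript "bounce" redirect page. The origins below are assumptions for
// the demo; replace them with the real hostnames your landing pages use.
const ALLOWED_ORIGINS = new Set([
  'https://pages.example.com',
  'https://www.example.com',
  'https://example.com',
]);

// Pull the next-hop URL out of either "?url=" or "#?url=". `loc` is any
// object with `search` and `hash` strings, such as window.location.
function extractTarget(loc) {
  for (const raw of [loc.search, loc.hash]) {
    const qs = raw.replace(/^[#?]+/, '');        // strip leading '#' and/or '?'
    const value = new URLSearchParams(qs).get('url');
    if (value !== null) return value;
  }
  return null;
}

// Returns the normalized absolute URL to redirect to, or null if the target
// must not be followed. The comparison is on the parsed origin
// (scheme + host + port), never on a substring or prefix of the raw string.
function resolveRedirect(rawTarget, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof rawTarget !== 'string' || rawTarget.length === 0) return null;
  let parsed;
  try {
    // No base URL: relative and protocol-relative ("//evil.example") inputs
    // throw here and are rejected rather than resolved against our own host.
    parsed = new URL(rawTarget);
  } catch (e) {
    return null;
  }
  // Only web schemes may be followed. javascript:, data: and the like would
  // also fail the origin check (their origin is "null"), but saying so
  // explicitly makes the intent obvious to the next reader.
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  // parsed.origin excludes userinfo, so "https://www.example.com@evil.example"
  // has origin "https://evil.example" and fails here. Host case and default
  // ports are normalized by the parser, so "HTTPS://WWW.EXAMPLE.COM:443" matches.
  if (!allowedOrigins.has(parsed.origin)) return null;
  return parsed.href;
}

// In a browser this is the whole bounce page; under Node only the functions
// above are exercised.
if (typeof window !== 'undefined') {
  const target = resolveRedirect(extractTarget(window.location));
  if (target) {
    window.location.replace(target);
  } else {
    document.body.textContent = 'Invalid redirect target.';
  }
}
```

Keep the list to full origins, not bare hostnames, so an "http://" target cannot bounce a visitor off an "https://" page onto a plaintext hop. If the interstitial page must also accept same-site relative paths, resolve them against a fixed base (for example `new URL(rawTarget, 'https://www.example.com')`) rather than against `window.location`, and keep the origin check in place after resolving.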