SOLVED

JavaScript redirects security issue - how do I do this correctly?

CalparFF
Level 1

My web developer flagged this to me and I have never seen this from MKTO redirects. Anyone else experience this or have a solution? MKTO support wasn't very helpful on this one 😞

"Last week the security team flagged a couple of redirects associated with Marketo that can be escalated to XSS attacks."
1 ACCEPTED SOLUTION

Accepted Solutions
SanfordWhiteman
Level 10 - Community Moderator

Re: JavaScript redirects security issue - how do I do this correctly?

This merely means that you haven’t created your redirect page properly (it’s not the native Marketo redirect you’re using here, but rather bouncing people off your interstitial LP using custom JavaScript).

Whenever you do this, you must have an “allow list” of origins (protocols + hostnames):

    let allowedOrigins = [
      'http://pages.example.com',
      'http://www.example.com',
      'http://example.com'
    ];

You compare the redirect origin (i.e. the origin of the next-hop URL that’s being wrapped inside the query string) to the list of allowed origins.

If it’s not in the list, you don’t redirect. Simple as that.

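As an added example (not code from the thread or from Marketo), here is one way to wire the allow-list check above into an interstitial redirect page. It assumes the next-hop URL arrives in a query parameter named `next` and that `http://www.example.com/` is the fallback destination; both are assumptions for illustration. It relies on the browser's `URL` parser so that the comparison is made against the normalized origin rather than against the raw string.

```javascript
// Added example, not part of the original thread: an origin allow list for a
// custom JavaScript redirect page. Runs in a browser or in Node.

// Assumed allow list of origins (scheme + host), as in the answer above.
const allowedOrigins = new Set([
  'http://pages.example.com',
  'http://www.example.com',
  'http://example.com',
]);

// Returns the normalized next-hop URL if its origin is allowed, otherwise null.
function resolveRedirect(nextRaw, allowed = allowedOrigins) {
  if (typeof nextRaw !== 'string' || nextRaw.trim() === '') return null;
  let next;
  try {
    // Parse with no base URL: relative and protocol-relative values
    // ('/path', '//other-host/') fail to parse and are rejected.
    next = new URL(nextRaw);
  } catch {
    return null;
  }
  // The parser lowercases scheme and host and drops default ports, so
  // 'HTTP://PAGES.EXAMPLE.COM:80/x' compares equal to the listed origin.
  // Non-HTTP schemes such as javascript: or data: have origin 'null' and
  // never match; user-info tricks ('http://pages.example.com@other-host/')
  // resolve to the real host, which is not listed.
  if (!allowed.has(next.origin)) return null;
  return next.href;
}

// Reads ?next=... (assumed parameter name) and picks the destination,
// falling back to a fixed, trusted page when the value is missing or rejected.
function redirectTargetFromQuery(search, fallback = 'http://www.example.com/') {
  const params = new URLSearchParams(search);
  return resolveRedirect(params.get('next')) ?? fallback;
}

// Browser entry point: only executes when a window object exists.
if (typeof window !== 'undefined') {
  window.location.replace(redirectTargetFromQuery(window.location.search));
}
```

Using `location.replace` rather than `location.href =` keeps the interstitial out of the back-button history. The allow list is a `Set` of exact origins, so a subdomain or a different scheme (`https://` versus `http://`) must be listed explicitly to be accepted.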
