diff --git a/exec/handlers/login.php b/exec/handlers/login.php index c19c13b..6df9672 100644 --- a/exec/handlers/login.php +++ b/exec/handlers/login.php @@ -53,7 +53,7 @@ return static function (): void { 'event' => 'create_login_url', 'result' => 'success', ]); - Http::redirectNoStore($url); + Http::browserRedirectNoStore($url); } catch (Throwable $e) { AuditLog::append(Settings::AUDIT_LOG, $auditBase + [ 'event' => 'create_login_url', diff --git a/exec/lib/Http.php b/exec/lib/Http.php index 6e37102..e1fd460 100644 --- a/exec/lib/Http.php +++ b/exec/lib/Http.php @@ -45,6 +45,37 @@ final class Http exit; } + public static function browserRedirectNoStore(string $url): void + { + header('Content-Type: text/html; charset=UTF-8'); + header('Cache-Control: no-store, private'); + header('Pragma: no-cache'); + header('Referrer-Policy: no-referrer'); + header('X-Content-Type-Options: nosniff'); + header("Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; base-uri 'none'; form-action 'none'"); + echo self::redirectPageHtml($url); + exit; + } + + public static function redirectPageHtml(string $url): string + { + $safeUrl = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); + $jsonUrl = json_encode($url, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); + if (!is_string($jsonUrl)) { + $jsonUrl = '"/"'; + } + + return '
' + . '' + . '' + . '