Back redirects to the URL given in the Referer header. It validates that the Referer is same-origin to prevent open redirect attacks. If the Referer is missing, invalid, or cross-origin, the fallback URL is used.
(fallback ...string)
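// Back redirects to the URL given in the Referer header.
// It validates that the Referer is same-origin to prevent open redirect attacks.
// If the Referer is missing, invalid, or cross-origin, the fallback URL is used.
//
// A plain path-absolute reference (a single leading "/") is accepted without
// parsing. Any other value is parsed with url.Parse and must either carry no
// host at all (a relative reference) or have a scheme and host that
// schemehost.Match accepts against the current request's scheme and host.
// References whose first two characters are slash-like with at least one
// backslash ("/\host", "\/host", "\\host") are rejected up front: url.Parse
// reports no host for them, but browsers normalise "\" to "/" in http(s) URLs
// and resolve them as the network-path reference "//host", i.e. another origin.
//
// When no usable Referer remains and no fallback is supplied, the response
// status is set from ErrRedirectBackNoFallback and that error is returned.
// Otherwise the first fallback entry is used. The chosen location is handed
// to To, which performs the redirect.
func (r *Redirect) Back(fallback ...string) error {
	location := r.c.Get(HeaderReferer)

	switch {
	case location == "":
		// No Referer; resolved through the fallback handling below.
	case hasBackslashNetworkPrefix(location):
		// Browser-resolved as "//host" even though url.Parse sees only a path.
		location = ""
	case !strings.HasPrefix(location, "/") || strings.HasPrefix(location, "//"):
		// Not a plain path-absolute reference: it must parse and be either
		// host-less or same-origin.
		parsed, err := url.Parse(location)
		switch {
		case err != nil:
			location = "" // unparsable
		case parsed.Scheme != "" && parsed.Host == "":
			location = "" // scheme-only references such as "mailto:" or "javascript:"
		case parsed.Host != "" && !schemehost.Match(parsed.Scheme, parsed.Host, r.c.Scheme(), r.c.Host()):
			location = "" // cross-origin
		}
	}

	if location == "" {
		if len(fallback) == 0 {
			// Nothing usable to redirect to; surface it as an error response.
			err := ErrRedirectBackNoFallback
			r.c.Status(err.Code)

			return err
		}
		location = fallback[0]
	}

	return r.To(location)
}

// isSlashLike reports whether b is a byte that browsers treat as a path
// separator in http(s) URLs ("\" is normalised to "/" by the WHATWG URL parser).
func isSlashLike(b byte) bool {
	return b == '/' || b == '\\'
}

// hasBackslashNetworkPrefix reports whether s begins with two slash-like bytes
// of which at least one is a backslash, i.e. "/\", "\/" or "\\". "//" itself is
// not matched here; it is handled by url.Parse and the origin check in Back.
func hasBackslashNetworkPrefix(s string) bool {
	if len(s) < 2 || !isSlashLike(s[0]) || !isSlashLike(s[1]) {
		return false
	}
	return s[:2] != "//"
}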
| 405 | |
| 406 | // parseAndClearFlashMessages is a method to get flash messages before they are getting removed |
| 407 | func (r *Redirect) parseAndClearFlashMessages() { |