diff --git a/apps/web/src/BasePlatform.ts b/apps/web/src/BasePlatform.ts
index 822b282e25d..8f2ee414446 100644
--- a/apps/web/src/BasePlatform.ts
+++ b/apps/web/src/BasePlatform.ts
@@ -466,10 +466,9 @@ export default abstract class BasePlatform {
 * The URL to return to after a successful OIDC authentication
 */
 public getOidcCallbackUrl(): URL {
- const url = new URL(window.location.href);
 // The redirect URL has to exactly match that registered at the OIDC server, so
- // ensure that the fragment part of the URL is empty.
- url.hash = "";
+ // build it from scratch to avoid leaking ephemeral query params (e.g. `updated`).
+ const url = new URL(window.location.origin + window.location.pathname);
 // Set no_universal_links=true to prevent the callback being handled by Element X installed on macOS Apple Silicon
 url.searchParams.set("no_universal_links", "true");
 return url;
diff --git a/apps/web/test/unit-tests/vector/platform/WebPlatform-test.ts b/apps/web/test/unit-tests/vector/platform/WebPlatform-test.ts
index 3a85e263ba6..438968c78ab 100644
--- a/apps/web/test/unit-tests/vector/platform/WebPlatform-test.ts
+++ b/apps/web/test/unit-tests/vector/platform/WebPlatform-test.ts
@@ -264,4 +264,22 @@ describe("WebPlatform", () => {
 platform.setErrorStatus(true);
 expect(spy).toHaveBeenCalledWith(expect.anything(), { bgColor: "#f00" });
 });
+
+ describe("getOidcCallbackUrl()", () => {
+ it("should not include the 'updated' query param in the redirect URI", () => {
+ Object.defineProperty(window, "location", {
+ value: {
+ href: "https://element.example.com/?updated=1.12.12",
+ origin: "https://element.example.com",
+ pathname: "/",
+ },
+ writable: true,
+ });
+ const platform = new WebPlatform();
+ const url = platform.getOidcCallbackUrl();
+
+ expect(url.searchParams.has("updated")).toBe(false);
+ expect(url.searchParams.get("no_universal_links")).toEqual("true");
+ });
+ });
 });
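Review bot: The rewritten comment in getOidcCallbackUrl explains only why the query string is dropped, but the new `new URL(window.location.origin + window.location.pathname)` also drops the fragment, which the removed `url.hash = ""` line handled explicitly and the old comment called out; a reader now has no signal that fragment stripping is still intentional. Suggest `// build it from origin + pathname only, so that neither the fragment nor ephemeral query params (e.g. \`updated\`) leak into the redirect URI registered at the OIDC server.` It is also worth a `@throws` sentence in the TSDoc: `window.location.origin` is the literal string `"null"` for opaque origins, so the `URL` constructor would throw a TypeError there instead of returning a URL — presumably not a supported deployment, but the old `new URL(window.location.href)` did not have that failure mode. The method's closing brace is outside the hunk.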
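Review bot: The new test replaces the global `window.location` via `Object.defineProperty` with `writable: true` and never restores it, so the stub (which carries only `href`, `origin` and `pathname`) leaks into every test that runs after it in this file. Capture the original descriptor and put it back, e.g. `const originalLocation = Object.getOwnPropertyDescriptor(window, "location");` before the `it(...)` and `afterEach(() => { if (originalLocation) Object.defineProperty(window, "location", originalLocation); });`. The assertions also pin only the `updated` query-param case, while the production change removed the explicit `url.hash = ""` line, so fragment stripping is now unprotected by tests; adding `hash: "#/room/!stub",` to the stub and `expect(url.hash).toBe("");` would cover both behaviours the redirect URI depends on. The enclosing `describe("WebPlatform", …)` starts outside the hunk.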