Hi! Our security team has found that the browser can be redirected to any URL without restriction via the `next` parameter when logging in to the hub.
For example, if I request such URL:
http://xxx.xxx.com/jupyterhub/hub/login?access_token=xxx.xxx&next=http://www.abc.com
The browser will redirect to http://www.abc.com if the access_token is valid.
Our security team worries that someone may use this mechanism to attack us. Therefore, I wonder if there is any way to set a whitelist to restrict the redirect URL. Thanks!
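As an added illustration (not part of the original post and not JupyterHub's own code), here is a standalone allow-list check of the kind the question asks for: a `next` value is accepted only if it is a same-origin absolute path or an http(s) URL whose host is on the list, and the usual open-redirect bypasses (scheme-relative `//host`, backslash variants, `user@host` confusion, non-http schemes) fall back to a default page. The host names and default path are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list (assumption): the public hub host plus one trusted host.
ALLOWED_HOSTS = {"hub.example.com", "notebooks.example.com"}
# Assumed safe landing page used whenever `next` is rejected.
DEFAULT_NEXT = "/jupyterhub/hub/home"


def safe_next_url(next_param, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_NEXT):
    """Return next_param if it is a safe redirect target, otherwise default.

    Accepts: absolute same-origin paths ("/jupyterhub/user/alice") and
    absolute http/https URLs whose hostname is in allowed_hosts.
    Rejects: scheme-relative URLs ("//evil.example"), backslash variants
    ("/\\evil.example", which browsers read as "//evil.example"), non-http
    schemes ("javascript:..."), credentials tricks ("http://good@evil") and
    bare host names without a leading slash ("evil.example/path").
    """
    if not next_param:
        return default
    # Browsers treat "\" like "/" in URLs; normalise before parsing so a
    # backslash cannot disguise a host-bearing URL as a relative path.
    candidate = next_param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default
    if parts.netloc:
        # parts.hostname strips userinfo and port, so "good@evil" resolves to "evil".
        host = (parts.hostname or "").lower()
        return candidate if host in allowed_hosts else default
    # No host part: require an absolute path on this origin, never "//...".
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


if __name__ == "__main__":
    for value in ("/jupyterhub/user/alice/lab", "http://www.abc.com",
                  "//www.abc.com", "/\\www.abc.com", "javascript:alert(1)",
                  "http://hub.example.com@www.abc.com/",
                  "https://notebooks.example.com/user/bob"):
        print(f"{value!r:45} -> {safe_next_url(value)}")
```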