NO_ASSIGN_WINDOW_LOCATION

Prevent unsafe assignment to window.location.href in your application.
Conformance is available on Enterprise plans

Avoid direct assignments to "window.location.href" or "window.location": if the input to the "href" is not sanitized, the assignment can lead to XSS attacks.

The recommended approach for Next.js applications is to use a custom redirectTo function. This gives you one clear place to choose between router.push() and window.location.href, depending on which experience is best for the user (client-side navigation only, or a full page refresh). Here's an example of how you might do this using Next.js:

Before:

my-site.js
window.location.href = '/login';

After:

my-site.js
router.push('/login');
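
One possible shape for the custom redirectTo function described above, as an added example rather than Vercel's or Next.js's own code. The helper names, the same-origin policy, the fallback path, and the injected router and location arguments are assumptions made for illustration.

```javascript
// Added example: hypothetical redirectTo helper. All names and the
// same-origin policy are assumptions, not part of the Conformance rule.

// Returns a same-origin path (pathname + search + hash), or null when the
// target is not a string, uses a non-http(s) scheme, or points elsewhere.
function safeRedirectTarget(target, origin) {
  if (typeof target !== 'string') return null;
  let url;
  try {
    // Relative targets are resolved against the application's origin.
    url = new URL(target, origin);
  } catch {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.origin !== new URL(origin).origin) return null;
  return url.pathname + url.search + url.hash;
}

// The single place in the application that navigates.
//   router:     object with push(path), e.g. the Next.js router
//   location:   object with origin and href, e.g. window.location
//   fullReload: true for a full page refresh, false for client-side navigation
//   fallback:   path used when the target is rejected
function redirectTo(target, { router, location, fullReload = false, fallback = '/' }) {
  const path = safeRedirectTarget(target, location.origin) ?? fallback;
  if (fullReload) {
    location.href = path; // only validated same-origin paths reach this line
  } else {
    router.push(path);
  }
  return path;
}
```

Call sites then pass their router and window.location to redirectTo instead of assigning to window.location.href themselves, so the validation lives in one reviewed place.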
Last updated on July 27, 2024