diff --git a/plugins/core/package-lock.json b/plugins/core/package-lock.json
index 749f2d9826..ca56160dc6 100644
--- a/plugins/core/package-lock.json
+++ b/plugins/core/package-lock.json
@@ -1,12 +1,12 @@
 {
    "name": "@scrypted/core",
-   "version": "0.1.142",
+   "version": "0.1.143",
    "lockfileVersion": 2,
    "requires": true,
    "packages": {
       "": {
          "name": "@scrypted/core",
-         "version": "0.1.142",
+         "version": "0.1.143",
          "license": "Apache-2.0",
          "dependencies": {
             "@scrypted/common": "file:../../common",
diff --git a/plugins/core/package.json b/plugins/core/package.json
index a59e6a5d02..0832c910c2 100644
--- a/plugins/core/package.json
+++ b/plugins/core/package.json
@@ -1,6 +1,6 @@
 {
    "name": "@scrypted/core",
-   "version": "0.1.142",
+   "version": "0.1.143",
    "description": "Scrypted Core plugin. Provides the UI, websocket, and engine.io APIs.",
    "author": "Scrypted",
    "license": "Apache-2.0",
diff --git a/plugins/core/ui/src/Login.vue b/plugins/core/ui/src/Login.vue
index bf2957421f..90de9daeb4 100644
--- a/plugins/core/ui/src/Login.vue
+++ b/plugins/core/ui/src/Login.vue
@@ -112,6 +112,16 @@ export default {
         try {
           const redirect_uri = new URL(window.location).searchParams.get('redirect_uri');
           if (redirect_uri) {
+            try {
+              const parsed = new URL(redirect_uri);
+              // allow everything but javascript evaluation within this browser (ie, custom uri handlers, https, etc are all valid)
+              if (parsed.protocol === 'javascript:') {
+                window.location = '/';
+                return;
+              }
+            }
+            catch (e) {
+            }
             window.location = redirect_uri;
             return;
           }