Request for Optional Setting to Not Encrypt exturl (targetUrl) in Exitscript #1089

Open
jonnorth opened this issue Jan 31, 2024 · 1 comment


@jonnorth

I am writing to bring attention to an important breaking change that occurred with the release of CDTS v5.0.0. In this version, Exitscript no longer contains an unencrypted targetUrl/exturl as part of the query string to pass the destination link. This change has significantly impacted our application, which serves as a framework used by multiple other web applications.

Our application relies on the exturl/targetUrl to perform several functions. When an external link is clicked, our application performs some session cleanup and then notifies the calling system that an external link has been detected. This gives the application using our system the opportunity to decide what to do with that external link.

However, since URLs are now encrypted on the client side, we no longer have the ability to perform these functions. This has been a significant breaking change for our system.

We understand that this change was made to prevent misuse of the targetUrl with regard to open-redirect attacks. However, our system was not susceptible to this as we do not openly redirect without input from the user.

We kindly request the addition of an optional setting to the Exitscript that would allow us not to encrypt the targetUrl. This would greatly help us in maintaining the functionality of our application and the systems that rely on it.

Thank you for your attention to this matter.

@ahmad-shahid
Contributor

Hello, we don't have control over the way the link is passed. CDTS leverages the WET exitscript (https://wet-boew.github.io/wet-boew/demos/exitscript/exitscript-en.html) and WET encrypts the URLs now. We cannot go back to the previous behaviour of the exitscript.

You can perform functions through a middle (redirected) page and retrieve the URL. Take a look at the examples on our sample page: https://cdts.service.canada.ca/app/cls/WET/gcweb/v5_0_0/cdts/samples/exitscript-redirect-en.html
