(function () {
"use strict";
var loc = window.location;
var loginWinObj = window.OAUTH3_CORE.queryparse(loc.hash || loc.search);
var prefix = "(" + window.location.hostname + ") [.well-known/oauth3/callback.html]";
if (loginWinObj.debug) {
console.warn(prefix, "DEBUG MODE ENABLED. Automatic redirects disabled.");
}
// '--oauth3-callback-' prefix exist for security so that an attacker can't social engineer execution an arbitrary function
// TODO finalize name of '--oauth3-callback-', this will be a defacto standard
// TODO maybe call it 'self-xss-' or 'hack-my-account-' to discourage people from doing dumb things?
var callbackName = '--oauth3-callback-' + loginWinObj.state;
console.log(prefix, loc.href);
console.log(prefix, 'Parsed URL Obj:', loginWinObj);
console.log(prefix, 'callbackName:', callbackName);
window.oauth3complete = function () {
// The hacks that used to be necessary for this on iOS should no longer be necessary in iOS 9+
// see https://bugs.chromium.org/p/chromium/issues/detail?id=136610 and https://crbug.com/423444
// TODO Should we still create an abstraction for older versions?
if (window.parent) {
// iframe
try {
window.parent[callbackName](loginWinObj);
return;
} catch(e) {
console.warn(e);
}
}
if (window.opener) {
try {
window.opener[callbackName](loginWinObj);
return;
} catch(e) {
console.warn(e);
}
}
console.error("neither window.parent nor window.opener existed to complete callback");
/*
// the caller should close (or signal to close) the window
try {
window.close();
} catch (err) {
console.log('Error: ', err);
}
*/
};
if (!loginWinObj.debug) {
window.oauth3complete();
}
else {
document.body.innerHTML = window.location.hostname + window.location.pathname
+ '
You\'ve passed the \'debug\' parameter so we\'re pausing'
+ ' to let you look at logs or whatever it is that you intended to do.'
+ '
Continue with callback: javascript:window.oauth3complete()';
return;
}
}());