For security reasons, LabKey Server restricts the host names that can be used in returnUrl parameters. By default, only redirects to the same LabKey instance are allowed. Other server host names must be specifically granted access to allow them to be automatically redirected.
For more information on the security concern, please refer to the OWASP advisory
A site administrator can allow hosts based on the server name or IP address, based on how it will be referenced in the returnUrl parameter values.
To add an External Redirect Host URL to the approved list:
- Go to (Admin) > Site > Admin Console.
- Under Configuration click External Redirect Hosts.
- In the Host field enter a approved URL and click Save.
- URLs already granted access are added to the list under Existing External Redirect Hosts.
- You can directly edit and save the list of existing redirect URLs if necessary.