From 921da962d0d22b0dd3280afa92ad324b45a33b65 Mon Sep 17 00:00:00 2001
From: ansuz <ansuz@transitiontech.ca>
Date: Tue, 27 Jul 2021 05:18:39 +0530
Subject: [PATCH] narrow exceptions for use of localhost in checkup

---
 www/checkup/main.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/www/checkup/main.js b/www/checkup/main.js
index 93ead1bbc..90c16a29a 100644
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
@@ -705,9 +705,13 @@ define([
     var isOnion = function (host) {
         return /\.onion$/.test(host);
     };
+    var isLocalhost = function (host) {
+        return /^http:\/\/localhost/.test(host);
+    };
+
     assert(function (cb, msg) {
         // provide an exception for development instances
-        if (/http:\/\/localhost/.test(trimmedUnsafe)) { return void cb(true); }
+        if (isLocalhost(trimmedUnsafe) && isLocalhost(window.location.href)) { return void cb(true); }
 
         // if both the main and sandbox domains are onion addresses
         // then the HTTPS requirement is unnecessary