
Issue #2868712: Extra validation to verify if the url is a local url.

Open Diego Castro requested to merge issue/drupal-2868712:drupal-js-issue-2868712 into 11.x
+ 9
1
@@ -436,7 +436,11 @@ window.Drupal = { behaviors: {}, locale: {} };
// Always use browser-derived absolute URLs in the comparison, to avoid
// attempts to break out of the base path using directory traversal.
let absoluteUrl = Drupal.url.toAbsolute(url);
const { origin: requestOrigin } = new URL(absoluteUrl);
let { protocol } = window.location;
const { origin } = window.location;
// Check if the origin of the request has the same origin as the current page.
const isSameOrigin = requestOrigin === origin;
// Consider URLs that match this site's base URL but use HTTPS instead of HTTP
// as local as well.
@@ -461,7 +465,11 @@ window.Drupal = { behaviors: {}, locale: {} };
// The given URL matches the site's base URL, or has a path under the site's
// base URL.
return absoluteUrl === baseUrl || absoluteUrl.startsWith(`${baseUrl}/`);
return (
absoluteUrl === baseUrl ||
absoluteUrl.startsWith(`${baseUrl}/`) ||
isSameOrigin
);
};
/**
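Review bot: The `|| isSameOrigin` term added to the return in the second hunk makes every URL on the page's origin count as local, so the two base-path comparisons beside it no longer restrict anything for the current protocol. For a site installed under a subdirectory, a path outside the base path on the same host would now pass, which is what the comment at the top of the first hunk says the comparison is meant to prevent. If the aim is extra validation, as the title says, the origin comparison should narrow the result rather than widen it: drop `|| isSameOrigin` from the return, or state in a comment which URL it is meant to admit and cover a subdirectory install in a test. Separately, `new URL(absoluteUrl)` in the first hunk throws a `TypeError` on a string it cannot parse, so if `Drupal.url.toAbsolute` can hand back such a string (not visible here), the check would throw instead of returning `false`. The enclosing function starts outside both hunks.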