Description
This is possibly a bug in the verification flow. As pointed out by @nsklikas, a returnTo could be followed as a redirect after the verification flow completed successfully even if the returnTo was added to the request later (so after the creation of the flow, for which Kratos validates the returnTo is among the allowed ones).
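An added sketch of the check this report implies, not Kratos's own code: a `returnTo` that first appears on a later request is re-validated against the same allowlist before it is followed. The names `Flow`, `NewFlow`, `CompletionRedirect` and `isAllowed`, the origin-only matching rule and the URLs are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// Flow is a hypothetical stand-in for a verification flow (not Kratos's type).
type Flow struct{ ReturnTo string } // ReturnTo is validated once, at creation

// isAllowed accepts only absolute http(s) URLs whose scheme and host equal an allowlisted origin.
func isAllowed(raw string, allowed []string) bool {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" || (u.Scheme != "https" && u.Scheme != "http") {
		return false
	}
	for _, a := range allowed {
		if au, err := url.Parse(a); err == nil && au.Scheme == u.Scheme && au.Host == u.Host {
			return true
		}
	}
	return false
}

// NewFlow rejects a disallowed returnTo when the flow is created.
func NewFlow(returnTo string, allowed []string) (*Flow, error) {
	if returnTo != "" && !isAllowed(returnTo, allowed) {
		return nil, fmt.Errorf("return_to %q is not allowed", returnTo)
	}
	return &Flow{ReturnTo: returnTo}, nil
}

// CompletionRedirect picks the redirect after successful verification. A returnTo
// supplied on the completing request is checked again instead of being trusted.
func CompletionRedirect(f *Flow, requestReturnTo string, allowed []string, fallback string) string {
	if requestReturnTo != "" && isAllowed(requestReturnTo, allowed) {
		return requestReturnTo
	}
	if f.ReturnTo != "" {
		return f.ReturnTo
	}
	return fallback
}

func main() {
	allowed := []string{"https://app.example.com"} // constructed sample allowlist
	f, _ := NewFlow("https://app.example.com/welcome", allowed)
	fmt.Println(CompletionRedirect(f, "https://evil.example.net/", allowed, "https://app.example.com/"))
}
```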