From fb0a577dd1ef5faf44aee7bb1dabb9376e45c8b9 Mon Sep 17 00:00:00 2001
From: Troy Dai
Date: Thu, 11 Aug 2016 14:03:17 -0700
Subject: [PATCH] Add comments to CookieAuthenticationHandler
---
 .../CookieAuthenticationHandler.cs | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs b/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs
index 9b45738756..f11f69e1c9 100644
--- a/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs
+++ b/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs
@@ -316,6 +316,9 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
 // set redirect uri in order:
 // 1. properties.RedirectUri
 // 2. query parameter ReturnUrlParameter
+ //
+ // Absolute uri is not allowed if it is from query string as query string is not
+ // a trusted source.
 var redirectUri = properties.RedirectUri;
 if (string.IsNullOrEmpty(redirectUri))
 {
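Review bot: The added comment says what is rejected from the query string ("absolute uri") but not what is accepted, and it leaves the trust placed in `properties.RedirectUri` implicit. "Absolute" read strictly does not cover scheme-relative values, which also leave the host, so the comment should state the rule as an allow-list that matches the check further down. That check sits below the `{` where the hunk ends, so I could not confirm what it enforces. The first branch, `var redirectUri = properties.RedirectUri;`, appears to take the property without that restriction, which is only safe if callers never copy request data into it. Suggested wording, if it matches the code: `// Only a host-relative path is accepted from the query string, which is untrusted input.` followed by `// properties.RedirectUri is set by application code and is not restricted here; callers must validate anything they copy into it.`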