Copilot AI commented Nov 21, 2025

Clarifies that applications should not put URLs or sensitive data directly in the state parameter. Instead, use an identifier that references data stored in browser storage.

Changes

Updated JSDoc comments for the state parameter in 5 request type definitions:

msal-common:

  • CommonAuthorizationUrlRequest - authorization flows
  • CommonEndSessionRequest - logout flows

msal-browser:

  • PopupRequest - popup authentication
  • RedirectRequest - redirect authentication
  • SsoSilentRequest - silent SSO

Guidance Added

/**
 * - state - A value included in the request that is also returned in the token response.
 *   A randomly generated unique value is typically used for preventing cross site request 
 *   forgery attacks. The state is also used to encode information about the user's state 
 *   in the app before the authentication request occurred. For security and privacy reasons,
 *   we do not recommend putting URLs or other sensitive data directly in the state parameter.
 *   Instead, use a key or identifier that corresponds to data stored in browser storage
 *   (e.g., localStorage, sessionStorage), allowing your app to securely reference the
 *   necessary data after authentication.
 */

This pattern improves privacy by keeping potentially sensitive redirect URLs and application state out of the authorization request/response flow.


Original prompt

This pull request was created as a result of the following prompt from Copilot chat.

Update documentation to clarify guidance on the use of the app specific state parameter. The documentation should explicitly state:

  • We do not recommend putting URLs directly in the application's state parameter during authentication flows.
  • Instead, applications should use a key (such as an identifier) in the state parameter, which corresponds to relevant data stored in browser storage (e.g., localStorage, sessionStorage).
  • This approach allows the app to securely reference any necessary data to be consumed after authentication, improving privacy and security.

Reference and follow all relevant PR instructions provided in .github/copilot-instructions.md so that formatting and contribution requirements are met.


Copilot AI and others added 2 commits November 21, 2025 22:31
Co-authored-by: jo-arroyo <45890484+jo-arroyo@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update documentation for app specific state parameter" to "Add security guidance for state parameter usage in authentication flows" on Nov 21, 2025
Copilot AI requested a review from jo-arroyo November 21, 2025 22:40
Copilot finished work on behalf of jo-arroyo November 21, 2025 22:40