From 7a07b93a7f4800ecc8a56b32c03a95583bd46f50 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 21 Nov 2025 22:20:02 +0000
Subject: [PATCH 1/3] Initial plan
From ca57a70f5b2245b5dd7c44bbe69892dab75c1c41 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 21 Nov 2025 22:31:43 +0000
Subject: [PATCH 2/3] docs: Add security guidance for state parameter usage
Co-authored-by: jo-arroyo <45890484+jo-arroyo@users.noreply.github.com>
---
 lib/msal-browser/src/request/PopupRequest.ts | 2 +-
 lib/msal-browser/src/request/RedirectRequest.ts | 2 +-
 lib/msal-browser/src/request/SsoSilentRequest.ts | 2 +-
 lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts | 2 +-
 lib/msal-common/src/request/CommonEndSessionRequest.ts | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/msal-browser/src/request/PopupRequest.ts b/lib/msal-browser/src/request/PopupRequest.ts
index 6936f04385..09ef604591 100644
--- a/lib/msal-browser/src/request/PopupRequest.ts
+++ b/lib/msal-browser/src/request/PopupRequest.ts
@@ -15,7 +15,7 @@ import { PopupWindowAttributes } from "./PopupWindowAttributes.js";
  * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  * - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
  * - extraScopesToConsent - Scopes for a different resource when the user needs consent upfront.
- * - state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred.
+ * - state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred. For security and privacy reasons, we do not recommend putting URLs or other sensitive data directly in the state parameter. Instead, use a key or identifier that corresponds to data stored in browser storage (e.g., localStorage, sessionStorage), allowing your app to securely reference the necessary data after authentication.
  * - prompt - Indicates the type of user interaction that is required.
  * login: will force the user to enter their credentials on that request, negating single-sign on
  * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
diff --git a/lib/msal-browser/src/request/RedirectRequest.ts b/lib/msal-browser/src/request/RedirectRequest.ts
index 924c38f392..f0eb1757da 100644
--- a/lib/msal-browser/src/request/RedirectRequest.ts
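Review bot: The sentence added to the `state` entry in PopupRequest.ts says the advice is "for security and privacy reasons" without stating the reason, and "securely reference the necessary data" reads as if looking the key up is safe by construction; the same wording is added in the RedirectRequest.ts, SsoSilentRequest.ts, CommonAuthorizationUrlRequest.ts and CommonEndSessionRequest.ts hunks. The entry itself says the value is included in the request and returned in the response (for CommonEndSessionRequest, in the query string of the post-logout redirect), so the concrete point is that the value is exposed in URLs and wherever those are logged, and that the value the app reads back arrives with the redirect and may not be the one it sent. I would append one sentence to each of these hunks, e.g. `Because the state value round-trips through the request and the redirect response, treat the returned value as untrusted input: use it only as a key to look up data your app stored before the request, never as a navigation target or as data to act on directly.` The enclosing doc comment starts before and ends after each hunk.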
+++ b/lib/msal-browser/src/request/RedirectRequest.ts
@@ -14,7 +14,7 @@ import { CommonAuthorizationUrlRequest } from "@azure/msal-common/browser";
  * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  * - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
  * - extraScopesToConsent - Scopes for a different resource when the user needs consent upfront.
- * - state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred.
+ * - state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred. For security and privacy reasons, we do not recommend putting URLs or other sensitive data directly in the state parameter. Instead, use a key or identifier that corresponds to data stored in browser storage (e.g., localStorage, sessionStorage), allowing your app to securely reference the necessary data after authentication.
  * - prompt - Indicates the type of user interaction that is required.
  * login: will force the user to enter their credentials on that request, negating single-sign on
  * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
diff --git a/lib/msal-browser/src/request/SsoSilentRequest.ts b/lib/msal-browser/src/request/SsoSilentRequest.ts
index 326e455cc7..10c664e45d 100644
--- a/lib/msal-browser/src/request/SsoSilentRequest.ts
+++ b/lib/msal-browser/src/request/SsoSilentRequest.ts
@@ -14,7 +14,7 @@ import { CommonAuthorizationUrlRequest } from "@azure/msal-common/browser";
  * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  * - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
  * - extraScopesToConsent - Scopes for a different resource when the user needs consent upfront.
- * - state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred.
+ * - state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred. For security and privacy reasons, we do not recommend putting URLs or other sensitive data directly in the state parameter. Instead, use a key or identifier that corresponds to data stored in browser storage (e.g., localStorage, sessionStorage), allowing your app to securely reference the necessary data after authentication.
  * - prompt - Indicates the type of user interaction that is required.
  * login: will force the user to enter their credentials on that request, negating single-sign on
  * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
diff --git a/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts b/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts
index 796f713d86..ddc30647c8 100644
--- a/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts
+++ b/lib/msal-common/src/request/CommonAuthorizationUrlRequest.ts
@@ -19,7 +19,7 @@ import { AccountInfo } from "../account/AccountInfo.js";
  * - responseMode - Specifies the method that should be used to send the authentication result to your app. Can be query, form_post, or fragment. If no value is passed in, it defaults to query.
  * - codeChallenge - Used to secure authorization code grant via Proof of Key for Code Exchange (PKCE). For more information, see the PKCE RCF:https://tools.ietf.org/html/rfc7636
  * - codeChallengeMethod - The method used to encode the code verifier for the code challenge parameter. Can be "plain" or "S256". If excluded, code challenge is assumed to be plaintext. For more information, see the PKCE RCF: https://tools.ietf.org/html/rfc7636
- * - state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred.
+ * - state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred. For security and privacy reasons, we do not recommend putting URLs or other sensitive data directly in the state parameter. Instead, use a key or identifier that corresponds to data stored in browser storage (e.g., localStorage, sessionStorage), allowing your app to securely reference the necessary data after authentication.
  * - prompt - Indicates the type of user interaction that is required.
  * login: will force the user to enter their credentials on that request, negating single-sign on
  * none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
diff --git a/lib/msal-common/src/request/CommonEndSessionRequest.ts b/lib/msal-common/src/request/CommonEndSessionRequest.ts
index 1b3561306d..637b1d0c22 100644
--- a/lib/msal-common/src/request/CommonEndSessionRequest.ts
+++ b/lib/msal-common/src/request/CommonEndSessionRequest.ts
@@ -12,7 +12,7 @@ import { StringDict } from "../utils/MsalTypes.js";
  * - postLogoutRedirectUri - URI to navigate to after logout page.
  * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  * - idTokenHint - ID Token used by B2C to validate logout if required by the policy
- * - state - A value included in the request to the logout endpoint which will be returned in the query string upon post logout redirection
+ * - state - A value included in the request to the logout endpoint which will be returned in the query string upon post logout redirection. For security and privacy reasons, we do not recommend putting URLs or other sensitive data directly in the state parameter. Instead, use a key or identifier that corresponds to data stored in browser storage (e.g., localStorage, sessionStorage), allowing your app to securely reference the necessary data after logout.
  * - logoutHint - A string that specifies the account that is being logged out in order to skip the server account picker on logout
  * - extraQueryParameters - String to string map of custom query parameters added to the /authorize call
  */
From de6c589d54f2dd2259d745105cedebc3ac2a3951 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 21 Nov 2025 22:33:38 +0000
Subject: [PATCH 3/3] Change files
---
 ...-msal-browser-32e0b932-d6ae-4583-8e28-460258c5a6ca.json | 7 +++++++
 ...e-msal-common-586c8ff0-7f47-4514-b4bb-0b639b5efe59.json | 7 +++++++
 2 files changed, 14 insertions(+)
 create mode 100644 change/@azure-msal-browser-32e0b932-d6ae-4583-8e28-460258c5a6ca.json
 create mode 100644 change/@azure-msal-common-586c8ff0-7f47-4514-b4bb-0b639b5efe59.json
diff --git a/change/@azure-msal-browser-32e0b932-d6ae-4583-8e28-460258c5a6ca.json b/change/@azure-msal-browser-32e0b932-d6ae-4583-8e28-460258c5a6ca.json
new file mode 100644
index 0000000000..b6511f52bf
--- /dev/null
+++ b/change/@azure-msal-browser-32e0b932-d6ae-4583-8e28-460258c5a6ca.json
@@ -0,0 +1,7 @@
+{
+ "type": "none",
+ "comment": "docs: Add security guidance for state parameter usage",
+ "packageName": "@azure/msal-browser",
+ "email": "198982749+Copilot@users.noreply.github.com",
+ "dependentChangeType": "none"
+}
diff --git a/change/@azure-msal-common-586c8ff0-7f47-4514-b4bb-0b639b5efe59.json b/change/@azure-msal-common-586c8ff0-7f47-4514-b4bb-0b639b5efe59.json
new file mode 100644
index 0000000000..dd0e4e7727
--- /dev/null
+++ b/change/@azure-msal-common-586c8ff0-7f47-4514-b4bb-0b639b5efe59.json
@@ -0,0 +1,7 @@
+{
+ "type": "none",
+ "comment": "docs: Add security guidance for state parameter usage",
+ "packageName": "@azure/msal-common",
+ "email": "198982749+Copilot@users.noreply.github.com",
+ "dependentChangeType": "none"
+}