From fec1613713e99d71bb354ce2ac1331195de2e626 Mon Sep 17 00:00:00 2001
From: dyzulk <66510723+dyzulk@users.noreply.github.com>
Date: Mon, 12 Jan 2026 08:47:23 +0700
Subject: [PATCH] Security: Add fail-safe current domain validation to QR scanner
---
 js/qr-scanner.js | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/js/qr-scanner.js b/js/qr-scanner.js
index 1f31609..da06a0e 100644
--- a/js/qr-scanner.js
+++ b/js/qr-scanner.js
@@ -33,11 +33,14 @@ function handleDecodedText(decodedText) {
 if (decodedText.startsWith('http://') || decodedText.startsWith('https://')) {
 const url = new URL(decodedText);
 const hostname = url.hostname;
+ const currentHostname = window.location.hostname;

- // SECURITY CHECK: Check against Allowed Domains
- const isAllowed = brandConfig.allowedDomains.some(domain =>
+ // SECURITY CHECK:
+ // 1. Fail-safe: Always allow current domain
+ // 2. Config: Allow domains in whitelist
+ const isAllowed = (hostname === currentHostname) || (brandConfig.allowedDomains && brandConfig.allowedDomains.some(domain =>
 hostname === domain || hostname.endsWith('.' + domain)
- );
+ ));
 if (isAllowed) {
 scannedUrl = decodedText; // Store for redirection
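Review bot: The new fail-safe on the `isAllowed` line compares only `hostname === currentHostname`, so a scanned `http://` link, or a link to another port on the same host, is accepted as the "current domain" even though it is a different origin from the page. Comparing origins keeps the fail-safe to the page's own origin: replace the first operand with `url.origin === window.location.origin`. The allowlist branch also ignores the scheme, so if the site is HTTPS-only it may be worth requiring `url.protocol === 'https:'` before either check. Storing `url.href` instead of the raw `decodedText` in `scannedUrl` would make sure the value used for redirection is the one that was validated. `handleDecodedText` starts and ends outside the hunk, so it is not visible here whether `new URL()` is wrapped in a try/catch.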