From 466fe816d519696034e3be5565e00353095bb61d Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Sat, 18 Aug 2018 22:41:55 -0400
Subject: [PATCH] docs: security.md: Fix navigation lockdown example code (#14185)

The `url` module is not a constructor; change `require('url')` to `require('url').URL`. Also, check the entire origin rather than just the hostname, since otherwise `http://my-own-server.com` is allowed in addition to `https://my-own-server.com`, in violation of point 1 (only load secure content).

Signed-off-by: Anders Kaseorg
---
 docs/tutorial/security.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/tutorial/security.md b/docs/tutorial/security.md
index 8881f692437f..deb6207393b0 100644
--- a/docs/tutorial/security.md
+++ b/docs/tutorial/security.md
@@ -612,13 +612,13 @@ sometimes be fooled - a `startsWith('https://google.com')` test would let
 `https://google.com.attacker.com` through.
 
 ```js
-const URL = require('url')
+const URL = require('url').URL
 
 app.on('web-contents-created', (event, contents) => {
   contents.on('will-navigate', (event, navigationUrl) => {
     const parsedUrl = new URL(navigationUrl)
 
-    if (parsedUrl.hostname !== 'my-own-server.com') {
+    if (parsedUrl.origin !== 'https://my-own-server.com') {
       event.preventDefault()
     }
   })