From 54cb464a1cab9b261db48af7ac5fa74e9ee08c2a Mon Sep 17 00:00:00 2001
From: Jonas Hungershausen
Date: Mon, 26 Aug 2024 09:50:34 +0000
Subject: [PATCH] chore: don't return allowed return URLs (#4044)

---
 x/http_secure_redirect.go | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/x/http_secure_redirect.go b/x/http_secure_redirect.go
index 9851abc0f53e..1b86b00940db 100644
--- a/x/http_secure_redirect.go
+++ b/x/http_secure_redirect.go
@@ -17,8 +17,6 @@ import (
 	"github.com/ory/x/stringsx"
 	"github.com/ory/x/urlx"
 
-	"github.com/samber/lo"
-
 	"github.com/ory/kratos/driver/config"
 )
 
@@ -145,10 +143,8 @@ func SecureRedirectTo(r *http.Request, defaultReturnTo *url.URL, opts ...SecureR
 
 	return nil, errors.WithStack(herodot.ErrBadRequest.
 		WithID(text.ErrIDRedirectURLNotAllowed).
-		WithReasonf("Requested return_to URL %q is not allowed.", returnTo).
-		WithDebugf("Allowed domains are: %v", strings.Join(lo.Map(o.allowlist, func(u url.URL, _ int) string {
-			return u.String()
-		}), ", ")))
+		WithReasonf("Requested return_to URL %q is not allowed.", returnTo),
+	)
 }
 
 func SecureContentNegotiationRedirection(
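Review bot: The rewritten error construction in the second hunk drops the `WithDebugf` that enumerated `o.allowlist` to the caller, but nothing in the code records why, so a later maintainer debugging a rejected `return_to` is likely to re-add it. I would put a one-line comment above the `return nil, errors.WithStack(` line: `// Deliberately no WithDebugf listing o.allowlist: the error reaches the client, and disclosing the configured redirect domains helps an attacker probe for a permissive entry.` The remaining `WithReasonf("Requested return_to URL %q is not allowed.", returnTo)` still echoes the caller-supplied URL back in the response; `%q` quotes it, so this is fine for a JSON body, but any HTML renderer of this reason must escape it itself. `SecureRedirectTo` begins outside the hunk, and I cannot see whether `strings` is still used elsewhere in the file now that `strings.Join` is gone; the compiler will reject an unused import, so this is presumably covered by the build.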