From b3e239792e07910597369fe5f96e9f3efce701aa Mon Sep 17 00:00:00 2001
From: BrunoQuaresma
Date: Thu, 8 May 2025 12:38:20 +0000
Subject: [PATCH 1/2] fix: do not share token with http app urls
---
 site/src/modules/resources/AppLink/AppLink.tsx | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/site/src/modules/resources/AppLink/AppLink.tsx b/site/src/modules/resources/AppLink/AppLink.tsx
index 5c4209a8f72c7..3298431c7bb1f 100644
--- a/site/src/modules/resources/AppLink/AppLink.tsx
+++ b/site/src/modules/resources/AppLink/AppLink.tsx
@@ -17,6 +17,7 @@ import { generateRandomString } from "utils/random";
 import { AgentButton } from "../AgentButton";
 import { BaseIcon } from "./BaseIcon";
 import { ShareIcon } from "./ShareIcon";
+import { url } from "node:inspector";
 export const DisplayAppNameMap: Record = {
 port_forwarding_helper: "Ports",
@@ -106,7 +107,11 @@ export const AppLink: FC = ({ app, workspace, agent }) => {
 event.preventDefault();
- if (app.external) {
+ // HTTP links should never need the session token, since Cookies
+ // handle sharing it when you access the Coder Dashboard. We should
+ // never be forwarding the bare session token to other domains!
+ const isHttp = app.url?.startsWith("http");
+ if (app.external && !isHttp) {
 // This is a magic undocumented string that is replaced
 // with a brand-new session token from the backend.
 // This only exists for external URLs, and should only
From 4e15cde695e3f212b64e47ffac93be1ff2d95564 Mon Sep 17 00:00:00 2001
From: BrunoQuaresma
Date: Thu, 8 May 2025 12:41:40 +0000
Subject: [PATCH 2/2] FMT
---
 site/src/modules/resources/AppLink/AppLink.tsx | 1 -
 1 file changed, 1 deletion(-)
diff --git a/site/src/modules/resources/AppLink/AppLink.tsx b/site/src/modules/resources/AppLink/AppLink.tsx
index 3298431c7bb1f..0e94335ba0c43 100644
--- a/site/src/modules/resources/AppLink/AppLink.tsx
+++ b/site/src/modules/resources/AppLink/AppLink.tsx
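Review bot: The `app.url?.startsWith("http")` test that now guards the session-token substitution in the second hunk of PATCH 1/2 is a case-sensitive string prefix rather than a scheme check, so a URL written as `HTTPS://…` or carrying leading whitespace is still classified as non-HTTP and keeps receiving the token, although URL parsers normalise both forms to an ordinary https request. Taking the scheme from the parsed URL closes that gap and fails closed when the value does not parse: `const scheme = URL.canParse(app.url ?? "") ? new URL(app.url ?? "").protocol : undefined;` followed by `if (app.external && scheme !== undefined && scheme !== "http:" && scheme !== "https:") {`. As far as this hunk shows the check lives only in the dashboard click handler, so it is worth confirming that whatever performs the replacement cannot also run for HTTP(S) targets on another path. The handler starts before the hunk and the body of the `if` continues after it, so what now happens to an external HTTP app that skips this branch is not visible here.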
@@ -17,7 +17,6 @@ import { generateRandomString } from "utils/random";
 import { AgentButton } from "../AgentButton";
 import { BaseIcon } from "./BaseIcon";
 import { ShareIcon } from "./ShareIcon";
-import { url } from "node:inspector";
 export const DisplayAppNameMap: Record = {
 port_forwarding_helper: "Ports",