From 1e114ddaa88b3fc233c0222207666f4fa960974b Mon Sep 17 00:00:00 2001
From: Martha Cryan <martha.cryan326@gmail.com>
Date: Thu, 18 Jun 2026 19:33:40 -0700
Subject: [PATCH 1/2] Add origin as query string to requests to plotlyServerURL

---
 src/plots/plots.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/plots/plots.js b/src/plots/plots.js
index d86c5c7e06b..43227690209 100644
--- a/src/plots/plots.js
+++ b/src/plots/plots.js
@@ -213,7 +213,12 @@ plots.sendDataToCloud = function(gd, serverURL) {
 
     // Open the Cloud login page in a new tab. We keep a reference so we can post
     // the chart back to it once Cloud reports that authentication succeeded.
-    var cloudWindow = window.open(serverURL, '_blank');
+    // Pass the current page's origin as a query string so Cloud knows where to
+    // send the CHART_AUTH_SUCCESS message back to.
+    var uploadUrl = serverURL +
+        (serverURL.indexOf('?') === -1 ? '?' : '&') +
+        'origin=' + encodeURIComponent(window.location.origin);
+    var cloudWindow = window.open(uploadUrl, '_blank');
     if(!cloudWindow) {
         console.error('Unable to open Plotly Cloud (the popup may have been blocked)');
         gd.emit('plotly_exportfail');

From a26650b4338e2a3258f46192e6479f26cf25eb7e Mon Sep 17 00:00:00 2001
From: Martha Cryan <martha.cryan326@gmail.com>
Date: Tue, 23 Jun 2026 18:33:00 -0700
Subject: [PATCH 2/2] Update to use built-in APIs instead of hard-coding query
 strings

---
 src/plots/plots.js | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/plots/plots.js b/src/plots/plots.js
index 43227690209..4bfefec3cef 100644
--- a/src/plots/plots.js
+++ b/src/plots/plots.js
@@ -215,10 +215,9 @@ plots.sendDataToCloud = function(gd, serverURL) {
     // the chart back to it once Cloud reports that authentication succeeded.
     // Pass the current page's origin as a query string so Cloud knows where to
     // send the CHART_AUTH_SUCCESS message back to.
-    var uploadUrl = serverURL +
-        (serverURL.indexOf('?') === -1 ? '?' : '&') +
-        'origin=' + encodeURIComponent(window.location.origin);
-    var cloudWindow = window.open(uploadUrl, '_blank');
+    var uploadUrl = new URL(serverURL);
+    uploadUrl.searchParams.set('origin', window.location.origin);
+    var cloudWindow = window.open(uploadUrl.href, '_blank');
     if(!cloudWindow) {
         console.error('Unable to open Plotly Cloud (the popup may have been blocked)');
         gd.emit('plotly_exportfail');