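--- /dev/null
+++ b/<CHANGESET-FILE-PATH-NOT-ON-PAGE>
@@ -0,0 +1,5 @@
+---
+' @firebase/auth ' : patch
+---
+
+Additional protection against misuse of the authTokenSyncURL experiment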
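--- a/packages/auth/src/platform_browser/<FILENAME-NOT-ON-PAGE>
+++ b/packages/auth/src/platform_browser/<FILENAME-NOT-ON-PAGE>
@@ -90,14 +90,21 @@ export function getAuth(app: FirebaseApp = getApp()): Auth {
 } ) ;
 
 const authTokenSyncPath = getExperimentalSetting ( 'authTokenSyncURL' ) ;
-// Don't allow urls (XSS possibility), only paths on the same domain
-// (starting with a single '/')
-if ( authTokenSyncPath && authTokenSyncPath . match ( / ^ \/ [ ^ \/ ] .* / ) ) {
-const mintCookie = mintCookieFactory ( authTokenSyncPath ) ;
-beforeAuthStateChanged ( auth , mintCookie , ( ) =>
-mintCookie ( auth . currentUser )
-) ;
-onIdTokenChanged ( auth , user => mintCookie ( user ) ) ;
+// Only do the Cookie exchange in a secure context
+if (
+authTokenSyncPath &&
+typeof isSecureContext === 'boolean' &&
+isSecureContext
+) {
+// Don't allow urls (XSS possibility), only paths on the same domain
+const authTokenSyncUrl = new URL ( authTokenSyncPath , location . origin ) ;
+if ( location . origin === authTokenSyncUrl . origin ) {
+const mintCookie = mintCookieFactory ( authTokenSyncUrl . toString ( ) ) ;
+beforeAuthStateChanged ( auth , mintCookie , ( ) =>
+mintCookie ( auth . currentUser )
+) ;
+onIdTokenChanged ( auth , user => mintCookie ( user ) ) ;
+}
 }
 
 const authEmulatorHost = getDefaultEmulatorHost ( 'auth' ) ;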
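Review bot: `new URL(authTokenSyncPath, location.origin)` on new line 100 can throw a TypeError, and nothing catches it, so a bad experiment value would propagate out of getAuth() and break auth initialisation instead of merely skipping the cookie sync: the constructor rejects unparsable input, and in an opaque-origin context (e.g. a sandboxed iframe, where `location.origin` is the string `'null'`) the base itself is invalid even though isSecureContext can still be true. A misconfigured setting should fail closed — no cookie exchange — rather than take down getAuth, so wrap the parse and treat a failure exactly like an origin mismatch, as in the excerpt below. The kept comment `// Don't allow urls (XSS possibility), only paths on the same domain` no longer describes the check, which now accepts absolute same-origin URLs and rejects by resolved origin rather than by string shape (protocol-relative `//host/...` and scheme-prefixed values resolve to a different or null origin and are dropped); I would reword it to `// Only allow targets that resolve to this page's origin; anything else is skipped`. The origin-mismatch branch is also silent, so a developer who sets a cross-origin value gets no signal that the sync was disabled — a warning on that path would help, if this file has a logging helper. getAuth's body continues outside the hunk.
```typescript
    // Only allow targets that resolve to this page's origin; anything else is skipped.
    // new URL() throws on unparsable input or an opaque ('null') base origin;
    // treat that as "not same-origin" rather than letting getAuth() fail.
    let authTokenSyncUrl: URL | undefined;
    try {
      authTokenSyncUrl = new URL(authTokenSyncPath, location.origin);
    } catch {
      authTokenSyncUrl = undefined;
    }
    if (authTokenSyncUrl && location.origin === authTokenSyncUrl.origin) {
      // … unchanged: mintCookieFactory / beforeAuthStateChanged / onIdTokenChanged wiring …
    }
```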