From 245dd26e19b6c16aca7e1b7e597ed5784c2984ba Mon Sep 17 00:00:00 2001
From: Christina Holland
Date: Wed, 6 Mar 2024 10:19:40 -0800
Subject: [PATCH] Enforce authTokenSyncURL being a path and not a url. (#8056)

---
 .changeset/thirty-otters-hug.md             | 5 +++++
 packages/auth/src/platform_browser/index.ts | 8 +++++---
 2 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 .changeset/thirty-otters-hug.md

diff --git a/.changeset/thirty-otters-hug.md b/.changeset/thirty-otters-hug.md
new file mode 100644
index 00000000000..6dd0c7e0059
--- /dev/null
+++ b/.changeset/thirty-otters-hug.md
@@ -0,0 +1,5 @@
+---
+'@firebase/auth': patch
+---
+
+Fix possible XSS vulnerability through **FIREBASE_DEFAULTS** settings.
diff --git a/packages/auth/src/platform_browser/index.ts b/packages/auth/src/platform_browser/index.ts
index 6399072d713..2d21c768454 100644
--- a/packages/auth/src/platform_browser/index.ts
+++ b/packages/auth/src/platform_browser/index.ts
@@ -89,9 +89,11 @@ export function getAuth(app: FirebaseApp = getApp()): Auth {
     ]
   });
 
-  const authTokenSyncUrl = getExperimentalSetting('authTokenSyncURL');
-  if (authTokenSyncUrl) {
-    const mintCookie = mintCookieFactory(authTokenSyncUrl);
+  const authTokenSyncPath = getExperimentalSetting('authTokenSyncURL');
+  // Don't allow urls (XSS possibility), only paths on the same domain
+  // (starting with '/')
+  if (authTokenSyncPath && authTokenSyncPath.startsWith('/')) {
+    const mintCookie = mintCookieFactory(authTokenSyncPath);
     beforeAuthStateChanged(auth, mintCookie, () =>
       mintCookie(auth.currentUser)
     );
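Review bot: The new `startsWith('/')` guard still admits protocol-relative values such as `//host/path`, and browsers also treat a leading `/\` as protocol-relative for http(s), so the check does not yet guarantee the same-origin path the comment promises. A tighter test that requires a single leading slash would be `if (authTokenSyncPath && /^\/(?![/\\])/.test(authTokenSyncPath)) {`, with the comment updated to `// Only allow same-origin paths: a single leading '/', not '//' or '/\' (protocol-relative)`. If `getExperimentalSetting` can return a non-string value, `.startsWith` would throw here, so guarding on `typeof authTokenSyncPath === 'string'` first would be worth confirming against its declared return type. The enclosing `getAuth` function begins before this hunk.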