From 9ca1a4e4f9f13d56cde93cab6d83a8bc54f83539 Mon Sep 17 00:00:00 2001
From: James Daniels
Date: Thu, 21 Mar 2024 13:28:57 -0400
Subject: [PATCH] More complex check for authTokenSyncUrl (#8076)
---
 .changeset/green-mugs-protect.md | 5 +++++
 packages/auth/src/platform_browser/index.ts | 23 ++++++++++++++-------
 2 files changed, 20 insertions(+), 8 deletions(-)
 create mode 100644 .changeset/green-mugs-protect.md
diff --git a/.changeset/green-mugs-protect.md b/.changeset/green-mugs-protect.md
new file mode 100644
index 00000000000..38ba2cf9b0f
--- /dev/null
+++ b/.changeset/green-mugs-protect.md
@@ -0,0 +1,5 @@
+---
+'@firebase/auth': patch
+---
+
+Additional protection against misuse of the authTokenSyncURL experiment
diff --git a/packages/auth/src/platform_browser/index.ts b/packages/auth/src/platform_browser/index.ts
index ea14f3d7aba..f94525bfeb7 100644
--- a/packages/auth/src/platform_browser/index.ts
+++ b/packages/auth/src/platform_browser/index.ts
@@ -90,14 +90,21 @@ export function getAuth(app: FirebaseApp = getApp()): Auth {
 });
 
 const authTokenSyncPath = getExperimentalSetting('authTokenSyncURL');
- // Don't allow urls (XSS possibility), only paths on the same domain
- // (starting with a single '/')
- if (authTokenSyncPath && authTokenSyncPath.match(/^\/[^\/].*/)) {
- const mintCookie = mintCookieFactory(authTokenSyncPath);
- beforeAuthStateChanged(auth, mintCookie, () =>
- mintCookie(auth.currentUser)
- );
- onIdTokenChanged(auth, user => mintCookie(user));
+ // Only do the Cookie exchange in a secure context
+ if (
+ authTokenSyncPath &&
+ typeof isSecureContext === 'boolean' &&
+ isSecureContext
+ ) {
+ // Don't allow urls (XSS possibility), only paths on the same domain
+ const authTokenSyncUrl = new URL(authTokenSyncPath, location.origin);
+ if (location.origin === authTokenSyncUrl.origin) {
+ const mintCookie = mintCookieFactory(authTokenSyncUrl.toString());
+ beforeAuthStateChanged(auth, mintCookie, () =>
+ mintCookie(auth.currentUser)
+ );
+ onIdTokenChanged(auth, user => mintCookie(user));
+ }
 }
 
 const authEmulatorHost = getDefaultEmulatorHost('auth');
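Review bot: `new URL(authTokenSyncPath, location.origin)` inside the new secure-context branch can throw a TypeError — for a malformed setting (a constructed example: the bare value `https://`) or whenever `location.origin` is the string `"null"` (sandboxed frames and other opaque origins, where `isSecureContext` can still be true) — so a bad value of the experiment now makes `getAuth()` throw, whereas the old regex check silently ignored it. Since the comment itself treats the setting as untrusted input, parse it defensively and skip the cookie exchange on failure; the fence shows the guarded form. The retained comment `// Don't allow urls (XSS possibility), only paths on the same domain` no longer matches the check, because an absolute same-origin URL now passes the origin comparison; `// Only same-origin targets: cross-origin URLs are rejected so the ID token is never sent elsewhere` describes what is actually enforced. The enclosing `getAuth` starts and ends outside the hunk.
```typescript
  ) {
    // Only same-origin targets: cross-origin URLs are rejected so the ID token is never sent elsewhere
    let authTokenSyncUrl: URL | undefined;
    try {
      authTokenSyncUrl = new URL(authTokenSyncPath, location.origin);
    } catch {
      // Malformed setting or opaque origin: skip the exchange rather than failing getAuth()
    }
    if (authTokenSyncUrl && location.origin === authTokenSyncUrl.origin) {
      // … unchanged: mintCookieFactory / beforeAuthStateChanged / onIdTokenChanged …
    }
  }
```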