More complex check for authTokenSyncUrl (#8076)

jamesdaniels · web-flow · commit 9ca1a4e4f9f1 · 2024-03-21T10:28:57.000-07:00
diff --git a/.changeset/green-mugs-protect.md b/.changeset/green-mugs-protect.md
@@ -0,0 +1,5 @@
+---
+'@firebase/auth': patch
+---
+
+Additional protection against misuse of the authTokenSyncURL experiment
diff --git a/packages/auth/src/platform_browser/index.ts b/packages/auth/src/platform_browser/index.ts
@@ -90,14 +90,21 @@ export function getAuth(app: FirebaseApp = getApp()): Auth {
   });
 
   const authTokenSyncPath = getExperimentalSetting('authTokenSyncURL');
-  // Don't allow urls (XSS possibility), only paths on the same domain
-  // (starting with a single '/')
-  if (authTokenSyncPath && authTokenSyncPath.match(/^\/[^\/].*/)) {
-    const mintCookie = mintCookieFactory(authTokenSyncPath);
-    beforeAuthStateChanged(auth, mintCookie, () =>
-      mintCookie(auth.currentUser)
-    );
-    onIdTokenChanged(auth, user => mintCookie(user));
+  // Only do the Cookie exchange in a secure context
+  if (
+    authTokenSyncPath &&
+    typeof isSecureContext === 'boolean' &&
+    isSecureContext
+  ) {
+    // Don't allow urls (XSS possibility), only paths on the same domain
+    const authTokenSyncUrl = new URL(authTokenSyncPath, location.origin);
+    if (location.origin === authTokenSyncUrl.origin) {
+      const mintCookie = mintCookieFactory(authTokenSyncUrl.toString());
+      beforeAuthStateChanged(auth, mintCookie, () =>
+        mintCookie(auth.currentUser)
+      );
+      onIdTokenChanged(auth, user => mintCookie(user));
+    }
   }
 
   const authEmulatorHost = getDefaultEmulatorHost('auth');
