8000 Enforce authTokenSyncURL being a path and not a url. by hsubox76 · Pull Request #8056 · firebase/firebase-js-sdk · GitHub
[go: up one dir, main page]
Skip to content

Enforce authTokenSyncURL being a path and not a url. #8056

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 6, 2024
Merged

Enforce authTokenSyncURL being a path and not a url. #8056

merged 1 commit into from
Mar 6, 2024

Conversation

hsubox76
Copy link
Contributor 8000
@hsubox76 hsubox76 commented Mar 5, 2024
edited
Loading

The _authTokenSyncURL property coming from the FIREBASE_DEFAULTS autoinit (for frameworks tooling) should only point to the same domain and be a relative path. Do not set the cookie if this is not a relative path (such as if it is a full url), as this could be a possible vulnerability.

See b/327386166

@changeset-bot changeset-bot
Copy link
changeset-bot bot commented Mar 5, 2024

🦋 Changeset detected

Latest commit: d8cac08

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
@firebase/auth Patch
@firebase/auth-compat Patch
firebase Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@hsubox76 hsubox76 requested a review from jamesdaniels March 5, 2024 18:44
@google-oss-bot
Copy link
Contributor

Size Report 1

Affected Products

  • @firebase/auth

    TypeBase (e60188d)Merge (0088e11)Diff
    browser177 kB177 kB+38 B (+0.0%)
    esm5231 kB231 kB+38 B (+0.0%)
    module177 kB177 kB+38 B (+0.0%)

  • @firebase/auth/internal

    TypeBase (e60188d)Merge (0088e11)Diff
    browser188 kB188 kB+38 B (+0.0%)
    esm5244 kB244 kB+38 B (+0.0%)
    module188 kB188 kB+38 B (+0.0%)

  • bundle

    TypeBase (e60188d)Merge (0088e11)Diff
    auth (GoogleFBTwitterGitHubPopup)101 kB101 kB+19 B (+0.0%)

  • firebase

    TypeBase (e60188d)Merge (0088e11)Diff
    firebase-auth.js147 kB147 kB+19 B (+0.0%)

Test Logs

  1. https://storage.googleapis.com/firebase-sdk-metric-reports/98RFFgD1tY.html

@google-oss-bot
Copy link
Contributor

Size Analysis Report 1

Affected Products

  • @firebase/auth

    • getAuth

      Size

      TypeBase (e60188d)Merge (0088e11)Diff
      size72.4 kB72.4 kB+19 B (+0.0%)
      size-with-ext-deps100 kB100 kB+19 B (+0.0%)

Test Logs

  1. https://storage.googleapis.com/firebase-sdk-metric-reports/iB521IhizP.html

@hsubox76 hsubox76 merged commit 245dd26 into master Mar 6, 2024
@hsubox76 hsubox76 deleted the ch-defaults-fix-1 branch March 6, 2024 18:19
@hsubox76 hsubox76 mentioned this pull request Mar 8, 2024
Merged
@google-oss-bot google-oss-bot mentioned this pull request Mar 11, 2024
Merged
@FujiKinaga FujiKinaga mentioned this pull request Mar 27, 2024
Closed
1 task
@firebase firebase locked and limited conversation to collaborators Apr 6, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@jamesdaniels jamesdaniels jamesdaniels approved these changes

@DellaBitta DellaBitta DellaBitta approved these changes

@lisajian lisajian Awaiting requested review from lisajian

@Xiaoshouzi-gh Xiaoshouzi-gh Awaiting requested review from Xiaoshouzi-gh

@renkelvin renkelvin Awaiting requested review from renkelvin

@sam-gc sam-gc Awaiting requested review from sam-gc

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@hsubox76 @google-oss-bot @jamesdaniels @DellaBitta
0