Skip to content

Enforce authTokenSyncURL being a path and not a url.#8056

Merged
hsubox76 merged 1 commit intomasterfrom
ch-defaults-fix-1
Mar 6, 2024
Merged

Enforce authTokenSyncURL being a path and not a url.#8056
hsubox76 merged 1 commit intomasterfrom
ch-defaults-fix-1

Conversation

@hsubox76
Copy link
Contributor

@hsubox76 hsubox76 commented Mar 5, 2024
edited
Loading

The _authTokenSyncURL property coming from the FIREBASE_DEFAULTS autoinit (for frameworks tooling) should only point to the same domain and be a relative path. Do not set the cookie if this is not a relative path (such as if it is a full url), as this could be a possible vulnerability.

See b/327386166

@changeset-bot
Copy link

changeset-bot bot commented Mar 5, 2024

🦋 Changeset detected

Latest commit: d8cac08

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
@firebase/auth Patch
@firebase/auth-compat Patch
firebase Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@hsubox76 hsubox76 requested a review from jamesdaniels March 5, 2024 18:44
@google-oss-bot
Copy link
Collaborator

google-oss-bot commented Mar 5, 2024

Size Report 1

Affected Products

  • @firebase/auth

    TypeBase (e60188d)Merge (0088e11)Diff
    browser177 kB177 kB+38 B (+0.0%)
    esm5231 kB231 kB+38 B (+0.0%)
    module177 kB177 kB+38 B (+0.0%)

  • @firebase/auth/internal

    TypeBase (e60188d)Merge (0088e11)Diff
    browser188 kB188 kB+38 B (+0.0%)
    esm5244 kB244 kB+38 B (+0.0%)
    module188 kB188 kB+38 B (+0.0%)

  • bundle

    TypeBase (e60188d)Merge (0088e11)Diff
    auth (GoogleFBTwitterGitHubPopup)101 kB101 kB+19 B (+0.0%)

  • firebase

    TypeBase (e60188d)Merge (0088e11)Diff
    firebase-auth.js147 kB147 kB+19 B (+0.0%)

Test Logs

  1. https://storage.googleapis.com/firebase-sdk-metric-reports/98RFFgD1tY.html

@google-oss-bot
Copy link
Collaborator

google-oss-bot commented Mar 5, 2024

Size Analysis Report 1

Affected Products

  • @firebase/auth

    • getAuth

      Size

      TypeBase (e60188d)Merge (0088e11)Diff
      size72.4 kB72.4 kB+19 B (+0.0%)
      size-with-ext-deps100 kB100 kB+19 B (+0.0%)

Test Logs

  1. https://storage.googleapis.com/firebase-sdk-metric-reports/iB521IhizP.html

@hsubox76 hsubox76 merged commit 245dd26 into master Mar 6, 2024
@hsubox76 hsubox76 deleted the ch-defaults-fix-1 branch March 6, 2024 18:19
@hsubox76 hsubox76 mentioned this pull request Mar 8, 2024
Merged
@google-oss-bot google-oss-bot mentioned this pull request Mar 11, 2024
Merged
@FujiKinaga FujiKinaga mentioned this pull request Mar 27, 2024
Closed
1 task
@firebase firebase locked and limited conversation to collaborators Apr 6, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@jamesdaniels jamesdaniels jamesdaniels approved these changes

@DellaBitta DellaBitta DellaBitta approved these changes

@lisajian lisajian Awaiting requested review from lisajian

@Xiaoshouzi-gh Xiaoshouzi-gh Awaiting requested review from Xiaoshouzi-gh

@renkelvin renkelvin Awaiting requested review from renkelvin

@sam-gc sam-gc Awaiting requested review from sam-gc

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@hsubox76 @google-oss-bot @jamesdaniels @DellaBitta