More complex check for authTokenSyncUrl

.changeset/green-mugs-protect.md

@@ -0,0 +1,5 @@
+---
+'@firebase/auth': patch
+---
+
+Additional protection against misuse of the authTokenSyncURL experiment

packages/auth/src/platform_browser/index.ts

@@ -90,14 +90,21 @@ export function getAuth(app: FirebaseApp = getApp()): Auth {
   });
 
   const authTokenSyncPath = getExperimentalSetting('authTokenSyncURL');
-  // Don't allow urls (XSS possibility), only paths on the same domain
-  // (starting with a single '/')
-  if (authTokenSyncPath && authTokenSyncPath.match(/^\/[^\/].*/)) {
-    const mintCookie = mintCookieFactory(authTokenSyncPath);
-    beforeAuthStateChanged(auth, mintCookie, () =>
-      mintCookie(auth.currentUser)
+  if (authTokenSyncPath) {
+    // Reduce the chances of an XSS attack by only allowing secure contexts or the same origin.
+    const isLocalHost = ['localhost', '127.0.0.1', '0.0.0.0'].includes(
+      location.hostname
     );
-    onIdTokenChanged(auth, user => mintCookie(user));
+    if (isSecureContext || isLocalHost) {
+      const authTokenSyncUrl = new URL(authTokenSyncPath, location.origin);
+      if (location.origin === authTokenSyncUrl.origin) {
+        const mintCookie = mintCookieFactory(authTokenSyncUrl.toString());
+        beforeAuthStateChanged(auth, mintCookie, () =>
+          mintCookie(auth.currentUser)
+        );
+        onIdTokenChanged(auth, user => mintCookie(user));
+      }
+    }
   }
 
   const authEmulatorHost = getDefaultEmulatorHost('auth');