Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

More complex check for authTokenSyncUrl #8076

Merged
merged 6 commits into from
Mar 21, 2024
Merged

More complex check for authTokenSyncUrl #8076

merged 6 commits into from
Mar 21, 2024

Conversation

jamesdaniels
Copy link
Member

@jamesdaniels jamesdaniels commented Mar 14, 2024
edited
Loading

  • Don't allow insecure context, unless localhost
  • Protect against escaping hacks by instantiating a new URL instance

b/327386166

FYI @hsubox76

Q, should we guard against isSecureContext not being available? Can I use isSecureContext?

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Mar 14, 2024
edited
Loading

🦋 Changeset detected

Latest commit: 939a060

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
@firebase/auth Patch
@firebase/auth-compat Patch
firebase Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Mar 14, 2024
edited
Loading

Changeset File Check ✅

  • No modified packages are missing from the changeset file.
  • No changeset formatting errors detected.

@jamesdaniels jamesdaniels requested review from a team as code owners March 14, 2024 16:12
@google-oss-bot
Copy link
Contributor

google-oss-bot commented Mar 14, 2024
edited
Loading

Size Report 1

Affected Products

  • @firebase/auth

    TypeBase (1eb302f)Merge (a074812)Diff
    browser177 kB178 kB+137 B (+0.1%)
    esm5231 kB231 kB+135 B (+0.1%)
    module177 kB178 kB+137 B (+0.1%)

  • @firebase/auth/internal

    TypeBase (1eb302f)Merge (a074812)Diff
    browser188 kB188 kB+137 B (+0.1%)
    esm5244 kB245 kB+135 B (+0.1%)
    module188 kB188 kB+137 B (+0.1%)

  • bundle

    TypeBase (1eb302f)Merge (a074812)Diff
    auth (GoogleFBTwitterGitHubPopup)101 kB101 kB+108 B (+0.1%)

  • firebase

    TypeBase (1eb302f)Merge (a074812)Diff
    firebase-auth.js147 kB148 kB+107 B (+0.1%)

Test Logs

  1. https://storage.googleapis.com/firebase-sdk-metric-reports/L76Ue7M1uP.html

@google-oss-bot
Copy link
Contributor

google-oss-bot commented Mar 14, 2024
edited
Loading

Size Analysis Report 1

Affected Products

  • @firebase/auth

    • getAuth

      Size

      TypeBase (1eb302f)Merge (a074812)Diff
      size72.4 kB72.5 kB+108 B (+0.1%)
      size-with-ext-deps100 kB100 kB+108 B (+0.1%)

Test Logs

  1. https://storage.googleapis.com/firebase-sdk-metric-reports/MhgL2oQFiE.html

@hsubox76
Copy link
Contributor

Q, should we guard against isSecureContext not being available? Can I use isSecureContext?

I think we should. Sure, this is the browser bundle and it should never be run in Node, and the chart seems to cover all the browsers we support but I'm never sure about extensions, iframes, jsdom, and bad SSR configs where they end up pulling in the browser bundle in Node.

@hsubox76 hsubox76 merged commit 9ca1a4e into master Mar 21, 2024
44 checks passed
@hsubox76 hsubox76 deleted the jamesdanielsMoreComplexAuthTokenSyncCheck branch March 21, 2024 17:28
@google-oss-bot google-oss-bot mentioned this pull request Mar 26, 2024
Merged
@firebase firebase locked and limited conversation to collaborators Apr 21, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@hsubox76 hsubox76 hsubox76 approved these changes

@lisajian lisajian Awaiting requested review from lisajian

@Xiaoshouzi-gh Xiaoshouzi-gh Awaiting requested review from Xiaoshouzi-gh

@renkelvin renkelvin Awaiting requested review from renkelvin

@sam-gc sam-gc Awaiting requested review from sam-gc

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jamesdaniels @google-oss-bot @hsubox76