isSecureContext checks for localhost

jamesdaniels · jamesdaniels · commit 5645307874f8 · 2024-03-14T12:44:53.000-04:00
diff --git a/packages/auth/src/platform_browser/index.ts b/packages/auth/src/platform_browser/index.ts
@@ -90,20 +90,14 @@ export function getAuth(app: FirebaseApp = getApp()): Auth {
   });
 
   const authTokenSyncPath = getExperimentalSetting('authTokenSyncURL');
-  if (authTokenSyncPath) {
-    // Reduce the chances of an XSS attack by only allowing secure contexts or the same origin.
-    const isLocalHost = ['localhost', '127.0.0.1', '0.0.0.0'].includes(
-      location.hostname
-    );
-    if (isSecureContext || isLocalHost) {
-      const authTokenSyncUrl = new URL(authTokenSyncPath, location.origin);
-      if (location.origin === authTokenSyncUrl.origin) {
-        const mintCookie = mintCookieFactory(authTokenSyncUrl.toString());
-        beforeAuthStateChanged(auth, mintCookie, () =>
-          mintCookie(auth.currentUser)
-        );
-        onIdTokenChanged(auth, user => mintCookie(user));
-      }
+  if (authTokenSyncPath && isSecureContext) {
+    const authTokenSyncUrl = new URL(authTokenSyncPath, location.origin);
+    if (location.origin === authTokenSyncUrl.origin) {
+      const mintCookie = mintCookieFactory(authTokenSyncUrl.toString());
+      beforeAuthStateChanged(auth, mintCookie, () =>
+        mintCookie(auth.currentUser)
+      );
+      onIdTokenChanged(auth, user => mintCookie(user));
     }
   }
 
