From 8577eb2a80731ba89b35c8f923319ecdb1b5572c Mon Sep 17 00:00:00 2001
From: Christina Holland <chholland@google.com>
Date: Fri, 8 Mar 2024 14:54:15 -0800
Subject: [PATCH 1/2] Do not allow double slashes

---
 packages/auth/src/platform_browser/index.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/auth/src/platform_browser/index.ts b/packages/auth/src/platform_browser/index.ts
index 2d21c768454..ea14f3d7aba 100644
--- a/packages/auth/src/platform_browser/index.ts
+++ b/packages/auth/src/platform_browser/index.ts
@@ -91,8 +91,8 @@ export function getAuth(app: FirebaseApp = getApp()): Auth {
 
   const authTokenSyncPath = getExperimentalSetting('authTokenSyncURL');
   // Don't allow urls (XSS possibility), only paths on the same domain
-  // (starting with '/')
-  if (authTokenSyncPath && authTokenSyncPath.startsWith('/')) {
+  // (starting with a single '/')
+  if (authTokenSyncPath && authTokenSyncPath.match(/^\/[^\/].*/)) {
     const mintCookie = mintCookieFactory(authTokenSyncPath);
     beforeAuthStateChanged(auth, mintCookie, () =>
       mintCookie(auth.currentUser)

From af52435a9d239ae51b8e219f9d8dea5d579c72dc Mon Sep 17 00:00:00 2001
From: Christina Holland <chholland@google.com>
Date: Fri, 8 Mar 2024 14:56:07 -0800
Subject: [PATCH 2/2] changeset

---
 .changeset/bright-avocados-attack.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/bright-avocados-attack.md

diff --git a/.changeset/bright-avocados-attack.md b/.changeset/bright-avocados-attack.md
new file mode 100644
index 00000000000..b5292466b52
--- /dev/null
+++ b/.changeset/bright-avocados-attack.md
@@ -0,0 +1,5 @@
+---
+'@firebase/auth': patch
+---
+
+Do not allow double slash at beginning of authTokenSyncURL. (follow-up fix to https://github.com/firebase/firebase-js-sdk/pull/8056)