I'd like to know whether the Firebase function getAuth() somehow checks that the site link which originally issued the token is the same one requesting the auth state.
I'm worried that if a malicious site somehow obtains my Firebase.io link and runs a simple getAuth() in the same browser as my Firebase-based backend site, it would be able to access the Firebase tokens issued to my site's users.
Any thoughts on this would be appreciated.
Answer 0 (score: 2)
Note: I work at Firebase
Firebase Authentication sessions are stored using LocalStorage accessible only to your domain. This means that the sessions are not accessible from domains outside of your control.
If you're using OAuth (Google, Facebook, Twitter, or GitHub login), then authentication is further restricted to your domain via our OAuth configuration in your Firebase dashboard, where you must explicitly authorize domains for access.
Users of email / password authentication can authenticate from any source, provided that the user has access to the password. In short, we ensure that the sessions stored for your domain are not accessible elsewhere. Our top priorities for this product are data security and making that security available to you (as the developer) easily and as the default.
If you have additional concerns that are sensitive for any reason, don't hesitate to reach out to me rob at firebase.com.