golang/pkgsite: improve hostname verification to ensure origin before setting cookie
Updates frontend to only check for `*.go.dev` / `go.dev`, instead of `*go.dev`
Change-Id: I1460aa69f2f032f9a098a22651586bb737927453
GitHub-Last-Rev: 61741be0c1266260ede2bcaa4a3c7990f51e4638
GitHub-Pull-Request: golang/pkgsite#88
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/574655
Reviewed-by: Aviv Keller <telavivkeller@gmail.com>
TryBot-Bypass: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
diff --git a/static/frontend/frontend.ts b/static/frontend/frontend.ts
index 5d32275..26cceff 100644
--- a/static/frontend/frontend.ts
+++ b/static/frontend/frontend.ts
@@ -128,7 +128,7 @@
nextTheme = 'auto';
}
let domain = '';
- if (location.hostname.endsWith('go.dev')) {
+ if (location.hostname === 'go.dev' || location.hostname.endsWith(".go.dev")) {
domain = 'domain=.go.dev;';
}
document.documentElement.setAttribute('data-theme', nextTheme);
@@ -147,7 +147,7 @@
notice?.classList.add('Cookie-notice--visible');
button?.addEventListener('click', () => {
let domain = '';
- if (location.hostname.endsWith('go.dev')) {
+ if (location.hostname === 'go.dev' || location.hostname.endsWith(".go.dev")) {
// Apply the cookie to *.go.dev.
domain = 'domain=.go.dev;';
}
