Remove third party auth redirect URI domain check.

remoting/webapp/third_party_token_fetcher.js

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 /**
  * @fileoverview
  * Third party authentication support for the remoting web-app.
  *
  * When third party authentication is being used, the client must request both a
  * token and a shared secret from a third-party server. The server can then
@@ skipping 70 matching lines @@
 /**
  * Parse the access token from the URL to which we were redirected.
  *
  * @param {string} responseUrl The URL to which we were redirected.
  * @private
  */
 remoting.ThirdPartyTokenFetcher.prototype.parseRedirectUrl_ =
     function(responseUrl) {
   var token = '';
   var sharedSecret = '';
-  if (responseUrl &&
-      responseUrl.search(this.redirectUri_ + '#') == 0) {
-    var query = responseUrl.substring(this.redirectUri_.length + 1);
-    var parts = query.split('&');
-    /** @type {Object.<string>} */
-    var queryArgs = {};
-    for (var i = 0; i < parts.length; i++) {
-      var pair = parts[i].split('=');
-      queryArgs[decodeURIComponent(pair[0])] = decodeURIComponent(pair[1]);
-    }
+  var query = responseUrl.substring(responseUrl.search('#') + 1);

[Wez, 2013/08/09 00:35:28]

Old code coped with an empty responseUrl - don't we still need to cope with
that, e.g. w/ the URL not containing a '#' character?

[rmsousa, 2013/08/09 01:44:00]

being pedantic: the new code was also (accidentally) coping with those cases
(substring would return "" in either case)

But given that an empty string is a special case (appsv2 will send that when the
user closes the window without authenticating), yeah, we should handle it more
clearly.

+  var parts = query.split('&');
+  /** @type {Object.<string>} */
+  var queryArgs = {};
+  for (var i = 0; i < parts.length; i++) {
+    var pair = parts[i].split('=');
+    queryArgs[decodeURIComponent(pair[0])] = decodeURIComponent(pair[1]);
+  }
 
-    // Check that 'state' contains the same XSRF token we sent in the request.
-    var xsrfToken = queryArgs['state'];
-    if (xsrfToken == this.xsrfToken_ &&
-        'code' in queryArgs && 'access_token' in queryArgs) {
-      // Terminology note:
-      // In the OAuth code/token exchange semantics, 'code' refers to the value
-      // obtained when the *user* authenticates itself, while 'access_token' is
-      // the value obtained when the *application* authenticates itself to the
-      // server ("implicitly", by receiving it directly in the URL fragment, or
-      // explicitly, by sending the 'code' and a 'client_secret' to the server).
-      // Internally, the piece of data obtained when the user authenticates
-      // itself is called the 'token', and the one obtained when the host
-      // authenticates itself (using the 'token' received from the client and
-      // its private key) is called the 'shared secret'.
-      // The client implicitly authenticates itself, and directly obtains the
-      // 'shared secret', along with the 'token' from the redirect URL fragment.
-      token = queryArgs['code'];
-      sharedSecret = queryArgs['access_token'];
-    }
+  // Check that 'state' contains the same XSRF token we sent in the request.
+  var xsrfToken = queryArgs['state'];
+  if (xsrfToken == this.xsrfToken_ &&
+      'code' in queryArgs && 'access_token' in queryArgs) {
+    // Terminology note:
+    // In the OAuth code/token exchange semantics, 'code' refers to the value
+    // obtained when the *user* authenticates itself, while 'access_token' is
+    // the value obtained when the *application* authenticates itself to the
+    // server ("implicitly", by receiving it directly in the URL fragment, or
+    // explicitly, by sending the 'code' and a 'client_secret' to the server).
+    // Internally, the piece of data obtained when the user authenticates
+    // itself is called the 'token', and the one obtained when the host
+    // authenticates itself (using the 'token' received from the client and
+    // its private key) is called the 'shared secret'.
+    // The client implicitly authenticates itself, and directly obtains the
+    // 'shared secret', along with the 'token' from the redirect URL fragment.
+    token = queryArgs['code'];
+    sharedSecret = queryArgs['access_token'];
   }
   this.onThirdPartyTokenFetched_(token, sharedSecret);
 };
 
 /**
  * Build a full token request URL from the parameters in this object.
  *
  * @return {string} Full URL to request a token.
  * @private
  */
@@ skipping 31 matching lines @@
  * Fetch a token from a token server using the identity.launchWebAuthFlow API.
  * @private
  */
 remoting.ThirdPartyTokenFetcher.prototype.fetchTokenIdentityApi_ = function() {
   var fullTokenUrl = this.getFullTokenUrl_();
   // TODO(rmsousa): chrome.identity.launchWebAuthFlow is experimental.
   chrome.experimental.identity.launchWebAuthFlow(
     {'url': fullTokenUrl, 'interactive': true},
     this.parseRedirectUrl_.bind(this));
 };