How does Firebase domain whitelisting work behind the scenes to make it foolproof? To be clear, I'm not trying to configure my domain in the Firebase console (which I understand how to do), but instead trying to build some similar source-domain validation in my server-side API code. What web standards does Firebase use to make sure only authorized domains make API calls, given that the API token is public?
What if someone uses a non-browser HTTP client with source-domain headers faked, together with the API token of my app? I assume Firebase would've thought about such a case and it's covered. Trying to understand how it's foolproof.
My guess would be that it is not fool-proof, but limits the use cases in certain situations.
You could use such a whitelisted domain in the CORS related headers, this would prevent certain actions from modern browsers.
The whitelisted domains can also be used with authentication to make sure the redirect after login is to your domain.
Theoretically you could go and check the Referer header, but a lot of browsers do not supply it for security / privacy purposes, so that would be a bad option.
As for Firebase, since it is quite hard to use Firebase without the library, the library can just supply the current URL to the server and prevent any action from unlisted domains. This is by no means fool-proof.
What if someone uses a non-browser HTTP client with source-domain headers faked, together with the API token of my app? I assume Firebase would've thought about such a case and it's covered.
I think your assumption is wrong. Clients are insecure and any request can be faked. Eventually it's a packet that is sent to a server and if you control the sender you control the contents of the packet.
If we monitored the connection between the client and Firebase we can figure out a way to perform the same tasks from another (out of browser) process.
TLS. If you look at the IETF's documentation, Handshake Protocol Overview:
When a TLS client and server first start communicating, they agree on a protocol version, select cryptographic algorithms, optionally authenticate each other, and use public-key encryption techniques to generate shared secrets.
So, I think this is the mechanism used for domain whitelisting. Regarding faking HTTP headers, Firebase does not accept HTTP, only HTTPS (TLS).