From 493d85e09e7f5aac039c80e81adaad5bd8cacd47 Mon Sep 17 00:00:00 2001
From: Aviv Keller <38299977+RedYetiDev@users.noreply.github.com>
Date: Wed, 27 Mar 2024 20:27:12 +0000
Subject: [PATCH] golang/pkgsite: improve hostname verification to ensure origin before setting cookie

Updates frontend to only check for `*.go.dev` / `go.dev`, instead of `*go.dev`

Change-Id: I1460aa69f2f032f9a098a22651586bb737927453
GitHub-Last-Rev: 61741be0c1266260ede2bcaa4a3c7990f51e4638
GitHub-Pull-Request: golang/pkgsite#88
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/574655
Reviewed-by: Aviv Keller
TryBot-Bypass: Jonathan Amsterdam
Reviewed-by: Jonathan Amsterdam
Reviewed-by: David Chase
Reviewed-by: Carlos Amedee
---
 static/frontend/frontend.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/static/frontend/frontend.ts b/static/frontend/frontend.ts
index 5d32275f5..26cceff58 100644
--- a/static/frontend/frontend.ts
+++ b/static/frontend/frontend.ts
@@ -128,7 +128,7 @@ function toggleTheme() {
 nextTheme = 'auto';
 }
 let domain = '';
- if (location.hostname.endsWith('go.dev')) {
+ if (location.hostname === 'go.dev' || location.hostname.endsWith(".go.dev")) {
 domain = 'domain=.go.dev;';
 }
 document.documentElement.setAttribute('data-theme', nextTheme);
@@ -147,7 +147,7 @@ function registerCookieNotice() {
 notice?.classList.add('Cookie-notice--visible');
 button?.addEventListener('click', () => {
 let domain = '';
- if (location.hostname.endsWith('go.dev')) {
+ if (location.hostname === 'go.dev' || location.hostname.endsWith(".go.dev")) {
 // Apply the cookie to *.go.dev.
 domain = 'domain=.go.dev;';
 }
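Review bot: The hostname predicate on the added lines is duplicated verbatim in `toggleTheme` and in the click handler inside `registerCookieNotice`, and the loose `endsWith('go.dev')` match being replaced was present in both copies, so the two cookie writers can drift apart again. Consider one helper that both sites call, e.g. `const isGoDevHost = (h: string) => h === 'go.dev' || h.endsWith('.go.dev');`, with a comment saying that the leading dot is what stops a host whose name merely ends in `go.dev` from being treated as first-party. The added lines also use double quotes (`".go.dev"`) where the surrounding context lines use single quotes. Both function bodies continue outside the hunks, so the cookie write itself is not visible here; assuming it appends `domain=.go.dev;`, the value is readable and writable from every go.dev subdomain, which is presumably fine for a theme or notice preference but should not be copied for anything sensitive.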