firebase-js-sdk

Firestore should not access www.google.com, only *.googleapis.com

Open neelance opened this issue 3 years ago • 6 comments

We are currently rolling out a Content Security Policy. While doing so, we noticed that Firestore sometimes connects to www.google.com, specifically https://www.google.com/images/cleardot.gif. This is because this URL is hardcoded in the webchannel transport:

https://github.com/google/closure-library/blob/7c5e8ef152adf9cc814875c42ab2a0244653b69c/closure/goog/labs/net/webchannel/netutils.js#L48

It would be best if Firestore would only connect to *.googleapis.com domains.

Nov 10 '22 13:11 neelance
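For a CSP rollout like the one described in the issue above, this added example (not part of the original thread or of the Firebase or Closure code) triages CSP violation reports against a `*.googleapis.com` allowlist and lists the hosts that fall outside it. The report bodies are constructed samples in the legacy `report-uri` JSON shape, the `img-src` directive in them is an assumption, and `hostMatches` and `unexpectedHosts` are hypothetical names.

```javascript
// Added example: find hosts in CSP violation reports that fall outside an allowlist.
// hostMatches and unexpectedHosts are hypothetical helper names.

// CSP host-source matching: "*.example.com" matches any subdomain, not the bare domain.
function hostMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  return p.startsWith("*.") ? h.endsWith(p.slice(1)) : h === p;
}

// Returns [{ host, count, directives }] for blocked hosts not covered by allowedHosts.
function unexpectedHosts(reports, allowedHosts) {
  const seen = new Map();
  for (const report of reports) {
    const body = report["csp-report"] || {};
    let url;
    try {
      url = new URL(body["blocked-uri"]);
    } catch {
      continue; // keyword values such as "inline" or "eval" carry no host
    }
    if (!url.hostname || allowedHosts.some((p) => hostMatches(p, url.hostname))) continue;
    const entry = seen.get(url.hostname) || { host: url.hostname, count: 0, directives: new Set() };
    entry.count += 1;
    entry.directives.add(body["violated-directive"]);
    seen.set(url.hostname, entry);
  }
  return [...seen.values()]
    .map((e) => ({ host: e.host, count: e.count, directives: [...e.directives].sort() }))
    .sort((a, b) => b.count - a.count);
}

// Constructed sample reports; the "img-src" directive is an assumption, not from the thread.
const SAMPLE_REPORTS = [
  { "csp-report": { "blocked-uri": "https://www.google.com/images/cleardot.gif", "violated-directive": "img-src" } },
  { "csp-report": { "blocked-uri": "https://firestore.googleapis.com/", "violated-directive": "connect-src" } },
  { "csp-report": { "blocked-uri": "inline", "violated-directive": "script-src" } },
  { "csp-report": { "blocked-uri": "https://www.google.com/images/cleardot.gif", "violated-directive": "img-src" } },
];

console.log(unexpectedHosts(SAMPLE_REPORTS, ["*.googleapis.com"]));
```
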

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

Nov 10 '22 13:11 google-oss-bot

Hi @neelance, thanks for reaching out. Let me check what we can do for this or bring someone here that can provide more context about it. I’ll update this thread if I have any information to share.

Nov 10 '22 15:11 jbalidiong

Googlers see b/259147891

Nov 14 '22 23:11 ehsannas

Thanks for reporting, @neelance. We'll take steps to fix this.

Nov 16 '22 20:11 ehsannas

Any progress on this?

Dec 05 '23 15:12 neelance

Hey @neelance, since this occurs in one of our dependencies (webchannel), I have filed an issue with them to fix it. I believe it hasn't been resolved yet. But I'll follow up again. Thanks for your patience.

Dec 05 '23 19:12 ehsannas