firebase-js-sdk icon indicating copy to clipboard operation
firebase-js-sdk copied to clipboard
verified publisher icon firebase

Firefox error on signInWithCustomToken with empty referer: auth/requests-from-referer-<empty>-are-blocked

Open CharlieDigital opened this issue 1 year ago • 6 comments

Operating System

Mac M1, macOS 14.5

Browser Version

Firefox 129.0

Firebase SDK Version

10.12.5

Firebase SDK Product:

Auth

Describe your project's tooling

Vue + Vite building a browser extension

Describe the problem

When making a call to signInWithCustomToken, Firebase auth receives an HTTP 403 from the identity endpoint with the following error:

image

This only occurs in Firefox and works as expected on Chrome.

Screenshot 2024-08-06 at 10 29 28 PM

Steps and code to reproduce issue

I have the code published in the following extensions (with minimal obfuscation):

Chrome version of the extension where everything works: https://chromewebstore.google.com/detail/turasapp/lpfijfdbgohlblnadiokliolkkeeblpo

Firefox version: https://addons.mozilla.org/en-US/firefox/addon/turas-app/

There is no functional difference in the output code.

May be related to this issue: https://github.com/firebase/firebase-js-sdk/issues/7997

CharlieDigital avatar Aug 09 '24 20:08 CharlieDigital

Facing similar issue with await signInWithCustomToken(auth, customFirebaseToken) on Windows 10 + Chrome 126 and 127. We issue the token in the backend using a service account and then use signInWithCustomToken using the client side API that is configured with a browser key that is restricted for our sites. I don't see the option to supply a referer in this case.

cabello avatar Sep 11 '24 19:09 cabello

Hi @CharlieDigital, it looks like https://addons.mozilla.org/en-US/firefox/addon/turas-app/ does not exist. Do you have another version we can take a look at?

dlarocque avatar Sep 13 '24 16:09 dlarocque

Yup; I took it offline for the time being, but I've attached the compiled source here (largely identical except for the manifest):

turas-firefox-2024-09-14-16-39.zip

Appreciate any effort your team puts into this!

CharlieDigital avatar Sep 13 '24 16:09 CharlieDigital

Hi all, are you still experiencing this issue? If so, can you share a stand alone, minimal app that reproduces the problem? Thanks!

DellaBitta avatar May 12 '25 14:05 DellaBitta

I'm still interested in solving this, but may not be able to get to testing this again later this week (and also requires waiting for Mozilla to approve my app). I will try to update all packages and publish a new version of the extension this week and test again.

I iterate again that this is not reproducible in local dev builds and requires distribution via the Firebox extension library to verify.

CharlieDigital avatar May 12 '25 14:05 CharlieDigital

Problem still occurs after updating the firebase package to 11.7.3:

Image

Source is available here (not obfuscated): https://addons.mozilla.org/en-US/firefox/addon/turas-app/

Attached as a package:

turas-firefox-2025-05-18-00-19.zip

CharlieDigital avatar May 17 '25 01:05 CharlieDigital