quickstart-js
chrome-extension: CSPs & database()
first: this project is a godsend, so thanks.
second, just for context: i'm using a boilerplate for my chrome extension that has several csps set to enable hot-reloading.
Anyway, I got auth running by following your readme steps (seriously, thanks). but when I try to fire-up (pun, ugh) the database:
let fb = firebase.initializeApp(firebaseConfig);
let db = fb.database()
... i get some csp errors (text versions below):
By adding the iframe URLs to my csp in the manifest, i can make the errors go away. that is to say, changing csp from:
"content_security_policy": "default-src 'self'; script-src 'self' https://www.gstatic.com/ https://cdn.firebase.com https://*.firebaseio.com https://www.googleapis.com http://localhost:3000 'unsafe-eval'; object-src 'self';connect-src https://www.googleapis.com/ http://localhost:3000 ws://localhost:3000 ws://localhost:35729; style-src * 'unsafe-inline'; img-src 'self' data:;",
to:
"content_security_policy": "default-src 'self'; script-src 'self' https://cdn.firebase.com https://www.gstatic.com/ https://*.firebaseio.com https://www.googleapis.com http://localhost:3000 'unsafe-eval'; object-src 'self';connect-src https://www.googleapis.com/ http://localhost:3000 ws://localhost:3000 ws://localhost:35729 wss://s-usc1c-nss-133.firebaseio.com/ wss://wayhome-d.firebaseio.com; style-src * 'unsafe-inline'; img-src 'self' data:; frame-src wss://s-usc1c-nss-133.firebaseio.com/",
My concern is: are these URLs static to my project? eg wss://s-usc1c-nss-133...? It's easy enough to set up a dev/prod split for my separate firebase projects, but if the urls change unpredictably, I'll of course have to find another solution.
I tried setting the frame-src to wss://*.firebaseio.com, but that threw the same csp error as above.
Full console error text:
Refused to connect to 'wss://s-usc1c-nss-133.firebaseio.com/.ws?v=5&ns=wayhome-d' because it violates the following Content Security Policy directive: "connect-src https://www.googleapis.com/ http://localhost:3000 ws://localhost:3000 ws://localhost:35729".
bg.open @ database.js:122
(anonymous function) @ database.js:137
database.js:129 Refused to frame 'https://s-usc1c-nss-133.firebaseio.com/.lp?dframe=t&id=972161&pw=aKWcrZ89En&ns=wayhome-d' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
gg.start @ database.js:129
(anonymous function) @ database.js:139
(anonymous function) @ database.js:30
Tb @ database.js:53
Sb @ database.js:30
(anonymous function) @ database.js:128
pRTLPCB @ .lp?start=t&ser=8877773&cb=2&v=5&ns=wayhome-d:6
(anonymous function) @ .lp?start=t&ser=8877773&cb=2&v=5&ns=wayhome-d:9
database.js:122 Refused to connect to 'wss://s-usc1c-nss-133.firebaseio.com/.ws?v=5&s=qCdXJWFtmoRHKhkjBrMd5AKlKNBcQfaz&ns=wayhome-d' because it violates the following Content Security Policy directive: "connect-src https://www.googleapis.com/ http://localhost:3000 ws://localhost:3000 ws://localhost:35729".
bg.open @ database.js:122
xg @ database.js:143
(anonymous function) @ database.js:139
(anonymous function) @ database.js:30
Tb @ database.js:53
Sb @ database.js:30
(anonymous function) @ database.js:128
pRTLPCB @ .lp?start=t&ser=8877773&cb=2&v=5&ns=wayhome-d:6
(anonymous function) @ .lp?start=t&ser=8877773&cb=2&v=5&ns=wayhome-d:9
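Added example (not part of the original post, and not code from the quickstart-js project): a simplified CSP source matcher that replays the two blocked requests from the console output against the original manifest policy and reports which directive governs each, then repeats the check against a constructed variant. The extension origin placeholder, the `VARIANT_POLICY` string, the trimmed frame URL and the matching simplifications (exact scheme, no path matching) are assumptions.

```javascript
// Simplified CSP source matching (assumption): exact scheme, host with optional
// "*." wildcard, optional port. Paths and browser scheme-upgrade rules are ignored.
const ORIGINAL_POLICY = "default-src 'self'; script-src 'self' https://www.gstatic.com/ https://cdn.firebase.com https://*.firebaseio.com https://www.googleapis.com http://localhost:3000 'unsafe-eval'; object-src 'self';connect-src https://www.googleapis.com/ http://localhost:3000 ws://localhost:3000 ws://localhost:35729; style-src * 'unsafe-inline'; img-src 'self' data:;";
// Constructed variant for illustration only: wildcard host sources, exact schemes.
const VARIANT_POLICY = ORIGINAL_POLICY.replace('ws://localhost:35729;',
  'ws://localhost:35729 wss://*.firebaseio.com;') + ' frame-src https://*.firebaseio.com';
const SELF = 'chrome-extension://extension-id-placeholder/'; // placeholder origin
const WS_URL = 'wss://s-usc1c-nss-133.firebaseio.com/.ws?v=5&ns=wayhome-d'; // from the console error
const FRAME_URL = 'https://s-usc1c-nss-133.firebaseio.com/.lp'; // query string omitted

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first occurrence wins
  }
  return directives;
}

function sourceMatches(source, url, self) {
  if (source === '*') return true; // simplification: the real '*' excludes some schemes
  if (source === "'self'") return url.protocol === self.protocol && url.host === self.host;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false; // keywords such as 'unsafe-eval' never match a URL
  const [, scheme, rawHost, port] = m;
  const host = rawHost.toLowerCase();
  if (url.protocol !== scheme.toLowerCase() + ':') return false;
  const hostOk = host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1)) // "*.example.com" needs at least one extra label
    : url.hostname === host;
  const portOk = port === undefined ? url.port === '' : port === '*' || url.port === port;
  return hostOk && portOk;
}

// Returns the directive that governs the request and whether the URL is allowed.
function check(policy, directive, target, selfOrigin = SELF) {
  const directives = parsePolicy(policy);
  const governing = directives.has(directive) ? directive : 'default-src'; // fetch-directive fallback
  const sources = directives.get(governing);
  const url = new URL(target), self = new URL(selfOrigin);
  const allowed = sources === undefined || sources.some((s) => sourceMatches(s, url, self));
  return { governing, allowed };
}
```

`check(ORIGINAL_POLICY, 'frame-src', FRAME_URL)` reports `default-src` as the governing directive, which mirrors the "Note that 'frame-src' was not explicitly set" line in the console output.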
integrate the databases
Any update? @brandonmp I am using the correct CSP but still have this issue.
I'm using a websockets workaround as of now.
Has anyone found how to get this done? I have to implement firebase notifications for my extension. Couldn't find a way.
what's the status on this issue?