
Firebase + Chrome content security policy settings?

I'm trying to use Firebase in a Chrome extension background page, but it looks like it's executing inline scripts, which isn't allowed because of security concerns.

I've currently set the CSP to:

{"content_security_policy": 
  "script-src 'self' https://cdn.firebase.com https://<my-subdomain>.firebaseio.com; object-src 'self'"}

I'm able to load the initial Firebase script, but upon calling new Firebase('my-firebase-url'), I get the following error:

Refused to execute inline script because it violates the following Content Security Policy directive: ". Uncaught ReferenceError: pRTLPCB is not defined

Is there any work around or advice the Firebase team (or anyone) can give, and maybe an explanation of why scripts are being executed inline?

sgrove asked Dec 22 '12 22:12


1 Answer

At the time the question was asked, there was a bug preventing Firebase from working in Chrome extensions, but this has now been fixed.

The correct CSP is:

"content_security_policy": "script-src 'self' https://cdn.firebase.com https://*.firebaseio.com; object-src 'self'"

(Note that the wildcard in the domain is important, since Firebase may connect to other subdomains internally.)

For a sample Chrome extension using Firebase, see: https://github.com/firebase/firebase-chrome-extension.

Andrew Lee answered Sep 20 '22 02:09
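The difference between the question's single-subdomain policy and the answer's wildcard policy, as an added example that is not part of the original answer or of Firebase's code: a simplified `script-src` matcher (scheme and host only) run against constructed URLs. `myapp` stands in for `<my-subdomain>`; the extension origin and the `s-other` subdomain are hypothetical.

```javascript
// Added example: simplified CSP source matching (scheme + host only;
// ports, paths, nonces and hashes are not modelled).
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function hostSourceMatches(source, url) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && scheme.toLowerCase() + ":" !== url.protocol) return false;
  const h = host.toLowerCase();
  // "*.example.com" covers any subdomain, but not example.com itself.
  if (h.startsWith("*.")) return url.hostname.endsWith(h.slice(1));
  return url.hostname === h;
}

function scriptAllowed(policy, scriptUrl, selfOrigin) {
  const d = parseCsp(policy);
  const sources = d["script-src"] ?? d["default-src"];
  if (!sources) return true; // no directive restricts script loads
  const url = new URL(scriptUrl);
  return sources.some((src) => {
    if (src === "'self'") return scriptUrl.startsWith(selfOrigin + "/");
    if (src.startsWith("'")) return false; // other keywords never match a URL
    return hostSourceMatches(src, url);
  });
}

// Constructed inputs: "myapp" stands in for <my-subdomain>; the extension
// origin and "s-other" are hypothetical.
const SELF = "chrome-extension://aaaabbbbccccdddd";
const QUESTION_CSP = "script-src 'self' https://cdn.firebase.com https://myapp.firebaseio.com; object-src 'self'";
const ANSWER_CSP = "script-src 'self' https://cdn.firebase.com https://*.firebaseio.com; object-src 'self'";

function compare(scriptUrl) {
  return { question: scriptAllowed(QUESTION_CSP, scriptUrl, SELF),
           answer: scriptAllowed(ANSWER_CSP, scriptUrl, SELF) };
}
for (const u of ["https://myapp.firebaseio.com/x.js", "https://s-other.firebaseio.com/x.js", "https://firebaseio.com/x.js"]) console.log(u, compare(u));
```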