How does Firebase handle cross origin issues, and what are the underlying security concerns and how are they handled?
There are multiple ways to communicate with the Firebase servers, and these include:
https://<your-firebase>.firebaseio.com
Firebase uses a fully-permissive cross-origin resource sharing (CORS) policy, meaning that you can make requests to the Firebase servers from any origin. This is possible because Firebase does not use cookies or traditional sessions to govern which requests are authorized and which are not.
Similarly, Firebase uses a fully-permissive cross-domain policy file, requiring only that requests be made over SSL. See the policy file at https://demo.firebaseio-demo.com/crossdomain.xml.
Firebase relies upon a flexible authentication system and expression-based rules language to govern which requests are authorized and which are not.
In order for a request to be authorized, the request must include a Firebase Authentication Token, which is a way of securely sharing data between your server (or authentication provider, if using Firebase Simple Login), and the operation (and corresponding data) must pass the developer-defined security rules.
Firebase is accessible from anywhere via the client libraries or REST API, and enables you to build a fully-secure application using only client-side code. Get started with Firebase authentication by heading to the Quickstart Guide.
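The following is an added example, not part of the original answer and not Firebase's own code: a toy model of why a wildcard CORS policy is workable when authorization depends on a token sent explicitly with each request plus a rule, rather than on a cookie the browser attaches automatically. The HS256 JWT-style token, the secret, the rule and every function name are assumptions made for the illustration.

```javascript
// Added illustration, not Firebase code: a toy model of token-plus-rules authorization.
const { createHmac, timingSafeEqual } = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // hypothetical signing secret, held server-side only
const b64url = (s) => Buffer.from(s).toString('base64url');
const sign = (data) => createHmac('sha256', SECRET).update(data).digest();

// Issue a JWT-style token carrying the caller's auth payload (assumed format).
function mintToken(auth) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = header + '.' + b64url(JSON.stringify(auth));
  return body + '.' + sign(body).toString('base64url');
}

// Return the auth payload if the signature verifies, otherwise null.
// The header's "alg" is never trusted: verification is always HMAC-SHA256.
function verifyToken(token) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  const expected = sign(parts[0] + '.' + parts[1]);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch {
    return null;
  }
}

// Hypothetical rule: a user may read only /users/<their own uid>.
const rules = { read: (auth, path) => auth !== null && path === '/users/' + auth.uid };

// The decision uses the token and the rule only; req.origin is never consulted,
// which is why answering every origin with "*" grants a foreign page nothing extra.
function authorize(req) {
  const auth = verifyToken(req.token);
  return { allowOrigin: '*', allowed: rules.read(auth, req.path) };
}
```

A page on another origin can reach the endpoint, but without a validly signed token for the right user the rule denies the read, and the browser never attaches that token on the page's behalf.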