Firebase + Chrome content security policy settings?

7
votes

I'm trying to use Firebase in a Chrome extension background page, but it looks like it's executing inline-scripts, which isn't allowed because of security concerns.

I've currently set the CSP to:

{"content_security_policy": 
  "script-src 'self' https://cdn.firebase.com https://<my-subdomain>.firebaseio.com; object-src 'self'"}

I'm able to load the initial Firebase script, but upon calling new Firebase('my-firebase-url'), I get the following error:

Refused to execute inline script because it violates the following Content Security Policy directive: ". Uncaught ReferenceError: pRTLPCB is not defined

Is there any work around or advice the Firebase team (or anyone) can give, and maybe an explanation of why scripts are being executed inline?

3
google-chrome-extensionfirebasecontent-security-policy
Ah, I see I'm not the only one. Yes, the problem is that Firebase constructor is doing some funky magic on call (console.log a new Firebase(URL) to see what I mean.jjperezaguinaga
Sadly didn't have success from the content side neither - d.pr/i/pRMzjjperezaguinaga

3 Answers

13
votes

At the time the question was asked, there was a bug preventing Firebase from working in Chrome extensions, but this has now been fixed.

The correct CSP is:

"content_security_policy": "script-src 'self' https://cdn.firebase.com https://*.firebaseio.com; object-src 'self'"

(Note that the wildcard in the domain is important, since Firebase may connect to other subdomains internally.)

For a sample chrome extension using Firebase, see: https://github.com/firebase/firebase-chrome-extension.

3
votes

I'm having a similar problem; you see, Firebase's constructor seems to perform some dom manipulation in order to do some scripting (vague, I know), which triggers Chrome CSP because well, you are not supposed to do that.

I even trying to wrap the constructor through the Sandbox Pages, but without success (I get an DOM ERR 18, even though my manifest has all permissions). Same happens if you try to do it in a Background Page or a Popup Page for a Page Action/Browser Action.

Alternative? You can inject Firebase as a content script (do it from your manifest), and through Message Passing send the callbacks as Chrome.extension.sendMessage. I'm exactly doing this at the moment, so I can tell you how that goes, so far, at least the Firebase constructor works.

Solution? James Tampling reads this and prompts the Firebase team to look up after this :)

UPDATE: Injecting Firebase.js as a Content Script doesn't work neither, but the good news is that the Firebase team (reach Andrew Lee) is checking it out.

UPDATE 2 Firebase team fixed it, and now it does work from a Popup page (both in a Browser Popup or a Page Action one). You need to add the following CSP in your manifest.json though "content_security_policy": "script-src 'self' 'unsafe-eval' https://cdn.firebase.com https://*.firebaseio.com https://*.firebaseio.com; object-src 'self'; " It works wonders after that.

1
votes

I have a cordova js app, only the below one worked:

<meta http-equiv="Content-Security-Policy" content="

  default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval';
  script-src  'self' https://www.gstatic.com https://cdn.firebase.com https://*.firebaseio.com; object-src 'self';

  " />

hope this helps.