first: this project is a godsend, so thanks.
second, just for context: i'm using a boilerplate for my chrome extension that has several csps set to enable hot-reloading
Anyway, I got auth running by following your readme steps (seriously, thanks). but when I try to fire-up (pun, ugh) the database:
let fb = firebase.initializeApp(firebaseConfig);
let db = fb.database()
... i get some csp errors (text versions below):
By adding the iframe URLs to my csp in the manifest, i can make the errors go away. that is to say, changing csp from:
"content_security_policy": "default-src 'self'; script-src 'self' https://www.gstatic.com/ https://cdn.firebase.com https://*.firebaseio.com https://www.googleapis.com http://localhost:3000 'unsafe-eval'; object-src 'self';connect-src https://www.googleapis.com/ http://localhost:3000 ws://localhost:3000 ws://localhost:35729; style-src * 'unsafe-inline'; img-src 'self' data:;",
to:
"content_security_policy": "default-src 'self'; script-src 'self' https://cdn.firebase.com https://www.gstatic.com/ https://*.firebaseio.com https://www.googleapis.com http://localhost:3000 'unsafe-eval'; object-src 'self';connect-src https://www.googleapis.com/ http://localhost:3000 ws://localhost:3000 ws://localhost:35729 wss://s-usc1c-nss-133.firebaseio.com/ wss://wayhome-d.firebaseio.com; style-src * 'unsafe-inline'; img-src 'self' data:; frame-src wss://s-usc1c-nss-133.firebaseio.com/",
My concern is: are these URLs static to my project? eg wss://s-usc1c-nss-133...? It's easy enough to set up a dev/prod split for my separate firebase projects, but if the urls change unpredictably, I'll of course have to find another solution.
I tried setting the frame-src to wss://*.firebaseio.com, but that threw the same csp error as above.
Full console error text:
Refused to connect to 'wss://s-usc1c-nss-133.firebaseio.com/.ws?v=5&ns=wayhome-d' because it violates the following Content Security Policy directive: "connect-src https://www.googleapis.com/ http://localhost:3000 ws://localhost:3000 ws://localhost:35729".
    bg.open @ database.js:122
    (anonymous function) @ database.js:137
database.js:129 Refused to frame 'https://s-usc1c-nss-133.firebaseio.com/.lp?dframe=t&id=972161&pw=aKWcrZ89En&ns=wayhome-d' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
    gg.start @ database.js:129
    (anonymous function) @ database.js:139
    (anonymous function) @ database.js:30
    Tb @ database.js:53
    Sb @ database.js:30
    (anonymous function) @ database.js:128
    pRTLPCB @ .lp?start=t&ser=8877773&cb=2&v=5&ns=wayhome-d:6
    (anonymous function) @ .lp?start=t&ser=8877773&cb=2&v=5&ns=wayhome-d:9
database.js:122 Refused to connect to 'wss://s-usc1c-nss-133.firebaseio.com/.ws?v=5&s=qCdXJWFtmoRHKhkjBrMd5AKlKNBcQfaz&ns=wayhome-d' because it violates the following Content Security Policy directive: "connect-src https://www.googleapis.com/ http://localhost:3000 ws://localhost:3000 ws://localhost:35729".
    bg.open @ database.js:122
    xg @ database.js:143
    (anonymous function) @ database.js:139
    (anonymous function) @ database.js:30
    Tb @ database.js:53
    Sb @ database.js:30
    (anonymous function) @ database.js:128
    pRTLPCB @ .lp?start=t&ser=8877773&cb=2&v=5&ns=wayhome-d:6
    (anonymous function) @ .lp?start=t&ser=8877773&cb=2&v=5&ns=wayhome-d:9
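
The two refusals in the console output above are decided by different directives: the WebSocket by connect-src, the iframe by frame-src falling back to default-src. The following is an added example, not code from the original post or from Firebase: a simplified model of CSP source matching run against the posted policy. `check`, `SELF` and `WIDENED` are constructed for illustration; schemes are compared exactly, and ports and paths are ignored.

```javascript
// Added example: simplified CSP evaluation (exact scheme match, "*." host
// wildcard, ports and paths ignored). Not a full CSP implementation.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [rawName, ...sources] = part.trim().split(/\s+/);
    const name = (rawName || '').toLowerCase();
    if (name && !directives.has(name)) directives.set(name, sources); // first one wins
  }
  return directives;
}

function sourceMatches(source, url, selfOrigin) {
  if (source === '*') return true; // simplified: the real wildcard excludes some schemes
  if (source === "'self'") return url.href.startsWith(selfOrigin);
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:]+)/i.exec(source);
  if (!m) return false; // keywords and scheme-only sources are out of scope here
  const host = m[2].toLowerCase();
  const hostOk = host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1)) // "*.firebaseio.com" -> ".firebaseio.com"
    : url.hostname === host;
  return m[1].toLowerCase() + ':' === url.protocol && hostOk;
}

// kind is the directive governing the request: 'connect-src' for WebSocket/XHR,
// 'frame-src' for iframes. A missing directive falls back to default-src.
function check(policy, kind, rawUrl, selfOrigin) {
  const directives = parsePolicy(policy);
  const directive = directives.has(kind) ? kind : 'default-src';
  const sources = directives.get(directive);
  const url = new URL(rawUrl);
  const allowed = !sources || sources.some((s) => sourceMatches(s, url, selfOrigin));
  return { directive, allowed };
}

const SELF = 'chrome-extension://EXAMPLE_ID'; // placeholder extension origin
// The first policy from the post, verbatim.
const ORIGINAL = "default-src 'self'; script-src 'self' https://www.gstatic.com/ https://cdn.firebase.com https://*.firebaseio.com https://www.googleapis.com http://localhost:3000 'unsafe-eval'; object-src 'self';connect-src https://www.googleapis.com/ http://localhost:3000 ws://localhost:3000 ws://localhost:35729; style-src * 'unsafe-inline'; img-src 'self' data:;";
// Constructed variant: wss wildcard in connect-src, https wildcard in frame-src.
const WIDENED = ORIGINAL.replace('ws://localhost:35729;',
  'ws://localhost:35729 wss://*.firebaseio.com;') + ' frame-src https://*.firebaseio.com;';
// URLs from the console output, query strings trimmed.
const WS_URL = 'wss://s-usc1c-nss-133.firebaseio.com/.ws?v=5&ns=wayhome-d';
const FRAME_URL = 'https://s-usc1c-nss-133.firebaseio.com/.lp?dframe=t&ns=wayhome-d';

for (const [label, policy] of [['original', ORIGINAL], ['widened', WIDENED]]) {
  console.log(label, check(policy, 'connect-src', WS_URL, SELF), check(policy, 'frame-src', FRAME_URL, SELF));
}
```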