Firebase Auth Popup requires "unsafe-inline" csp option for script-src rule #5193
Comments
Hi @hakankaraduman, thanks for the report. I was able to reproduce the behavior you've reported when using Firebase Auth (e.g. signInWithPopup) with Content Security Policy (CSP). Let me check this out with our engineers here or bring someone who can provide more context about this matter.
As mentioned in #6716 (comment), we now set a nonce around the inline JS to make CSP allowlisting easier. We will track removal of the inline code in this issue.
Checking in to see if the resolution and thread of the other issue helps / pertains at all to this issue. Thanks!
Hey @hakankaraduman. We need more information to resolve this issue but there hasn't been an update in 5 weekdays. I'm marking the issue as stale and if there are no new updates in the next 5 days I will close it automatically. If you have more information that will help us get to the bottom of this, just add a comment!
Since there haven't been any recent updates here, I am going to close this issue. @hakankaraduman if you're still experiencing this problem and want to continue the discussion just leave a comment here and we are happy to re-open this.
Firebase Auth modal uses inline style and inline script, and forces us to use "unsafe-inline" in our CSP rules.
If you add a CSP without the option of "unsafe-inline" for the script-src rule, the Firebase Auth popup doesn't work.
I read that it is not a best practice to allow "unsafe-inline" in the CSP and I would like to remove it, if Firebase allows it.