New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
馃悰 [firebase_core] CSP Violation in Firebase Core #9817
Comments
Don't have much experience with chrome extensions, however I'm not sure what the solution here would be if cross origin scripts are not allowed. What is the issue with using the csp flag? It is actually possible to tell FlutterFire to not both loading the scripts from the cdn, however this still requires you load them in from somewhere else. Maybe a build script to download them locally is the best option here? I've also got vauge memories of being able to specify external domains in the manifest file for situations like this. Not on a computer right now so can't easily check. |
Keeping this issue open and labeling for tracking. |
Please enlighten me! Concerning flutterfire, how can I specify no external CDN? Currently I just About specifying external domains in the |
any update on this? |
No, still a problem |
Hey all, |
Thanks, @tolotrasamue I was able to get this working with your trick. But still, firebase auth throws are not implemented on signInWithCredential. Also, libraries like shared_preference are not working! |
I tried the solution that was proposed in by @tolotrasamuel but I'm still facing the same issue unfortunately :( Here's what I did exactly: I downloaded firebase-app-check.js, firebase-app.js, firebase-firestore.js, firebase-remote-config.js and put them in a local folder called firebase. I then created a file called engine.js that calls the code you mention in your answer then I included this file in my index.html inside a script tag with the type "module" within the body section. I fixed all the calls to CDN inside the downloaded files so that they point to my local files. I'm using : firebase_core: ^2.8.0 and cloud_firestore: ^4.4.5 @tolotrasamuel and @mohanish2504 can you please tell me if these are the only steps necessary or are there other steps that I'm missing? |
@sniper0110 can you share code buddy. |
Ok @mohanish2504
Here's my
Here's my engine.js file which I use to call local firebase js files:
This is the part that's causing the CSP issues: Inside my
|
I just realized something strange! Although I am still seeing those CSP issues in the console, the Firebase app is actually being initialized now! So I can confirm that the changes that I made actually had an impact. But I still need to find a way to address those CSP issues. This could be a blocking point when I'll try to submit my extension to chrome store for review. |
If anyone or @sniper0110 can share a repo of extension in this google group to discuss whether it will be a problem. |
Hello everyone, any news on this? I tried the solution proposed in the SO but its not working. |
This solution works But first check if the firebase product you need works on chrome extensions: https://firebase.google.com/docs/web/environments-js-sdk steps, in terminal: mkdir firebase-npm inside the dir create the files package.json {
"name": "firebase-npm",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"build": "webpack"
},
"keywords": [],
"author": "",
"license": "ISC",
"dependencies": {
"firebase": "^10.10.0"
},
"devDependencies": {
"webpack": "^5.91.0",
"webpack-cli": "^5.1.4"
}
} firebase.js import * as firebaseCore from 'firebase/app';
import * as firebaseRemoteConfig from 'firebase/remote-config';
window.firebase_core = firebaseCore;
window.firebase_remote_config = firebaseRemoteConfig; webpack.config.js const path = require('path');
module.exports = {
entry: './firebase.js', // Your source file
output: {
filename: 'bundle.js', // Compiled file
path: path.resolve(__dirname, 'dist'), // Output directory
},
mode: 'production', // Use 'development' for development build
}; .gitignore
then, in terminal, inside the directory run Inside the |
I am building a flutter app for a chrome extension, which does not allow ANY CSP violations at all (using manifest v3).
Recently I integrated firebase firestore, however I would get console errors refusing to execute scripts due to CSP in production builds. This broke the app, which loaded with only a white background.
These were the scripts added:
(I am using firebase_core and cloud_firestore)
These are the console errors:
(Note the 'DIRTY_manual_CSP_fix.js' errors)
DIRTY_manual_CSP_fix.js
My initial thought was 'well, lets add this code manually into a script and execute it myself' since the
main.dart.js
build obviously depended onwindow.ff_trigger_firebase_*
to properly execute.This is the file mentioned above, but this only kicks the problem upstairs and still violates CSP as it dynamically imports files from 'https://www.gstatic.com/firebasejs/9.9.0/firebase-*' which chrome does not like (errors above)
For reference, my file 'DIRTY_manual_CSP_fix.js is pasted below:
--csp
flag for flutter buildsYou might be thinking, 'why don't you add the
--csp
flag when building?'Simply to get anything to work as a chrome extension I have been doing this from the start. To confirm: ALL of these builds are with the
--csp
flag enabled.The full build command I use it:
flutter build web --web-renderer html --csp
Other references:
This is not the first mention of this issue, issue #80221 mentions nearly the exact build finding the same issue and cause:
This is the code causing the issue:
When building with
--profile
the CSP error is caused somewhere in filehtml_dart2js.dart
Originally posted by @codemasterover9000 in flutter/flutter#80221 (comment)
Potential Solution
There is only one solution to using the firebase client library in flutter and a strict CSP policy, which I am forced to do.
This is to manually copy the script files and include them in the production bundle, which is possible but not a good nor elegant solution.
Reproduction:
I have added a minimal reproducible repository here: https://github.com/ActuallyHappening/SchoolBoxStyling/tree/master/csp_firebase_bug
I have included the faulty build, with the
--csp
flag enabled (full build command usedflutter build web --csp --web-renderer html
).To see error, open chrome://extensions/ (chrome extensions page), turn on dev mode, and select 'load unpacked', choosing the
build/web
folder.When you click the extensions icon, you should see a white screen. Right click and inspect, view console, and share in my annoyance. The same errors appear.
For reference:
The manifest file I used is pasted below. Note that adding a CSP option is optional, as it is implied.
My actual manifest includes an explicit "content_security_policy" (CSP) key, pasted below. Removing this does nothing to solve the issue, as chrome implies this anyway.
Adding a nonce or extra keys to the 'script-src' or 'object-src' results in chrome not even parsing the manifest when loading the extension.
The dart code that triggers the firebase_core plugin to inject its own script DOM nodes seems to be this:
In the minimal reproducible example, the console logs and script tags added were:
(all)
(just scripts)
This is my
pubspec.yaml
from the example repo. I have 1 extra dependancy,firebase_core
, and nothing else:Final thoughts
I would appreciate any insight into solving this problem, and ideally a feature flag for the
firebase_core
plugin that solves this CSP issue.Flutter is an amazing tool, but I have resorted to using the lower level firebase REST API to load data into my app, using
dio
and thedio_http_cache
packages.The text was updated successfully, but these errors were encountered: