1

I am trying to create a basic chrome extension to sign in with google using Firebase but I keep getting this error:

Refused to load the script 'https://apis.google.com/js/api.js?onload=__iframefcb441380' because it violates the following Content Security Policy directive: "script-src 'self' https://www.gstatic.com/firebasejs/3.7.3/firebase.js".

Here is my popup.html (you can ignore everything under the sign in and log out buttons):

 <html>
  <head>
    <script src="https://www.gstatic.com/firebasejs/3.7.3/firebase.js"></script>

  </head>

  <body>

    <div id="banner">
        <div id="banner-content">
        Frogger
        </div>

        <div id="banner-button">
          <button id="gSign">Google Signin</button>
          <button id="gOut">Google Signout</button>
        </div>
      </div>


    <div class="container" style="display: none;">

      <input id="txtEmail" type="email" placeholder="Email">
      <input id="txtPassword" type="password" placeholder="Password">

      <button id="btnLogin" class="btn btn-action">
        Log In
      </button>

      <button id="btnSignUp" class="btn btn-secondary">
        Sign Up
      </button>

      <button id="btnLogOut" class="btn btn-action hide">
        Log Out
      </button>
    </div>

    <script src="app.js"></script>

  </body>

</html>

here is my app.js:

(function(){

  // Initialize Firebase
  var config = {
    apiKey: "My key is here",
    authDomain: "my domain is here",
    databaseURL: "I have all this filled out properely",
    storageBucket: "bucket",
    messagingSenderId: "senderId"
  };
  firebase.initializeApp(config); 

  function googleSignin() {
     firebase.auth()

     .signInWithPopup(provider).then(function(result) {
        var token = result.credential.accessToken;
        var user = result.user;

        console.log(token)
        console.log(user)
     }).catch(function(error) {
        var errorCode = error.code;
        var errorMessage = error.message;

        console.log(error.code)
        console.log(error.message)
     });
   }

   function googleSignout() {
     firebase.auth().signOut()

     .then(function() {
        console.log('Signout Succesfull')
     }, function(error) {
        console.log('Signout Failed')
     });
 }

  document.getElementById("gSign").addEventListener("click", e=>{
    firebase.auth()

    .signInWithPopup(provider).then(function(result) {
       var token = result.credential.accessToken;
       var user = result.user;

       console.log(token)
       console.log(user)
    }).catch(function(error) {
       var errorCode = error.code;
       var errorMessage = error.message;

       console.log(error.code)
       console.log(error.message)
    });

  });



}())

and finally here is my manifest.json (where I think I'm doing something wrong):

{
  "manifest_version": 2,

  "name": "Getting started example",
  "description": "This extension shows a Google Image search result for the current page",
  "version": "1.0",

  "content_security_policy": "script-src 'self' https://www.gstatic.com/firebasejs/3.7.3/firebase.js; object-src 'self'",
  "browser_action": {
    "default_popup": "popup.html"
  },
  "permissions": [
    "activeTab",
    "https://www.gstatic.com/firebasejs/3.7.3/firebase.js"

  ]
}

NOTE: Please try to answer this with what I can do specifically to stop this error from occurring. I have looked at tons of different posts and websites but they weren't specific enough, all they gave were links to read.

EDIT:

I figured out how to whitelist links, but as i continue to whitelist, more and more links keep coming up saying that they violate the CSP. So my question is; is there a way to know all of the links I need to whitelist? How can I do this? Thanks.

eeevvv1122333
  • 13
  • 5
  • > "all they gave were links to read. " — and did you read them? – Display Name Mar 23 '17 at 19:57
  • Yes I tried to read them but couldn't figure out how to apply them to my code. Any suggestions? – eeevvv1122333 Mar 23 '17 at 20:19
  • Why are you not just downloading it and including it in your extension (i.e. as a file within the extension)? – Makyen Mar 23 '17 at 21:19
  • The error is quite explicit: `https://apis.google.com/js/api.js?onload=__iframefcb441380` is being loaded, probably/potentially by Firebase. You don't have it white-listed, so it is denied as it violates the CSP. You've already white-listed *firebase.js*, so I'm not sure what you are having a problem with. Your choices are to white-list that specific code (which will probably change if Firebase is updated), or include *firebase.js*, that code and any other needed code, in your extension (the better option). – Makyen Mar 23 '17 at 21:27
  • @Makyn I'm sorry but I'm very new to this. Could you specify exactly what I need to put inside of my code? – eeevvv1122333 Mar 23 '17 at 23:19

0 Answers0