CSP issue in console is a problem for extension review?

[Aleksandar Penev (aleksoft)]

I hope this is the right place to ask about my concerns regarding this issue: https://github.com/firebase/flutterfire/issues/9817. If there is a CSP issue in the console, will it pose a problem for the review of the Chrome extension?

[Deco]

The short definitive answer is yes it can potentially impact the review, the longer answer is it's a bit more complicated relating to the reviewer, which CSP error is invoked and if it's possible to correct or not. Generally, if the CSP error has a solution, then the reviewer will highlight it for rejection, but as per everything, this is not a one size fits all answer and it purely depends on what your extension is doing, and the implementation logic.

Cheers,

DDeco

On Mon, 8 May 2023 at 15:48, Aleksandar Penev (aleksoft) <alek...@gmail.com> wrote:

I hope this is the right place to ask about my concerns regarding this issue: https://github.com/firebase/flutterfire/issues/9817. If there is a CSP issue in the console, will it pose a problem for the review of the Chrome extension?

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/5122c94e-e005-4ff6-957c-a2c6386ba1f9n%40chromium.org.

[Patrick Kettner]

If it prevents the extension from working as described, it will almost certainly be an issue. If it does not impact the extension, it is potentially not a problem, but there are a large number of variables that go into it so it is very hard to say with what you have shared.

The specific CSP errors that are listed in that issue are about firebase attempting to inject dom elements to fetch remote scripts. That is not allowed with manifest v3. You would need to bundle the firebase files with your extension, and do something like rewrite the library code at build time to import the local files rather than the remote version. If you share a repo or build showing CSP errors, id be happy to help further.

patrick

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/CABcX4UdmdesPAY_qcVuXpLEhmwbUGRvFTM0B5C6kVp9UoeyHbQ%40mail.gmail.com.

[Aleksandar Penev (aleksoft)]

I'm in the early stages of development, but I will share the discussion in github issue if someone wants to share.