Chrome extension is at risk of being removed due to Firebase injecting remote code to load Google API (Blue Argon)


Jiajun

Sep 13, 2023, 11:14:19 PM
to Chromium Extensions
Yesterday, I received an email from Google informing me that my extension may be removed. The reason cited was that the extension was loading remote code.

However, since I am aware that Manifest V3 does not allow remote code loading, I never considered adding such functionality to the extension during development. After analyzing the packaged code, I discovered a section of code in Firebase Auth called _loadJS, which dynamically creates a script tag pointing to Google's own API. This analysis was later confirmed in subsequent emails exchanged with Google.

Links of the code:


Since Firebase is also a Google product, how can I solve this? Waiting for the Firebase team to fix it could take forever.

Uladzimir Yankovich

Sep 14, 2023, 10:20:14 AM
to Chromium Extensions, Jiajun
In general, it would be good if the Chrome Extension and Firebase teams discussed the project of normal operation of Firebase in MV3.

Patrick Kettner

Sep 14, 2023, 10:22:52 AM
to Chromium Extensions, Jiajun
Hi Jiajun,
We are working with the Firebase team to get their code working more easily in Manifest V3. However, in the meantime, the simplest method of authentication is to use chrome.identity.getAuthToken. It would look something like this:

// Ask Chrome for an OAuth access token for the signed-in profile
// (no remote script has to be loaded for this step).
chrome.identity.getAuthToken({ 'interactive': true }, async (token) => {
  // Wrap the Google access token as a Firebase credential (compat API).
  const credential = firebase.auth.GoogleAuthProvider.credential(null, token);
  try {
    const { user } = await firebase.auth().signInWithCredential(credential);
    console.log(`the user object is here! - ${user}`);
  } catch (e) {
    // Log the caught error (the original referenced an undefined `error`).
    console.error(e);
  }
});

Patrick Kettner

Sep 14, 2023, 10:24:03 AM
to Chromium Extensions, yank...@manganum.app, Jiajun
We actually do! Spoke with them this morning about this exact issue. There are straightforward ways to make auth work in MV3, but Firebase allows for a LOT of auth flows. Not all of them work simply. I am working on an omnibus demo of all versions; in the meantime I just posted the "simple" way on this thread.

Uladzimir Yankovich

Sep 14, 2023, 10:28:42 AM
to Chromium Extensions, Patrick Kettner, yank...@manganum.app, Jiajun
This is amazing news 🥰!

Patrick, you are my hero! I'm already thinking about putting your photo on the table next to the family photo 😂

Patrick Kettner

Sep 14, 2023, 10:31:57 AM
to Uladzimir Yankovich, Chromium Extensions, Jiajun
Bring them to AFDS, we will have a photoshoot :D

Jiajun

Sep 17, 2023, 5:10:29 AM
to Chromium Extensions, Patrick Kettner, Chromium Extensions, Jiajun
Hi Patrick,

We tried using the code you provided and found that the document.createElement('script') is still present in the bundled code. If we understand correctly, it seems that this code is only for login and doesn't solve the issue we raised, is that right?

In our extension's background script, we only use the signOut method from firebase/auth. However, when webpack bundles the code, the document.createElement('script') still appears and points to the Google API.

Since our extension has new features going live every week, this situation has put us in a difficult position. I noticed that many developers have recently encountered the same problem. If you could provide a complete example, we would greatly appreciate it. We will also spread the word and help other developers resolve this issue. Thank you.

Jackie Han

Sep 17, 2023, 6:31:13 AM
to Jiajun, Chromium Extensions, Patrick Kettner
There were a lot of discussions about this in the past.
As a temporary workaround, you can try manually deleting the relevant code (remote js) if the code is unused, like this.

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/fbfc4ad9-786a-4b71-ad26-3b7909c659d3n%40chromium.org.

Patrick Kettner

Sep 27, 2023, 3:29:59 PM
to Jiajun, Chromium Extensions
To be clear, you would want to use some kind of tree-shaking build process, like rollup, after using the code. It removes the remote code being loaded.

Cxq chen

Jan 18, 2024, 3:05:38 PM
to Chromium Extensions, Patrick Kettner, Chromium Extensions
Is there any follow-up? Did version 10.7.1 solve the issue? I submitted my app recently and it was rejected because of a remote code violation in firebase-auth.js. In my submitted package, I used the previous Firebase version, so I'm wondering whether the new version solved the remote code reference issue.

Patrick Kettner

Jan 18, 2024, 3:11:37 PM
to Cxq chen, Chromium Extensions
The only fix in 10.7.1 is for #414. You will still need to follow the above instructions.

Cxq chen

Jan 18, 2024, 3:34:05 PM
to Chromium Extensions, Patrick Kettner, Chromium Extensions, Cxq chen
Thanks Patrick! By "the above instructions", do you mean the "chrome.identity" solution quoted below? Does it support sign-up as well?

"chrome.identity.getAuthToken({ 'interactive': true }, async (token) => {
  const credential = firebase.auth.GoogleAuthProvider.credential(null, token);
  try {
    const { user } = await firebase.auth().signInWithCredential(credential);
    console.log(`the user object is here! - ${user}`);
  } catch (e) {
    console.error(e);
  }
});"

Patrick Kettner

Jan 18, 2024, 5:15:46 PM
to Cxq chen, Chromium Extensions
That is one option, yes. You will need to try it and see what works for your codebase. If you are compiling the code, check for references to recaptcha or enterprise.js in the generated output.

Patrick Kettner

Jan 18, 2024, 5:41:38 PM
to Sean Gates, Chromium Extensions, Cxq chen
Happy to help!

On Thu, Jan 18, 2024 at 5:30 PM Sean Gates <se...@revvable.com> wrote:
We were able to get things through review and published by moving completely to the module-based imports, which allowed tree shaking.

Thanks for your help with that, Patrick!

--
Sean Gates, CTO
