Manifest v3 & Firebase


Ryan Graham

Aug 20, 2020, 11:45:02 AM
to Chromium Extensions
We currently have a Chrome extension in the web store which loads Firebase into the background page for real-time communication.

This allows us to have a single Firebase instance per browser instance (using persistent: true). Firebase has a limit on "simultaneous connections", so this works well with persistent: true because it means only one connection per user.
It also means the authentication happens in the context of the extension, not the user's tabs.

In Manifest v3 this is not possible. As far as I see it there are two options:
  • Use Firebase in each tab. This will increase the number of "simultaneous connections" exponentially for our users, so not really an option.
  • Open a tab which must stay open at all times in order to stay connected. This is terrible from a UX perspective and not something that our users will understand.
Are there any ways we can avoid these pitfalls in Manifest v3?

wOxxOm

Aug 21, 2020, 10:31:28 AM
to Chromium Extensions, Ryan Graham
>  Are there any ways we can avoid these pitfalls in Manifest v3? 

There are none because Chromium team has been claiming the need "wasn't demonstrated". Now it has been clearly demonstrated by you so please open a ticket on https://crbug.com as there's a theoretical possibility they will understand that some states in the background script cannot be serialized at all or it'd be unreasonably wasteful to restore.

A kinda lame workaround is to open one port to any tab's content script and keep it open (indefinitely or until the user signs out of firebase if you support such an action). This will prevent unloading of the service worker, which is a documented feature. You can use the port's onDisconnect event to repeat the process with a different random tab. When there are no connectable tabs (i.e. you can't connect to an empty new tab as it doesn't run content scripts in modern Chrome) you'll either have to let it sleep or open a new dummy tab just to have a port connection, which is why this workaround is kinda lame.

wOxxOm

Aug 21, 2020, 10:47:25 AM
to Chromium Extensions, wOxxOm, Ryan Graham
Ah, and of course you might still be able to use the option of having a dedicated tab by tricking the users into believing this tab is useful: display some info about your extension, live graphs, indicators, stats, pulse. You can set the tab's state to "pinned". You can also use "beforeunload" event listener to prevent the tab from being closed accidentally. Also show something like "If you don't like having this tab open please star the bug #### to convince Chromium team to find a better solution".

Kartik Watwani

Aug 22, 2020, 5:40:20 PM
to Chromium Extensions, wOxxOm, Ryan Graham
@Ryan Our extension also has the same requirement of signing in user using Firebase from the background page. I mentioned to @Simeon via CRX office hours about keeping the background page persistent for a different use case as the firebase login issue didn't come to my mind in September last year. I wish the background page with {persistent: true} is maintained in Manifest version 3 as well. Did you open a ticket @Ryan?

Simeon Vincent

Aug 22, 2020, 9:20:22 PM
to Kartik Watwani, Chromium Extensions, wOxxOm, Ryan Graham
Hey all,

I met with members of the Firebase team to talk about Manifest V3 late last year and the constraints it will impose. During that meeting we discussed a couple strategies for working with the new platform, but it was primarily an information session so we didn't arrive at any firm conclusions. I haven't spoken with them since.

I'm going to give myself a task to reach out to them next week to see what, if anything, they plan to change or have changed in their JS library to support MV3 extensions.

Cheers,

Simeon Vincent
Developer Advocate for Chrome Extensions


Scott Fortmann-Roe

Aug 25, 2020, 7:19:54 AM
to Simeon Vincent, Kartik Watwani, Chromium Extensions, wOxxOm, Ryan Graham
On the authentication issue, I think the following should work:
  • Direct your users to your website to log into your app via Firebase
  • After login, have your website request a custom auth token from Firebase Functions using the Node Admin SDK
  • Use message passing to send that token to your extension.
  • Your extension can then log-into Firebase as the user via this custom token.
This flow works well with MV2. I haven't tested in MV3 yet, but the Firebase team is steadily solving issues related to service workers (e.g. see here: https://github.com/firebase/firebase-js-sdk/issues/983) so I think there is a good chance this approach should work currently.

Amit Singh

Dec 21, 2020, 12:30:41 PM
to Chromium Extensions, sco...@gmail.com, watwa...@gmail.com, Chromium Extensions, wOxxOm, Ryan Graham, Simeon Vincent
I am facing an issue for using firebase with manifest v3. Is there any other way/update to allow firebase auth in extensions other than the way suggested by Scott Fortmann-Roe?

I am using the firebase npm package and the problem is that it is loading https://apis.google.com/js/api.js internally, but since remote scripts are now prohibited in v3, is there any workaround for this? Earlier I used to simply do "content_security_policy": "script-src 'self' https://apis.google.com/ 'unsafe-eval'; object-src 'self'".

Russell Barnard

Dec 24, 2020, 2:25:52 PM
to Chromium Extensions, amitsi...@gmail.com, sco...@gmail.com, watwa...@gmail.com, Chromium Extensions, wOxxOm, Ryan Graham, Simeon Vincent
With the change to v3 of the manifest do we yet know if it's possible to still use firebase auth? As we have a number of extensions currently using a background page with remote scripts for firebase e.g 

<script src="https://www.gstatic.com/firebasejs/7.9.2/firebase-app.js"></script>
<script src="firebase.js"></script>

As I understand, this is not supported in v3. Is firebase going to be supported at all? As mentioned above, even the npm version makes external calls.

What would be the best direction to take here, also do you know yet when v2 extensions have to be migrated by?


Jackie Han

Dec 24, 2020, 11:56:17 PM
to Russell Barnard, Chromium Extensions
Firebase doesn't need remote code.  You can download their static js files and put them in your extension.



--
韩国恺(Jackie)

Amit Singh

Dec 28, 2020, 7:42:39 AM
to Chromium Extensions, Jackie Han, Chromium Extensions, Russ
Jackie Chan, Care to explain how can I add a remote script inside my extension bundle which is internally called by firebase npm package?

Jackie Han

Dec 28, 2020, 8:56:03 AM
to Amit Singh, Chromium Extensions, Russ
Sorry, I don't use the firebase js sdk by npm. Firebase provides static js sdk files, which will only call its backend api and won't dynamically insert remote code. You can include the static files you need by function, e.g. if you only use firebase auth, only download firebase-app.js and firebase-auth.js. Putting firebase sdk files in the extension is better than using its remote code: no network download time, and it can work offline.

PS1: Using static firebase js files can't resolve "simultaneous connections" problem Ryan Graham mentioned.
PS2: Google Map api doesn't support static sdk js files, it will load more remote code from google server.
PS3: Youtube player api only support iframe to embed. That iframe will load youtube's remote code, we can't control.
--
韩国恺(Jackie)

Masao Okamoto

Sep 25, 2021, 5:12:06 AM
to Chromium Extensions, Jackie Han, Chromium Extensions, Rusty, Amit Singh
Hello. I found this discussion and try user authentication by firebase auth on manifest v3 with bundle static js sdk files (use firebase8.10.0.js).

Here is my result.

I got below error when I tried to authorize user by using auth.signInWithPopup method from background scripts.

code: "auth/operation-not-supported-in-this-environment" message: "This operation is not supported in the environment this application is running on. \"location.protocol\" must be http, https or chrome-extension and web storage must be enabled."

The background script on manifest v3 can't operate to show popup provide with chrome-extension protocol, isn't it?
If there is the way to avoid this issue, I'd like to know that.
And I seriously hope that the issues will be resolved.


Klapaucius

Sep 27, 2021, 5:09:42 PM
to Chromium Extensions, mas...@weup.jp, Jackie Han, Chromium Extensions, Rusty, Amit Singh
I just tried to use manifest v3 for firebase-auth and also failed badly.

I could in fact load firebase-auth etc in a service worker with manifest snippet:
----
  "background": {
    "service_worker": "background.js",
    "type": "module"
  },

  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self'",
    "sandbox": "sandbox allow-scripts; script-src 'self' 'https://apis.google.com/' 'https://www.gstatic.com/' 'https://*.firebaseio.com' 'https://www.googleapis.com' 'https://ajax.googleapis.com'; object-src 'self'"
  },
---

I then used this code in my service worker:

---
// initializeApp comes from firebase-app.js; its import was missing from the snippet.
import { initializeApp } from 'https://www.gstatic.com/firebasejs/9.1.0/firebase-app.js';
import { getAuth, onAuthStateChanged, connectAuthEmulator, signOut, signInWithEmailAndPassword, GoogleAuthProvider, signInWithPopup } from 'https://www.gstatic.com/firebasejs/9.1.0/firebase-auth.js';
import { getFirestore, setDoc, getDoc, collection, doc, connectFirestoreEmulator, query, where, getDocs } from "https://www.gstatic.com/firebasejs/9.1.0/firebase-firestore.js";

// Project configuration (values redacted in the original post).
const firebaseApp = initializeApp({
  apiKey: "xxx",
  authDomain: "xxx",
  projectId: "xxx",
  storageBucket: "xxx",
  messagingSenderId: "xxx",
  appId: "xxx",
  measurementId: "xxx"
});

const provider = new GoogleAuthProvider();
// This is the line reported below as failing with a missing "window".
const auth = getAuth(firebaseApp);
---

This does work until the last line, which will complain about missing window (presumably needed to open a SignInWithGoogle popup?).

I tried to locally download the 3 scripts, but then I also get an error in getAuth : component auth not initialized yet.

I've also tried 9.0.1 - same result.

I'm stumped. Has *anyone* found a way to make firebase-auth work in v3? Is there a definite plan to make it possible before the v2 deprecation starts in January 2022?

Is there another way I'm not aware of? Am I using a foot gun?

Vladimir Yankovich

Dec 31, 2021, 7:36:17 PM
to Chromium Extensions, Klapaucius, mas...@weup.jp, Jackie Han, Chromium Extensions, Rusty, Amit Singh
If I am not mistaken, is this problem still relevant, or is there already a known solution?

Moreover, I see that a year ago Simeon promised to talk to the FB team, but I do not see an answer about the results of this meeting.

Colleagues, does anyone know the solution? Or the current status of the ability to use FB Auth with MV3?

Klapaucius Klapaucius

Jan 3, 2022, 3:25:44 PM
to Vladimir Yankovich, sim...@chromium.org, Chromium Extensions, mas...@weup.jp, Jackie Han, Rusty, Amit Singh
It's still relevant to me. I have gotten various tidbits about how one could possibly open a new main window instead of a popup, but I haven't gotten that to work yet, maybe due to a lack of time trying.

However, I *really* want the people who build the firebase library (I'm unsure that these are google or microsoft team, BTW) to update the documentation here:


When that documentation is updated to cover MV3, I'd be very happy indeed. But all the questions I sent to those teams on mailing lists were unanswered, so I think that the dev team doesn't have an answer (yet?).

Simeon, if you could use your contacts to elicit a response from those teams, that would be super duper great. Even if the answer is 'we know it's broken, but we commit to a fix before MV2 is phased out - we want developers to use firebase in chrome extensions in the future'.

This lack of communication and possibly vision is the troubling part for me. I was for instance using Google Apps with great success, but that project got cancelled with 6 month notice another even with customers paying for higher Gsuite tiers - projecting from that, I would not put it past the dev teams to ax Firebase for Chrome extension if it becomes too much of a hassle, given that Chrome Extensions are purely cost center with no profit.


Unrelatedly, I'm wishing everyone here a successful and happy 2022!


Li Voon Loke

Jan 12, 2022, 5:35:08 AM
to Chromium Extensions, Klapaucius, Chromium Extensions, mas...@weup.jp, Jackie Han, Rusty, Amit Singh, yankovic...@gmail.com, Simeon Vincent
I made it work for my case (to access firestore9 from the extension). Here is a short guide. I hope it helps someone!
https://github.com/noovil/chrome-extension-manifestv3

Klapaucius Klapaucius

Jan 19, 2022, 4:11:57 PM
to Li Voon Loke, Chromium Extensions, mas...@weup.jp, Jackie Han, Rusty, Amit Singh, yankovic...@gmail.com, Simeon Vincent
This looks great! Let me understand though how you access firestore - how do you authenticate ? I would like to use 'sign-in-with-google', which tries to open a popup window, and that's where I run into problems.

I'll try your method anyway, I'm just asking to save myself time in case you have hardcoded auth credentials.


Li Voon Loke

Jan 19, 2022, 5:55:50 PM
to Chromium Extensions, Klapaucius, Chromium Extensions
In this case, yes I did hardcode the credentials. I haven't tried it with Google SSO, but do share if you're successful with it!

Jorge Dardon

Jan 25, 2022, 7:03:47 PM
to Chromium Extensions, liv...@datadrivenanalytics.com.au, Klapaucius, Chromium Extensions
Can anyone confirm Firebase's current status with chrome extensions? Is Firebase Auth working with manifest V3 as of 2022?

geet mehar

Jan 26, 2022, 1:50:59 AM
to Jorge Dardon, Chromium Extensions, liv...@datadrivenanalytics.com.au, Klapaucius
Guys, I found this video which claims to work FBase with V3. Maybe you could try this? https://www.youtube.com/watch?v=UjH2INUPmF4



--
Regards,
Geet Mehar

Jackie Han

Jan 26, 2022, 7:20:47 AM
to geet mehar, Jorge Dardon, Chromium Extensions, liv...@datadrivenanalytics.com.au, Klapaucius
(I haven't used firebase for a while)
To effectively discuss, please provide more specific information.

1. Firebase uses remote code?
No. You can bundle or include Firebase static js files in your extension.

2. Which firebase SDK version?
version 8 or earlier: it uses classical js files
version 9: it uses npm or es module, and many changes
I found in v9 firebase uses fetch api instead of XHR.

3. extension service has two types:
  // manifest.json
  "background": {
    "service_worker": "background.js",
    "type": "module" // default is "classic"
  }

4. Which environment? 
extension service worker or extension page or content script

5. Which firebase product?
Firebase Support Chrome Extensions Officially
  • Analytics ❌
  • Authentication ✔️
  • Cloud Firestore ✔️
  • Cloud Functions ✔️
  • Cloud Messaging ✔️
  • Cloud Storage ✔️
  • Performance Monitoring ❌
  • Realtime Database ✔️
  • Remote Config ✔️
Another reference: Session with service workers https://firebase.google.com/docs/auth/web/service-worker-sessions

6. Report Issue
If you find something wrong, I suggest you file an issue at https://github.com/firebase/firebase-js-sdk/issues


Klapaucius Klapaucius

Jan 26, 2022, 1:48:03 PM
to Jackie Han, geet mehar, Jorge Dardon, Chromium Extensions, liv...@datadrivenanalytics.com.au
Also please indicate whether you want to 'sign-in-with-Google' or not.

As I see it, you can get firebase to work in a service worker if you bundle the files yourself (I think I and others succeeded), but MV3 still puts restrictions on opening windows, EVEN THE POPUP NEEDED TO LOGIN WITH GOOGLE. So that means if you do password based auth, or hardcode credentials, you probably get firebase to work, even though your service worker might get periodically restarted. But for Sign-in-with-Google, I believe you're currently SOL. I'd love the authors of the extension/Firebase folks update this file:


for Manifest V3.

Jackie Han

Jan 26, 2022, 2:18:03 PM
to Klapaucius Klapaucius, geet mehar, Jorge Dardon, Chromium Extensions, liv...@datadrivenanalytics.com.au
I see there is a note that says "All Authentication features, except phone authentication and popup/redirect OAuth operations, are supported.".

Yes, using credentials should work if you use chrome.identity to auth users. Like:
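    chrome.identity.getAuthToken({ interactive: true }, function(token) {
        // Stop if the user declined or no token was issued.
        if (chrome.runtime.lastError || !token) return;
        // Firebase v8 API: no ID token (null), OAuth access token from chrome.identity.
        let credential = firebase.auth.GoogleAuthProvider.credential(null, token);
        firebase.auth().signInWithCredential(credential);
    });

PS: chrome.identity.getAuthToken can't work on other Chromium browsers.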

5letters

Jan 31, 2022, 5:03:42 AM
to Chromium Extensions, Jackie Han
Does anybody know if there is any plan to support popup/redirect OAuth operations?

Rasika Suryakant Warade

Jan 31, 2022, 7:52:38 AM
to Chromium Extensions, 5letters, Jackie Han
I have been following this thread, since I hit this issue early this year and was trying to figure this out too. 

I was looking to get the Firebase Google Sign In working with MV3 and got it working.  I have added this boilerplate code here: https://github.com/RasikaWarade/chrome-extension-mv3-firebase-boilerplate

Hope this helps you! Let me know if you have any questions.

FYI issues I faced and have tried to find all possible workarounds and not currently supported:

  • As a beginner I would have preferred using their built in sign in firebase-ui library, FirebaseUI functionality. I can confirm this does not work at the moment, as this library does not support the optimizations of module bundling.
  • I have tried and it does not work for `signInWithPopup` and `signInWithRedirect` functionalities for Google Sign In due to the limitations on the Chrome Extension MV3 side.
Best Regards!

Jed

Mar 6, 2022, 8:08:18 PM
to Chromium Extensions, Rasika Suryakant Warade, 5letters, Jackie Han
Thanks for your great boilerplate example Rasika.  That's very useful.  However I see that you are doing sign-in from a popup window.  From the popup, could you also have used the signInWithPopup method?  Also, do you know if the authentication is usable by the backgroundPage if you sign in with a popup? 

My challenge is that I had an MV2 extension which leveraged signInWithPopup via the backgroundPage.  With MV3, this is no longer possible for various reasons mentioned above. I can move sign in to a contentscript or popup, but I don't think this would allow me to execute authenticated firebase calls from the backgroundPage, at least in my experience.  But perhaps I've missed something.

tarun kumar

Mar 8, 2022, 5:56:47 AM
to Chromium Extensions, Klapaucius, mas...@weup.jp, Jackie Han, Chromium Extensions, Rusty, Amit Singh

I am facing the same problem. I have done everything but in the end I am getting the same error:
getAuth : component auth not initialized yet
Firebase Auth is not supported in service worker in manifest v3.
Other users who have commented on this thread are using auth in popup not in service worker.
If anyone is able to get firebase auth working in service worker in manifest v3, please share the code.

Jorge Dardon

Mar 8, 2022, 9:52:53 AM
to Chromium Extensions, tarun kumar, Klapaucius, mas...@weup.jp, Jackie Han, Chromium Extensions, Rusty, Amit Singh
Hello everyone, I wanted to share a possible resource for getting over the hurdle of Firebase Auth in MV3.

In this resource, I wanted to bring attention to this solution specifically by JulienR2

The solution seems to work in MV2 and MV3 and confirmed by some other members.
However, this assumes that you have a web app / server using firebase auth to generate a custom token which you can pass along to your extension in MV3 and sign in.

I wanted to share and get others' inputs on this.

Thanks.

Klapaucius Klapaucius

Mar 9, 2022, 1:11:23 AM
to Jorge Dardon, Chromium Extensions, tarun kumar, mas...@weup.jp, Jackie Han, Rusty, Amit Singh
I mean, that's definitely better than not being able to use firebase at all, but the reason there exist popups with a Google/Facebook/... powered oauth UI is that this UI can do all kinds of clever security things behind the curtains and streamline the user experience. SIGN-IN IS HARD.

If you require the user to somehow go through various steps to get manually a bearer token, you 

a) significantly weaken security
b) significantly impact usability.


Jorge Dardon

Mar 20, 2022, 4:59:55 PM
to Chromium Extensions, Rasika Suryakant Warade, 5letters, Jackie Han
Hey @Rasika,

Can you explain how this boilerplate works? Like how it manages to fix the Google Sign In
in MV3. And does it work with redirect?

Mark Johnston

Mar 24, 2022, 5:23:45 PM
to Chromium Extensions, jdar...@gmail.com, Rasika Suryakant Warade, 5letters, Jackie Han
Hey folks, I see options here regarding workarounds to get Firebase working, things like injecting service workers into various tabs and such. Most of this seems to be specifically regarding Firebase auth. Has anybody found a reliable way to get Firebase messaging working in a v3 extension, or are we still stuck using the same tab injection workarounds? I see the gcm namespace seems to exist for v3, but does that mean we're stuck using deprecated technologies for push-related messaging? Are there other reliable options that anybody knows of other than polling / other pull-related functionality?


Camron

Mar 28, 2022, 5:16:42 AM
to Chromium Extensions, julein...@gmail.com, Chromium Extensions, jdar...@gmail.com, Rasika Suryakant Warade, 5letters, Jackie Han, mar...@prodege.com
Hi all. I see suggestions here on how to solve Google Sign In in MV3. Does anyone have suggestions though for how to implement Apple Sign In in MV3? I've tried a few things but no luck.

Jorge Dardon

Apr 22, 2022, 11:24:26 AM
to Chromium Extensions, Jorge Dardon, Camron, julein...@gmail.com, Chromium Extensions, Rasika Suryakant Warade, 5letters, Jackie Han, mar...@prodege.com
Just wanted to share my experience after successfully managing to set up login with firebase in case this helped anyone else.
The caveat is that it's not true signup/login per se. It is sharing authentication between a web app and the chrome extension, synchronizing the state and having the chrome extension's auth state dependent (and mirroring) on the web app's auth state. However, it's more than that because Firebase is working and you are signed in to the extension itself as well as the web app.
This is further described in this firebase issue. https://github.com/firebase/quickstart-js/issues/208

I wanted to highlight some additional caveats.
1) This only works with Firebase 8. For this to work you need to download the SDK files for firebase-app and firebase-auth and import it in your background scripts. Firebase 9 SDK static files have imports which are not allowed in the service worker.

2) This does not solve the sign in with google popup/redirect workflow. I reiterate that this only synchronizes auth state between your web app and extension. So you'll need a web app with a backend server as well for the custom token part of the setup. However, you can sign in with google in the web app and the same will happen in the extension because you're creating a custom token with the uid received.


Conclusion:

For those of you that have a web app that works along your chrome extension, this might well be the perfect solution to your problem.

On Sunday, April 17, 2022 at 4:00:06 PM UTC-4 Jorge Dardon wrote:
hey guys, where are the static SDK files for V9? Did Google remove support for that? I cannot find them. The links above do not have them. I feel like that's the only way Firebase Auth can work in a service worker.

Please help
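
The extension-side half of the custom-token flow that Scott Fortmann-Roe lists above and Jorge Dardon reports working, as an added example that is not code from any poster or from Firebase: before a token received by message passing reaches signInWithCustomToken, check who sent it and that it looks like a Firebase custom token. The allowed origin, the message shape and every function name are assumptions, and the sample token is constructed.

```javascript
// Added example: vet a message carrying a Firebase custom token before signing in.
// Firebase verifies the signature at sign-in; these checks reject messages from the
// wrong page and tokens that are malformed, expired or minted for another audience.

// Assumption: the token-minting web app is served from this origin, and it is the
// only pattern listed under "externally_connectable.matches" in manifest.json.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const MESSAGE_TYPE = 'firebase-custom-token'; // hypothetical message shape
const MAX_TOKEN_CHARS = 4096;
const MAX_LIFETIME_SECONDS = 3600; // custom tokens live at most one hour
// Audience claim carried by tokens minted with the Firebase Admin SDK.
const CUSTOM_TOKEN_AUD =
  'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';

// JWT segments are base64url without padding.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4)));
}

function reject(reason) {
  return { ok: false, reason };
}

function vetTokenMessage(message, sender, nowSeconds = Math.floor(Date.now() / 1000)) {
  // 1. Who sent it? Compare the exact origin, never a substring of the URL.
  let origin;
  try {
    origin = new URL(sender.url).origin;
  } catch (e) {
    return reject('sender has no usable URL');
  }
  if (!ALLOWED_ORIGINS.has(origin)) return reject('unexpected sender origin');

  // 2. Is it the message we expect?
  if (!message || message.type !== MESSAGE_TYPE || typeof message.token !== 'string') {
    return reject('unexpected message shape');
  }
  if (message.token.length > MAX_TOKEN_CHARS) return reject('token too long');

  // 3. Does the token look like a custom token that is still valid?
  const parts = message.token.split('.');
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) return reject('not a JWT');
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch (e) {
    return reject('undecodable JWT');
  }
  if (!header || !payload) return reject('undecodable JWT');
  if (header.alg !== 'RS256') return reject('unexpected algorithm');
  if (payload.aud !== CUSTOM_TOKEN_AUD) return reject('wrong audience');
  if (typeof payload.uid !== 'string' || payload.uid === '') return reject('missing uid');
  if (!Number.isInteger(payload.iat) || !Number.isInteger(payload.exp)) {
    return reject('missing iat/exp');
  }
  if (payload.exp <= nowSeconds) return reject('expired');
  if (payload.exp - payload.iat > MAX_LIFETIME_SECONDS) return reject('lifetime too long');
  return { ok: true, uid: payload.uid };
}

// Constructed sample token with a placeholder signature, for demonstration only.
function b64url(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function sampleToken(overrides = {}, now = 1700000000) {
  const payload = {
    iss: 'svc@example.iam.gserviceaccount.com',
    sub: 'svc@example.iam.gserviceaccount.com',
    aud: CUSTOM_TOKEN_AUD, iat: now, exp: now + 3600, uid: 'user-123', ...overrides,
  };
  return [b64url({ alg: 'RS256', typ: 'JWT' }), b64url(payload), 'c2lnbmF0dXJl'].join('.');
}

// Wiring inside the extension (skipped when run outside a browser). Assumes the
// Firebase v8 static files are already loaded, as in the posts above.
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((message, sender, sendResponse) => {
    if (!vetTokenMessage(message, sender).ok) {
      sendResponse({ ok: false });
      return false;
    }
    firebase.auth().signInWithCustomToken(message.token)
      .then(() => sendResponse({ ok: true }))
      .catch(() => sendResponse({ ok: false }));
    return true; // keep the channel open for the asynchronous response
  });
}
```

The token is a bearer credential for its one-hour lifetime, so the page should send it only to the extension's ID and neither side should log it.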

Uladzimir Yankovich

Apr 22, 2022, 2:23:52 PM
to Chromium Extensions, jdar...@gmail.com, Camron, julein...@gmail.com, Chromium Extensions, Rasika Suryakant Warade, 5letters, Jackie Han, mar...@prodege.com
Just in case, since this forum is read by the guys from the Chrome team, this is not a solution. This is a good workaround, temporary solution.

Extensions are full-fledged products that should not be required to have a web server and web applications to fully work.

Pawel Kacprzak

Sep 30, 2022, 9:14:07 PM
to Chromium Extensions, yankovic...@gmail.com, jdar...@gmail.com, camron...@gmail.com, julein...@gmail.com, Chromium Extensions, Rasika Suryakant Warade, 5letters, Jackie Han, mar...@prodege.com
Installing firebase from npm results in a build that fetches https://apis.google.com/js/api.js internally, just like @Amit Singh mentioned here: https://groups.google.com/a/chromium.org/g/chromium-extensions/c/xQmZLc8cu6Q/m/kpwXEsD9AQAJ and I'm concerned it may cause troubles regarding the "no remote code execution". Do you have any recommended way of approaching that?


@Jackie Han, you wrote:
> 1. Firebase uses remote code?
> No. You can bundle or include Firebase static js files in your extension.

Could you elaborate more about that? Because files downloaded from paths like https://www.gstatic.com/firebasejs/9.9.3/firebase-auth.js contain references to online js resources.

What I'm considering is to patch the npm package so that https://apis.google.com/js/api.js is bundled into the extension files and loaded from there but that's rather dirty and I'd prefer to avoid it if a better solution exists.

Jackie Han

Oct 1, 2022, 2:18:19 AM
to Pawel Kacprzak, Chromium Extensions, yankovic...@gmail.com, jdar...@gmail.com, camron...@gmail.com, julein...@gmail.com, Rasika Suryakant Warade, 5letters, mar...@prodege.com
Could you do an actual test in your extension? I haven't used it for a long time. In old version(e.g. https://www.gstatic.com/firebasejs/5.10.0/firebase-auth.js), it also contains "https://apis.google.com/js/api.js", but in my case it doesn't load it (I don't use popup OAuth operations).

By reading its document, Firebase JS SDK version 9 is module based, but there is a compat version that works like old versions. For example, use https://www.gstatic.com/firebasejs/9.10.0/firebase-auth-compat.js instead of https://www.gstatic.com/firebasejs/9.10.0/firebase-auth.js.

Pawel Kacprzak

Oct 1, 2022, 1:12:35 PM
to Chromium Extensions, Jackie Han, Chromium Extensions, yankovic...@gmail.com, jdar...@gmail.com, camron...@gmail.com, julein...@gmail.com, Rasika Suryakant Warade, 5letters, mar...@prodege.com, Pawel Kacprzak
@Jackie Han

> Could you do an actual test in your extension? I haven't used it for a long time. In old version(e.g. https://www.gstatic.com/firebasejs/5.10.0/firebase-auth.js), it also contains "https://apis.google.com/js/api.js", but in my case it doesn't load it (I don't use popup OAuth operations).

I did an actual test with npm version so far. It works perfectly but has this reference to "https://apis.google.com/js/api.js". I also don't use popup OAuth operations but I'm concerned that even having something like fetch("https://apis.google.com/js/api.js") may cause rejection (or even worse a violation during a random review after a positive initial review). Did you manage to publish an MV3 extension having this reference to "https://apis.google.com/js/api.js" in the source code?

About including the static versions you mentioned, I wanted to try that but I'm not totally sure how should I include them in my source code. With the npm version (Firebase JS SDK version 9), I just include the below imports in the service worker:

import { initializeApp } from 'firebase/app';
import { getAuth, onAuthStateChanged, signInWithCustomToken, signOut } from 'firebase/auth';

Do you have any advice about how to make these functions available in the service worker importing them from the static files? Maybe I'm missing something obvious there. 


Jackie Han

Oct 1, 2022, 3:12:44 PM
to Pawel Kacprzak, Chromium Extensions, yankovic...@gmail.com, jdar...@gmail.com, camron...@gmail.com, julein...@gmail.com, Rasika Suryakant Warade, 5letters, mar...@prodege.com
> I did an actual test with npm version so far. It works perfectly

If it works, you don't need to worry about it. Technically, the browser uses CSP to forbid remote code. If there is just a JS URL string in source code, and it doesn't run, I think it is safe.

NPM or traditional browser JS?
 
If you use version 9, NPM is the official recommendation. They say V9 Modular API supports tree-shaking, so I wonder if that unused code(remote js url) will be removed when you bundle modules.

The review process is a black box, so I can't promise you anything. You can publish a very simple version to CWS first, if they reject it, you can appeal. As a last resort, you can remove that unused code manually.

Pawel Kacprzak

Oct 1, 2022, 4:26:07 PM
to Chromium Extensions, Jackie Han, Chromium Extensions, yankovic...@gmail.com, jdar...@gmail.com, camron...@gmail.com, julein...@gmail.com, Rasika Suryakant Warade, 5letters, mar...@prodege.com, Pawel Kacprzak
@Jackie Han Thanks a lot for the insights

> If you use version 9, NPM is the official recommendation. They say V9 Modular API supports tree-shaking, so I wonder if that unused code(remote js url) will be removed when you bundle modules.

So what I did is that I produced a minimum example that imports auth to check if it includes this remote js url, the only imports I used were:

import { initializeApp } from 'firebase/app';
import { getAuth } from 'firebase/auth';

and this makes the "https://apis.google.com/js/api.js" string included in the build. Removing the import { getAuth } from 'firebase/auth' makes this string disappear from the build so I guess there is no way to get the advantage of tree-shaking to exclude this url from the build while using auth. What I'm planning to do is to either leave the string in the build as it is or add an additional step to the build that replaces it with something like an empty string to be safe. 

Rob Helmer

Oct 1, 2022, 5:43:08 PM
to Chromium Extensions
On Sat, Oct 1, 2022 at 1:26 PM Pawel Kacprzak <pawel.ka...@gmail.com> wrote:
> @Jackie Han Thanks a lot for the insights
>
> > If you use version 9, NPM is the official recommendation. They say V9 Modular API supports tree-shaking, so I wonder if that unused code(remote js url) will be removed when you bundle modules.
>
> So what I did is that I produced a minimum example that imports auth to check if it includes this remote js url, the only imports I used were:
>
> import { initializeApp } from 'firebase/app';
> import { getAuth } from 'firebase/auth';
>
> and this makes the "https://apis.google.com/js/api.js" string included in the build. Removing the import { getAuth } from 'firebase/auth' makes this string disappear from the build so I guess there is no way to get the advantage of tree-shaking to exclude this url from the build while using auth. What I'm planning to do is to either leave the string in the build as it is or add an additional step to the build that replaces it with something like an empty string to be safe.

We've released several extensions that use the Firebase client SDK (version 9 from npm) and they've been accepted on the Firefox AMO and also the CWS. I was curious and looked at our generated code (we bundle everything into a single background.js) and I do see this in our build output too (we are using tree-shaking or at least should be).

I'm pretty sure that code wouldn't work in the service worker context in any case (looks like it's injecting a script tag), and at least in our experience so far it hasn't led to rejection from the store. We use the upstream Firebase package without modification and our builds are easy to reproduce.

I think it's worth seeing why this code is making it into these builds and filing an issue on https://github.com/firebase/firebase-js-sdk if something needs to change to support it. I agree that not including this code in the extension at all would be least confusing for everyone.

 

Pawel Kacprzak

Oct 1, 2022, 5:59:12 PM
to Chromium Extensions, rhe...@rallyforall.com, chromium-...@chromium.org

> I'm pretty sure that code wouldn't work in the service worker context in any case (looks like it's injecting a script tag), and at least in our experience so far it hasn't led to rejection from the store. We use the upstream Firebase package without modification and our builds are easy to reproduce.

Thanks for the insights. It helps a lot with making decisions while updating to MV3. I'm also pretty sure executing this piece of code won't work in the context of the service worker - and that's why people struggle with implementing the well-known signInWithPopup authentication flow in the context of an extension. 

To be sure that the reference to this remote JS code doesn't end in the production code I decided to go with the following workaround for now (if you use webpack):

1. Install replace-in-file-webpack-plugin https://www.npmjs.com/package/replace-in-file-webpack-plugin
2. Add the following snippet to webpack plugins

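    // At the top of webpack.config.js:
    // const ReplaceInFileWebpackPlugin = require('replace-in-file-webpack-plugin');
    new ReplaceInFileWebpackPlugin([{
      dir: 'build', // replace with your output dir
      // replace this with something that matches your output (dots escaped so they match literally)
      test: [/background\.bundle\.js(\.map)?$/],
      rules: [{
        // Blank out the remote script URL that firebase/auth leaves in the bundle.
        search: 'https://apis.google.com/js/api.js',
        replace: '',
      }],
    }]),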
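
A build-time check for the concern discussed in the last few posts, as an added example that is not code from any poster, from Firebase or from the Chrome Web Store: it scans bundle text for remote script URLs and reports whether each one sits next to a loader call or is only a string. The patterns, function names and sample bundle are assumptions constructed for illustration, and the store's review criteria are not stated anywhere in this thread.

```javascript
// Added example: find remote JavaScript URLs in a built extension bundle and say
// whether a loader construct appears close to each one. Proximity is a heuristic:
// a minifier can move the URL constant far from the code that uses it, so
// strict mode (fail on any remote script URL) is the conservative setting.

// Quoted http(s) URLs whose path ends in .js or .mjs, with an optional query string.
const REMOTE_JS_URL = /(["'`])(https?:\/\/[^"'`\s]+?\.m?js(?:\?[^"'`\s]*)?)\1/g;

// Constructs that would actually pull code in (assumed, non-exhaustive list).
const LOADER_HINTS = [
  { name: 'importScripts', re: /importScripts\s*\(/ },
  { name: 'dynamic import', re: /\bimport\s*\(/ },
  { name: 'script element', re: /createElement\s*\(\s*["'`]script["'`]\s*\)/ },
  { name: 'eval/Function', re: /\beval\s*\(|new\s+Function\s*\(/ },
];

function scanBundle(source, contextChars = 200) {
  const findings = [];
  for (const m of source.matchAll(REMOTE_JS_URL)) {
    const start = Math.max(0, m.index - contextChars);
    const end = Math.min(source.length, m.index + m[0].length + contextChars);
    const context = source.slice(start, end);
    const loaders = LOADER_HINTS.filter((h) => h.re.test(context)).map((h) => h.name);
    findings.push({
      url: m[2],
      offset: m.index,
      loaders,
      inertString: loaders.length === 0, // URL present, no loader nearby
    });
  }
  return findings;
}

// strict: any remote script URL fails the build.
// default: only URLs with a loader construct nearby fail it.
function checkBundle(source, { strict = false } = {}) {
  const findings = scanBundle(source);
  const blocking = strict ? findings : findings.filter((f) => !f.inertString);
  return { pass: blocking.length === 0, findings };
}

// Constructed sample input: one URL that is only a string (as reported for the
// firebase/auth build above), one JSON fetch, and one script-tag injection.
const SAMPLE_INERT =
  'const cfg={gapi:"https://apis.google.com/js/api.js"};\n' +
  'function boot(){return fetch("https://example.com/data.json")}\n';
const SAMPLE_LOADER =
  'function load(){const s=document.createElement("script");' +
  's.src="https://cdn.example.com/lib.min.js?v=2";document.head.appendChild(s)}\n';
const SAMPLE_BUNDLE = SAMPLE_INERT + '/* ' + 'x'.repeat(400) + ' */\n' + SAMPLE_LOADER;
```

In a build script, pass the text of each emitted bundle to `checkBundle` and fail the build when `pass` is false; the findings give the offset to inspect.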