Content Security Policy and Firebase


Daniel Sánchez

Mar 15, 2016, 12:31:42 PM
to Firebase Google Group
Hi everyone,

After some time playing with Firebase, I decided to apply some CSP because I read that it is a good way to prevent attacks. I'm really new to those topics (security things). I wrote a long line in my .htaccess allowing trusted origins such as angularjs, firebase, jquery, etc. Now at the end the console only shows one error or problem.

Refused to connect to 'wss://s-usc1c-nss-139.firebaseio.com/.ws?v=5&s=sLsb6FpYpVgR4oMXz5mDGnnVhi0HVibT&ns...' because it violates the following Content Security Policy directive: "connect-src 'self' s-usc1c-nss-139.firebaseio.com".

I actually have that directive already but it is still showing that error. How can I solve that? Maybe I'm missing something, or maybe I shouldn't care about it.

Any tip would be appreciated, or more info that I need to consider when applying some CSP.

Thanks :)

Tom Larkworthy

Mar 15, 2016, 1:38:20 PM
to Firebase Google Group
So that's the WebSocket data communication to Firebase (note the wss protocol, WebSocket Secure). If it fails to connect, we fall back to http long polling. So it's entirely possible your app will still work, but at reduced performance. I would try to fix it; http://stackoverflow.com/questions/32986074/content-security-policy-meta-tag-for-allowing-web-socket might help?


Daniel Sánchez

Mar 15, 2016, 7:28:08 PM
to Firebase Google Group
Hi Tom,

Thanks for helping, I had to add (*) in the directive:

connect-src * 'self' auth.firebase.com s-usc1c-nss-139.firebaseio.com

Now that error does not appear anymore, hope I'm doing it well.

Thanks
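
Added example, not part of the thread: a simplified JavaScript model of CSP Level 2 source matching for connect-src, showing why the scheme-less host entry in the error above does not cover the wss:// connection, and how an explicit wss:// entry compares with `*`. The page origin https://app.example, the host collector.example and all function names are assumptions; path matching is omitted.

```javascript
// Added example: simplified model of CSP Level 2 source matching for connect-src.
// Assumptions: default ports only, no path matching; names are illustrative.
const DEFAULT_PORT = { http: "80", https: "443", ws: "80", wss: "443" };

function hostMatches(pattern, host) {
  // "*.example.com" matches subdomains; anything else must match exactly.
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function sourceAllows(source, target, page) {
  if (source === "*") return true; // any host at all
  if (source === "'self'") return target.origin === page.origin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  const tScheme = target.protocol.slice(0, -1);
  const pScheme = page.protocol.slice(0, -1);
  if (scheme) {
    if (scheme.toLowerCase() !== tScheme) return false;
  } else if (pScheme === "http") {
    // Scheme-less source on an http page: only http and https targets match.
    if (tScheme !== "http" && tScheme !== "https") return false;
  } else if (tScheme !== pScheme) {
    // Scheme-less source elsewhere: target scheme must equal the page's scheme,
    // so a bare host on an https page does not cover wss.
    return false;
  }
  if (!hostMatches(host.toLowerCase(), target.hostname)) return false;
  const tPort = target.port || DEFAULT_PORT[tScheme];
  return port === "*" || (port || DEFAULT_PORT[tScheme]) === tPort;
}

function connectAllowed(sourceList, targetUrl, pageUrl) {
  const target = new URL(targetUrl);
  const page = new URL(pageUrl);
  return sourceList.trim().split(/\s+/).some((s) => sourceAllows(s, target, page));
}

const PAGE = "https://app.example/"; // assumed page origin (constructed)
const FIREBASE_WS = "wss://s-usc1c-nss-139.firebaseio.com/.ws"; // host from the error above
const OTHER_WS = "wss://collector.example/"; // constructed unrelated host

console.log(connectAllowed("'self' s-usc1c-nss-139.firebaseio.com", FIREBASE_WS, PAGE));
console.log(connectAllowed("'self' wss://s-usc1c-nss-139.firebaseio.com", FIREBASE_WS, PAGE));
console.log(connectAllowed("* 'self' s-usc1c-nss-139.firebaseio.com", OTHER_WS, PAGE));
console.log(connectAllowed("'self' wss://s-usc1c-nss-139.firebaseio.com", OTHER_WS, PAGE));
```

The model follows the Level 2 rule; CSP Level 3 relaxes it so that a scheme-less host on an https page also matches wss.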