Firepad in Chrome App

[Ken Petti]

Hey, 

I want to utilize Firepad in a Chrome app. I seem to hit a snag when I construct a new Firebase connection. Following the example in the docs, I get this error:

 

Refused to load the script 'https://panels-fd87e.firebaseio.com/.lp?start=t&ser=66668183&cb=1&v=5' because it violates the following Content Security Policy directive: "default-src 'self' blob: filesystem: chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

After a bit of research, I saw something about putting scripts like this inside an iframe, Now, in my index.html file I have this:

 

<iframe id="sandbox-frame" sandbox="allow-scripts" src="sandbox.html"></iframe> 

But in the Chrome console I now see these errors:

 

firebase.js:170 Sandbox access violation: Blocked a frame at "chrome-extension://ehcppapahgjgakjmpgigikchnclhekdn" from accessing a frame at "null".  Both frames are sandboxed and lack the "allow-same-origin" flag

 

firebase.js:171 Uncaught SecurityError: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Sandbox access violation: Blocked a frame at "chrome-extension://ehcppapahgjgakjmpgigikchnclhekdn" from accessing a frame at "null".  Both frames are sandboxed and lack the "allow-same-origin" flag.

Any help would be great

Thanks! 

[Michael Lehenbauer]

Hi Ken,

I haven't played with this in a long time, but you may want to take a look at this firebase chrome extension example which has an example content security policy that used to work.  I'm not sure if it still does or if there are other issues you might hit.

Sorry I can't be of more help.  Let us know if you get it working.

Best regards,

-Michael

--
You received this message because you are subscribed to the Google Groups "Firepad" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firepad-io+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firepad-io/790626a7-2ede-4563-8b24-d4219f388039%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Ken Petti]

Yeah, so modifying the content security policy for packaged apps is no longer allowed. I did find this stackoverflow though http://stackoverflow.com/a/30588748, which suggests running Firebase.INTERNAL.forceWebSockets() before creating a new firebase. I've added that and it does in fact work. 

There is also this stack http://stackoverflow.com/q/30586960, and one of the comments on the answer says "(re: forcing a websocket) Some features are working some are not. Like, User session is lost on app restart." Not quite sure what that means/how that impacts usage.

[Michael Lehenbauer]

Ah, cool.  Glad you made some progress.  I think that's referring to if you use Firebase Authentication, the user state isn't persisted (presumably because localStorage isn't available or something).

For what it's worth, I'm sure that comment was made in reference to the 2.x SDK.  If you're using 3.x, it's a new ball game. :-)

-Michael

To view this discussion on the web visit https://groups.google.com/d/msgid/firepad-io/613d6c99-2c35-4533-9b68-9bd01df55d49%40googlegroups.com.