I am trying to link a Chrome extension to Firebase Cloud Messaging, but I am getting an
Unrecognized manifest key 'gcm_sender_id' error when I load the extension
(image of the error).
Here is my manifest file:
{
  "manifest_version": 2,
  "name": "iQU",
  "description": "iQU",
  "version": "1.0",
  "browser_action": {
    "default_icon": "icon.png",
    "default_popup": "index.html"
  },
  "permissions": [],
  "content_security_policy": "script-src 'self' 'unsafe-eval' https://cdn.firebase.com https://*.firebaseio.com; object-src 'self'",
  "web_accessible_resources": [
    "assets/css/*",
    "assets/js/*",
    "assets/fonts/*"
  ],
  "gcm_sender_id": "103953800507"
}
any help please?
Related
I am developing an MV3 Chrome extension that uses a sqlite3 database, but I am getting the error
"'content_security_policy.extension_pages': Insecure CSP value "'unsafe-eval'" in directive 'script-src'.
Could not load manifest." when I try to add it to my Chrome browser.
My manifest.json is as follows:
{
  "manifest_version": 3,
  "name": "Some name",
  "version": "1.0",
  "description": "Some description",
  "icons": {
    "16": "icons/icon1.png",
    "32": "icons/icon2.png",
    "48": "icons/icon3.png",
    "128": "icons/icon4.png"
  },
  "action": {
    "default_popup": "search.html",
    "default_icon": "icons/icon4.png"
  },
  "background": {
    "service_worker": "background.js"
  },
  "web_accessible_resources": [
    {
      "matches": ["<all_urls>"],
      "resources": ["sqlite3.wasm"]
    }
  ],
  "content_security_policy": {
    "extension_pages": "script-src 'self' 'unsafe-eval'; object-src 'self'; worker-src blob: 'self';"
  },
  "permissions": [
    "activeTab",
    "storage"
  ]
}
Note: sqlite3.wasm exists in the same directory as the manifest file.
Any advice appreciated!
The issue seems to be specific to MV3.
We are getting a frame-ancestors related iframe error when attempting to use the hellosign-embedded library from our application; the application is hosted on Firebase.
Example of the error message:
Refused to frame 'https://app.hellosign.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
Example of the headers configuration for Firebase Hosting:
"headers": [
  {
    "source": "**/*",
    "headers": [
      {
        "key": "Cache-Control",
        "value": "no-cache"
      },
      {
        "key": "Content-Security-Policy",
        "value": "frame-ancestors 'self' *://*.hellosign.com"
      }
    ]
  }
]
So either these settings are not being recognized, or there is a deeper issue.
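The following is an added example, not code from any of the posts above. It uses one small CSP parser for two checks that the two preceding questions call for: lintMv3ExtensionCsp() reproduces the manifest-load rule behind the "Insecure CSP value 'unsafe-eval'" error from the sqlite3.wasm question and shows the 'wasm-unsafe-eval' keyword that Chrome accepts for WebAssembly in MV3 extension pages, and frameAllowed() evaluates frame-ancestors the way a browser does, reading it from the response being framed. That second point is why the hellosign error cannot be changed from the embedding site's firebase.json: the policy quoted in the error is app.hellosign.com's, not yours. The manifest, the origins and the hellosign policy below are constructed from what the questions show; example-app.web.app is a hypothetical site.

```javascript
const MV3_FORBIDDEN_SCRIPT_SOURCES = new Set(["'unsafe-eval'", "'unsafe-inline'"]);

// Parse "directive src src; directive src" into Map<directive, [sources]>.
// The first occurrence of a directive wins, which is how browsers treat duplicates.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Check 1: the rule behind "Insecure CSP value 'unsafe-eval'". MV3 extension pages may
// not use eval-style keywords or remote script hosts; 'wasm-unsafe-eval' is the keyword
// Chrome accepts for loading WebAssembly such as sqlite3.wasm.
function lintMv3ExtensionCsp(manifest) {
  const findings = [];
  if (manifest.manifest_version !== 3) return findings;
  const csp = manifest.content_security_policy;
  if (!csp || typeof csp !== 'object' || !csp.extension_pages) return findings;
  const scriptSrc = parseCsp(csp.extension_pages).get('script-src') || [];
  for (const src of scriptSrc) {
    const s = src.toLowerCase();
    if (MV3_FORBIDDEN_SCRIPT_SOURCES.has(s)) {
      findings.push(`script-src: insecure CSP value ${src}`);
    } else if (/^https?:/.test(s)) {
      findings.push(`script-src: remote source ${src} is not allowed in extension_pages`);
    }
  }
  return findings;
}

// Return a copy of the manifest that permits WebAssembly but still blocks JS eval().
function allowWasmOnly(manifest) {
  const fixed = JSON.parse(JSON.stringify(manifest));
  const pages = fixed.content_security_policy.extension_pages;
  fixed.content_security_policy.extension_pages =
    pages.replace(/'unsafe-eval'/gi, "'wasm-unsafe-eval'");
  return fixed;
}

// Constructed manifest reproducing the policy from the sqlite3.wasm question.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'constructed sample',
  version: '1.0',
  content_security_policy: {
    extension_pages: "script-src 'self' 'unsafe-eval'; object-src 'self'; worker-src blob: 'self';",
  },
};

// Check 2: may a document at parentOrigin embed a page at childOrigin that answers with
// childCsp? frame-ancestors is read from the framed response, never from the embedder.
// Supports 'self', 'none', '*', scheme sources and host sources with an optional leading
// "*."; ports and paths are ignored, and 'none' is treated strictly wherever it appears.
function frameAllowed(parentOrigin, childOrigin, childCsp) {
  const ancestors = parseCsp(childCsp).get('frame-ancestors');
  if (!ancestors) return true; // no directive: CSP does not restrict embedding
  const parent = new URL(parentOrigin);
  const child = new URL(childOrigin);
  for (const src of ancestors) {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === '*') return true;
    if (s === "'self'") {
      if (parent.origin === child.origin) return true;
      continue;
    }
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) {
      if (parent.protocol === s) return true;
      continue;
    }
    const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/);
    if (!m) continue; // unsupported or invalid source expression: ignored
    const [, scheme, wildcard, host] = m;
    if (scheme && parent.protocol !== scheme + ':') continue;
    const hostOk = wildcard ? parent.hostname.endsWith('.' + host) : parent.hostname === host;
    if (hostOk) return true;
  }
  return false;
}

// Constructed scenario matching the hellosign error: the policy quoted in the error
// belongs to app.hellosign.com, so the embedding site's own header never enters into it.
const APP_ORIGIN = 'https://example-app.web.app'; // hypothetical Firebase site
const HELLOSIGN_ORIGIN = 'https://app.hellosign.com';
const HELLOSIGN_POLICY = "frame-ancestors 'self'";

function hellosignCanBeFramedFromApp() {
  return frameAllowed(APP_ORIGIN, HELLOSIGN_ORIGIN, HELLOSIGN_POLICY);
}
```

hellosignCanBeFramedFromApp() returns false whatever the Firebase site sends, because only the framed page's header is consulted; the site's own frame-ancestors value decides who may frame the site, which is the opposite direction. For the extension, allowWasmOnly() is the least-privilege fix: WebAssembly compilation is permitted, JavaScript eval() and remote scripts stay blocked.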
I have seen similar questions but nothing that answers this exactly. So I have an application being hosted by Firebase. I recently ran some penetration tests on it and realized I need to add some security headers to the website.
Specifically: X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options. The problem is I really do not know how to do that. Having done a bit of research, I can see that the way to add headers to my Firebase application is to add them to my firebase.json file, which I will show here:
{
  "hosting": {
    "site": "xxxxxxxxxxxxxxxxx",
    "public": "dist/xxxxxxxxxxxx",
    "ignore": [
      "firebase.json",
      "**/.*",
      "**/node_modules/**"
    ],
    "headers": [
      {
        "source": "**",
        "headers": [
          {
            "key": "Access-Control-Allow-Origin",
            "value": "*"
          }
        ]
      }
    ],
    "rewrites": [
      {
        "source": "**",
        "destination": "/index.html"
      }
    ]
  }
}
Do I need to add them to the "headers" section of that?
Sorry for the ignorance but any help is appreciated.
Almost complete Firebase security headers
Just create your Content-Security-Policy; I've used report-uri.com.
"headers": [
  {
    "source": "**",
    "headers": [
      {
        "key": "Content-Security-Policy",
        "value": "default-src 'none'; script-src 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' https://www.google.com https://www.google.ad https://www.google.ae https://www.google.com.af https://www.google.com.ag https://www.google.com.ai https://www.google.al https://www.google.am https://www.google.co.ao https://www.google.com.ar https://www.google.as https://www.google.at https://www.google.com.au https://www.google.az https://www.google.ba https://www.google.com.bd https://www.google.be https://www.google.bf https://www.google.bg https://www.google.com.bh https://www.google.bi https://www.google.bj https://www.google.com.bn https://www.google.com.bo https://www.google.com.br https://www.google.bs https://www.google.bt https://www.google.co.bw https://www.google.by https://www.google.com.bz https://www.google.ca https://www.google.cd https://www.google.cf https://www.google.cg https://www.google.ch https://www.google.ci https://www.google.co.ck https://www.google.cl https://www.google.cm https://www.google.cn https://www.google.com.co https://www.google.co.cr https://www.google.com.cu https://www.google.cv https://www.google.com.cy https://www.google.cz https://www.google.de https://www.google.dj https://www.google.dk https://www.google.dm https://www.google.com.do https://www.google.dz https://www.google.com.ec https://www.google.ee https://www.google.com.eg https://www.google.es https://www.google.com.et https://www.google.fi https://www.google.com.fj https://www.google.fm https://www.google.fr https://www.google.ga https://www.google.ge https://www.google.gg https://www.google.com.gh https://www.google.com.gi https://www.google.gl https://www.google.gm https://www.google.gr https://www.google.com.gt https://www.google.gy https://www.google.com.hk https://www.google.hn https://www.google.hr https://www.google.ht https://www.google.hu https://www.google.co.id https://www.google.ie https://www.google.co.il https://www.google.im https://www.google.co.in https://www.google.iq https://www.google.is https://www.google.it https://www.google.je https://www.google.com.jm https://www.google.jo https://www.google.co.jp https://www.google.co.ke https://www.google.com.kh https://www.google.ki https://www.google.kg https://www.google.co.kr https://www.google.com.kw https://www.google.kz https://www.google.la https://www.google.com.lb https://www.google.li https://www.google.lk https://www.google.co.ls https://www.google.lt https://www.google.lu https://www.google.lv https://www.google.com.ly https://www.google.co.ma https://www.google.md https://www.google.me https://www.google.mg https://www.google.mk https://www.google.ml https://www.google.com.mm https://www.google.mn https://www.google.ms https://www.google.com.mt https://www.google.mu https://www.google.mv https://www.google.mw https://www.google.com.mx https://www.google.com.my https://www.google.co.mz https://www.google.com.na https://www.google.com.ng https://www.google.com.ni https://www.google.ne https://www.google.nl https://www.google.no https://www.google.com.np https://www.google.nr https://www.google.nu https://www.google.co.nz https://www.google.com.om https://www.google.com.pa https://www.google.com.pe https://www.google.com.pg https://www.google.com.ph https://www.google.com.pk https://www.google.pl https://www.google.pn https://www.google.com.pr https://www.google.ps https://www.google.pt https://www.google.com.py https://www.google.com.qa https://www.google.ro https://www.google.ru https://www.google.rw https://www.google.com.sa https://www.google.com.sb https://www.google.sc https://www.google.se https://www.google.com.sg https://www.google.sh https://www.google.si https://www.google.sk https://www.google.com.sl https://www.google.sn https://www.google.so https://www.google.sm https://www.google.sr https://www.google.st https://www.google.com.sv https://www.google.td https://www.google.tg https://www.google.co.th https://www.google.com.tj https://www.google.tl https://www.google.tm https://www.google.tn https://www.google.to https://www.google.com.tr https://www.google.tt https://www.google.com.tw https://www.google.co.tz https://www.google.com.ua https://www.google.co.ug https://www.google.co.uk https://www.google.com.uy https://www.google.co.uz https://www.google.com.vc https://www.google.co.ve https://www.google.vg https://www.google.co.vi https://www.google.com.vn https://www.google.vu https://www.google.ws https://www.google.rs https://www.google.co.za https://www.google.co.zm https://www.google.co.zw https://www.google.cat https://www.gstatic.com/images/ https://www.googletagmanager.com/; manifest-src 'self'; media-src 'self'; report-uri https://YOURKEY.report-uri.com/r/d/csp/reportOnly; report-to default; worker-src 'self'; form-action 'self'; frame-ancestors 'self';"
      },
      {
        "key": "Cache-Control",
        "value": "public, max-age=31536000"
      },
      { "key": "X-Content-Type-Options", "value": "nosniff" },
      {
        "key": "X-Frame-Options",
        "value": "DENY"
      },
      { "key": "X-XSS-Protection", "value": "1; mode=block" },
      { "key": "Referrer-Policy", "value": "no-referrer" },
      { "key": "Feature-Policy", "value": "microphone 'self'" },
      {
        "key": "Expect-CT",
        "value": "max-age=86400, report-uri=\"https://YOURKEY.report-uri.com/b/g/h\""
      },
      {
        "key": "Report-To",
        "value": "{\"group\":\"default\",\"max_age\":31536000,\"endpoints\":[{\"url\":\"https://YOURKEY.report-uri.com/b/g/h\"}],\"include_subdomains\":true}"
      }
    ]
  }
]
"headers": [
  {
    "source": "**",
    "headers": [
      { "key": "Access-Control-Allow-Origin", "value": "*" },
      { "key": "X-Frame-Options", "value": "deny" },
      { "key": "X-Content-Type-Options", "value": "nosniff" },
      { "key": "X-XSS-Protection", "value": "1; mode=block" }
    ]
  }
],
This seemed to work perfectly well.
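An added example, not part of either answer above, that generates the firebase.json "headers" rule from structured values rather than hand-written strings, then runs the two checks a reviewer would apply to such a block. Report-To is a JSON object and must be emitted as one (a single-quoted imitation of JSON is discarded by the browser, so reports never arrive), and when a response carries both X-Frame-Options and a frame-ancestors directive, browsers that implement CSP ignore X-Frame-Options, so DENY beside frame-ancestors 'self' behaves as 'self' and the two should be made to agree. The YOURKEY.report-uri.com endpoint placeholder is kept from the answer; the shortened policy, the directory name and the single-quoted sample are constructed.

```javascript
// Reporting endpoint placeholder carried over from the answer; replace with your own.
const REPORTING_ENDPOINT = 'https://YOURKEY.report-uri.com/b/g/h';

// Constructed, shortened policy; the report-to directive names the Report-To group.
const SAMPLE_CSP =
  "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; " +
  "connect-src 'self'; font-src 'self'; base-uri 'self'; form-action 'self'; " +
  "frame-ancestors 'self'; report-to default";

// Build one firebase.json "headers" rule. Report-To is serialized with JSON.stringify so
// it arrives as valid JSON. Expect-CT is included only because the answer uses it; the
// header is deprecated in current browsers.
function buildSecurityHeaders({ csp, reportingEndpoint, frameOption = 'DENY' }) {
  const reportTo = JSON.stringify({
    group: 'default',
    max_age: 31536000,
    endpoints: [{ url: reportingEndpoint }],
    include_subdomains: true,
  });
  return [{
    source: '**',
    headers: [
      { key: 'Content-Security-Policy', value: csp },
      { key: 'X-Content-Type-Options', value: 'nosniff' },
      { key: 'X-Frame-Options', value: frameOption },
      { key: 'Referrer-Policy', value: 'no-referrer' },
      { key: 'Expect-CT', value: `max-age=86400, report-uri="${reportingEndpoint}"` },
      { key: 'Report-To', value: reportTo },
    ],
  }];
}

// Check 1: every Report-To value must parse as JSON; returns the values that do not.
function malformedReportTo(rules) {
  const bad = [];
  for (const rule of rules) {
    for (const h of rule.headers) {
      if (h.key.toLowerCase() !== 'report-to') continue;
      try { JSON.parse(h.value); } catch (e) { bad.push(h.value); }
    }
  }
  return bad;
}

// Check 2: report X-Frame-Options / frame-ancestors pairs that are not equivalent,
// since the CSP directive is the one the browser will actually enforce.
function frameDirectiveConflicts(rules) {
  const conflicts = [];
  for (const rule of rules) {
    const byKey = {};
    for (const h of rule.headers) byKey[h.key.toLowerCase()] = h.value;
    const xfo = (byKey['x-frame-options'] || '').trim().toUpperCase();
    const m = (byKey['content-security-policy'] || '').match(/frame-ancestors\s+([^;]+)/i);
    if (!xfo || !m) continue;
    const ancestors = m[1].trim().toLowerCase();
    const equivalent =
      (xfo === 'DENY' && ancestors === "'none'") ||
      (xfo === 'SAMEORIGIN' && ancestors === "'self'");
    if (!equivalent) {
      conflicts.push({ source: rule.source, xFrameOptions: xfo, frameAncestors: ancestors });
    }
  }
  return conflicts;
}

// The hosting block to paste into firebase.json; the public directory is a placeholder.
function renderHostingConfig(rules, publicDir = 'dist') {
  return JSON.stringify({ hosting: { public: publicDir, headers: rules } }, null, 2);
}

// Constructed sample of the single-quoted pseudo-JSON that often ends up in Report-To.
const SINGLE_QUOTED_REPORT_TO_RULE = [{
  source: '**',
  headers: [{
    key: 'Report-To',
    value: "'group':'default', 'max_age':31536000, 'endpoints':[{'url':'https://YOURKEY.report-uri.com/b/g/h'}],'include_subdomains':true'",
  }],
}];
```

buildSecurityHeaders({ csp: SAMPLE_CSP, reportingEndpoint: REPORTING_ENDPOINT }) yields one conflict (DENY against 'self'); passing frameOption: 'SAMEORIGIN', or changing the policy to frame-ancestors 'none', clears it. After deploying, confirm the live response with curl -I rather than trusting the file, since a cached copy can mask a header change.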
I deployed a static site on Firebase Hosting with some header configurations,
but some of my headers don't appear after the site is deployed.
I tried changing the value of the Cache-Control header and it works,
but X-Frame-Options, Content-Security-Policy and X-Content-Type-Options don't.
firebase.json:
{
  "hosting": {
    "public": "public",
    "ignore": ["firebase.json", "**/.*", "**/node_modules/**"],
    "headers": [
      {
        "source": "**/*.@(html)",
        "headers": [
          {
            "key": "Cache-Control",
            "value": "max-age=3600"
          },
          {
            "key": "X-Frame-Options",
            "value": "SAMEORIGIN"
          },
          {
            "key": "Content-Security-Policy",
            "value": "script-src 'self' 'unsafe-inline' cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com"
          }
        ]
      },
      {
        "source": "**/*.@(jpg|jpeg|gif|png|ico|svg)",
        "headers": [
          {
            "key": "Cache-Control",
            "value": "max-age=2592000"
          }
        ]
      },
      {
        "source": "**/*.@(js|css)",
        "headers": [
          {
            "key": "Cache-Control",
            "value": "max-age=2592000"
          }
        ]
      },
      {
        "source": "**/*",
        "headers": [
          {
            "key": "X-Content-Type-Options",
            "value": "nosniff"
          }
        ]
      }
    ]
  }
}
Actual response header I get:
After deploying, make sure to clear your browser's cache or use incognito mode. That's what happened to me: my custom headers were not showing because Chrome had cached the previously deployed version.
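Caching aside, the per-file-type layout in the question means a header is only sent on paths whose source glob matches, so it is worth being able to resolve, offline, which rules a given request path hits. The following is an added example, not code from the question or the answer: globToRegExp() converts a Hosting source pattern (the ** , * , ? and @(a|b) forms) to a regular expression, and headersFor() collects the headers a path would receive. The config is a constructed copy of the question's layout, and the merge behaviour is a stated assumption of the model (all matching rules contribute, later rules override the same key, and matching is on the request path rather than on the file a rewrite serves); confirm against the deployed site with curl -I.

```javascript
// Escape a literal for use inside a RegExp.
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Convert one Firebase Hosting "source" glob to a RegExp. ** spans directories, * and ?
// stay within one path segment, @(a|b) is extglob alternation. Anything else is literal,
// so a mistyped "#(html)" becomes the literal text "#(html)" and matches no real path.
function globToRegExp(glob) {
  const tokens = glob.match(/\*\*\/|\*\*|\*|\?|@\([^)]*\)|./g) || [];
  let re = '';
  for (const t of tokens) {
    if (t === '**/') re += '(?:.*/)?';
    else if (t === '**') re += '.*';
    else if (t === '*') re += '[^/]*';
    else if (t === '?') re += '[^/]';
    else if (t.startsWith('@(')) {
      re += '(?:' + t.slice(2, -1).split('|').map(escapeRe).join('|') + ')';
    } else re += escapeRe(t);
  }
  return new RegExp('^' + re + '$');
}

// Headers a request path would receive. Assumption (a model, not a statement of Hosting
// internals): every rule whose source matches contributes, later rules overriding earlier
// ones for the same key, and matching is done on the request path, not on the file a
// rewrite eventually serves.
function headersFor(hosting, requestPath) {
  const path = requestPath.replace(/^\/+/, '');
  const applied = {};
  for (const rule of hosting.headers || []) {
    if (!globToRegExp(rule.source).test(path)) continue;
    for (const h of rule.headers) applied[h.key] = h.value;
  }
  return applied;
}

// Which of the expected headers a path would NOT receive under this configuration.
function missingHeaders(hosting, requestPath, expected) {
  const got = headersFor(hosting, requestPath);
  return expected.filter((k) => !(k in got));
}

// Constructed copy of the per-type layout used in the question.
const SAMPLE_HOSTING = {
  public: 'public',
  headers: [
    { source: '**/*.@(html)', headers: [
      { key: 'Cache-Control', value: 'max-age=3600' },
      { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
      { key: 'Content-Security-Policy', value: "script-src 'self'; style-src 'self'" },
    ] },
    { source: '**/*.@(jpg|jpeg|gif|png|ico|svg)', headers: [{ key: 'Cache-Control', value: 'max-age=2592000' }] },
    { source: '**/*.@(js|css)', headers: [{ key: 'Cache-Control', value: 'max-age=2592000' }] },
    { source: '**/*', headers: [{ key: 'X-Content-Type-Options', value: 'nosniff' }] },
  ],
};

const DOCUMENT_HEADERS = ['X-Frame-Options', 'Content-Security-Policy', 'X-Content-Type-Options'];
```

Under this model missingHeaders(SAMPLE_HOSTING, '/', DOCUMENT_HEADERS) reports X-Frame-Options and Content-Security-Policy missing: the root URL has no .html suffix, so only the "**/*" rule applies to it even though index.html is what gets served. If the live site shows the same gap, move the document headers to a "**" rule, as the other answers on this page do.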
This may be an oversight, but I'm using Firebase and set up the firebase.json file, which is a mixture of auto-generation and copying the headers block from Firebase's documentation. The issue is that my fonts refuse to allow me access even though my file looks like this:
{
  "firestore": {
    "rules": "firestore.rules",
    "indexes": "firestore.indexes.json"
  },
  "hosting": {
    "public": "build",
    "ignore": [
      "firebase.json",
      "**/.*",
      "**/node_modules/**"
    ],
    "rewrites": [
      {
        "source": "**",
        "destination": "/index.html"
      }
    ],
    "headers": [
      {
        "source": "**/*.@(eot|otf|ttf|ttc|woff)",
        "headers": [
          {
            "key": "Access-Control-Allow-Origin",
            "value": "*"
          }
        ]
      },
      {
        "source": "**/*.@(jpg|jpeg|gif|png|svg)",
        "headers": [
          {
            "key": "Cache-Control",
            "value": "max-age=7200"
          }
        ]
      }
    ]
  },
  "storage": {
    "rules": "storage.rules"
  }
}
This is the CORS error I'm getting:
Access to Font {Firebase font url}. {Firebase font url} from origin {Firebase project url} has been blocked by CORS policy. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin {Firebase project url} is therefore not allowed access.
Side note: I have an images folder from which I am able to load images just fine. Is there something about fonts that requires more attention?
Firebase rolled out a new feature/tool that forces users to update the CORS settings for Google Storage. I found the answer in this StackOverflow question:
Firebase Storage and Access-Control-Allow-Origin
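An added example, not part of the answer above. The quoted error is about a font served from the Firebase Storage bucket, which is Cloud Storage, not Hosting; the firebase.json header rules only ever apply to files Hosting serves, so the bucket's own CORS configuration is what decides whether Access-Control-Allow-Origin is sent. buildCorsConfig() produces that configuration document for a list of site origins and originAllowed() predicts the bucket's answer for a given request, so the fix can be checked before it is applied with gsutil. The project name, bucket name and origins are constructed placeholders.

```javascript
// Build the CORS configuration document for the bucket (the JSON written to cors.json).
// Listing the site's origins is preferable to "*" when the bucket also holds per-user
// files; "*" is acceptable for purely public assets such as web fonts.
function buildCorsConfig(origins, { methods = ['GET'], maxAgeSeconds = 3600 } = {}) {
  for (const o of origins) {
    if (o !== '*' && !/^https?:\/\/[^/]+$/.test(o)) {
      throw new Error(`origin must be scheme://host[:port] with no path, got ${o}`);
    }
  }
  return [{ origin: origins, method: methods, maxAgeSeconds, responseHeader: ['Content-Type'] }];
}

// Predict whether the bucket will send Access-Control-Allow-Origin for a request: the
// request origin must appear in an entry's origin list (or the entry lists "*") and the
// method must be in that entry's method list.
function originAllowed(corsConfig, requestOrigin, method = 'GET') {
  for (const entry of corsConfig) {
    const originOk = entry.origin.includes('*') || entry.origin.includes(requestOrigin);
    if (originOk && entry.method.includes(method)) return true;
  }
  return false;
}

// Serialized form to write to cors.json.
function corsJsonFile(origins, options) {
  return JSON.stringify(buildCorsConfig(origins, options), null, 2);
}

// The command that applies the file with Google Cloud's gsutil CLI; the bucket name is
// the caller's (for Firebase Storage it is the project's default bucket).
function applyCommand(bucketName, file = 'cors.json') {
  return `gsutil cors set ${file} gs://${bucketName}`;
}

// Constructed: the two default Hosting domains of a hypothetical project.
const SITE_ORIGINS = [
  'https://example-project.web.app',
  'https://example-project.firebaseapp.com',
];
const SITE_CORS = buildCorsConfig(SITE_ORIGINS);
```

With SITE_CORS in place, a font request from https://example-project.web.app is answered with the CORS header and one from any other origin is not; the same check with buildCorsConfig(['*']) allows every origin, which is the trade-off to make deliberately rather than by default.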