
Only after a certain amount of time does this error occur. But if I remove the extension from Chrome and re-add it, it won’t happen for a while.
This only happens in the popup.html file for some reason.

The error:

`BrowserPollConnection.ts:740` Refused to load the script 'https://fb-instance.firebaseio.com/.lp?start=t&ser=xx&cb=3&v=5&p=1:xxx' because it violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.


There is nothing I can add or change to the manifest content_security_policy, and I believe that the popup is part of the extension_pages.
And again, this error only occurs after a certain time (or something else that I don’t know of), and removing and re-adding the extension is the only way to "fix" the error.
This has only been happening for maybe a week, perhaps since a Chrome update (now on v104.0.5112.81).

So if I follow that firebaseio.com URL, there is some kind of Firebase script that wants to execute from remote:

    function pLPCommand(c, a1, a2, a3, a4) {
        parent.window["pLPCommand1"] && parent.window["pLPCommand1"](c, a1, a2, a3, a4);
    }
    function pRTLPCB(pN, data) {
        parent.window["pRTLPCB1"] && parent.window["xxx"](pN, data);
    }
    pLPCommand('start','123','abcd');
    pRTLPCB(0,[{"t":"c","d":{"t":"h","d":{"ts":xxx,"v":"5","h":"fb-instance.firebaseio.com","s":"xxx"}}}]);

I know this is not even a critical script and is probably some sort of analytics, since the popup works fine before this… until it doesn’t…

Manifest.json (MV3):

  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self'; script-src-elem 'self' 'unsafe-inline' https://www.gstatic.com/ https://*.firebaseio.com https://*.firebasedatabase.app https://www.googleapis.com"
  },

And I don’t want to rewrite the whole popup so that it uses the sandbox CSP, and have to rewire it, and then I can’t access the chrome.window, chrome.tabs etc. APIs and would have to forward the authentication etc. JUST to avoid a problem that is caused by what seems to be a non-critical script that the Firebase library wants to execute for some reason.

And before the error occurs I don’t see any requests to that https://subdomain.firebaseio.com/.lp?start=t&ser=etcetc url, and I’m not sure what triggers this to happen. And once it does, it will keep happening, until I remove the extension completely and re-add it, reloading does not work…

(Using: "firebase": "^9.6.3" atm)

/Update

I’ve narrowed it down to the onAuthStateChanged part of my firebase code. So instead, I now send a message to the background page to get my auth.uid then I can just operate normally. (I just needed it for a query)

But it’s odd, because I do the initial login/auth through the newtab/options page.
But I can still create firestore entries in the popup and I’m not even doing firebase.initializeApp(config) in the popup anywhere so I wonder how this ‘sandboxed’ script knows who I am, but this is a different question entirely…

2 Answers


  1. I’m not sure why it’s working from time to time, but from my understanding it is not possible to add those URLs to the CSP.
    From the Google Chrome Documentation

    In addition, Manifest V3 disallows certain CSP modifications for extension_pages that were permitted in Manifest V2. The script-src, object-src, and worker-src directives may only have the following values:
    self, none, any localhost source (http://localhost, http://127.0.0.1, or any port on those domains)

  2. I also got stuck on this problem and spent a lot of time solving it.

    localStorage.removeItem("firebase:previous_websocket_failure")
    

    The SDK will set firebase:previous_websocket_failure to true in localStorage when the websocket connection is not available.

    That’s where the problem arises.

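Added example, not part of the original question or answers: a simplified JavaScript model of how CSP decides a script-element load when more than one policy is enforced, applied to the manifest value and the error message from the question. It assumes the policy printed in the error is enforced alongside the manifest's `extension_pages` value; the extension origin is a constructed placeholder, and the matcher covers only `'self'` and scheme/host sources.

```javascript
// Simplified model of CSP checks for <script> element loads (added example).
// Handles only 'self' and scheme://host sources; ports are ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return url.href.startsWith(selfOrigin + "/");
  if (source.startsWith("'")) return false; // keywords never match a URL
  const m = /^(https?):\/\/(\*\.)?([^\/]+)(\/.*)?$/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, path = "/"] = m;
  if (url.protocol !== scheme + ":") return false;
  const hostOk = wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
  const pathOk = path.endsWith("/")
    ? url.pathname.startsWith(path)
    : url.pathname === path;
  return hostOk && pathOk;
}

function policyAllowsScript(policy, scriptUrl, selfOrigin) {
  const d = parsePolicy(policy);
  // Fallback chain: script-src-elem, then script-src, then default-src.
  const sources =
    d.get("script-src-elem") ?? d.get("script-src") ?? d.get("default-src");
  if (sources === undefined) return true; // this policy does not restrict scripts
  const url = new URL(scriptUrl);
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

// A load must pass every enforced policy; one policy cannot relax another.
function loadAllowed(policies, scriptUrl, selfOrigin) {
  return policies.every((p) => policyAllowsScript(p, scriptUrl, selfOrigin));
}

const MANIFEST_CSP = "script-src 'self'; object-src 'self'; script-src-elem 'self' 'unsafe-inline' https://www.gstatic.com/ https://*.firebaseio.com https://*.firebasedatabase.app https://www.googleapis.com";
const REPORTED_CSP = "script-src 'self' 'wasm-unsafe-eval'"; // from the error text
const SELF = "chrome-extension://abcdefghijklmnop"; // constructed placeholder origin
const LP_URL = "https://fb-instance.firebaseio.com/.lp?start=t&ser=xx&cb=3&v=5&p=1:xxx";
console.log(loadAllowed([MANIFEST_CSP, REPORTED_CSP], LP_URL, SELF)); // false
```

Taken alone, the manifest's `script-src-elem` list would admit the `.lp` URL, but the policy from the error message has no `script-src-elem`, falls back to `script-src 'self' 'wasm-unsafe-eval'`, and blocks it.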