Only after a certain amount of time does this error occur. But if remove the extension from chrome and re-add it, it won’t happen for a while.
This only happens in the popup.html file for some reason.
The error:
Error:
`BrowserPollConnection.ts:740` Refused to load the script 'https://fb-instance.firebaseio.com/.lp?start=t&ser=xx&cb=3&v=5&p=1:xxx' because it violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
There is nothing I can add or change to the manifest content_security_policy, and I believe that the popup is part of the extension_pages.
And again, this error only occurs after a certain time (or something else that I don’t know of), and removing and re-adding the extension is the only way to "fix" the error.
This only happens since maybe a week, perhaps a chrome update (Now on: v104.0.5112.81)
So if I follow that firebasio.com url, there is some kind of firebase script that wants to execute from remote:
function pLPCommand(c, a1, a2, a3, a4) {
parent.window["pLPCommand1"] && parent.window["pLPCommand1"](c, a1, a2, a3, a4);
}
function pRTLPCB(pN, data) {
parent.window["pRTLPCB1"] && parent.window["xxx"](pN, data);
}
pLPCommand('start','123','abcd');
pRTLPCB(0,[{"t":"c","d":{"t":"h","d":{"ts":xxx,"v":"5","h":"fb-instance.firebaseio.com","s":"xxx"}}}]);
I know this is not even a critical script and is probably some sort of analytics, since the popup works fine before this… until it doesn’t…
Manifest.json (MV3):
"content_security_policy": {
"extension_pages": "script-src 'self'; object-src 'self'; script-src-elem 'self' 'unsafe-inline' https://www.gstatic.com/ https://*.firebaseio.com https://*.firebasedatabase.app https://www.googleapis.com"
},
And I don’t want to re-write the whole popup so that it uses the sandbox CSP, and have to rewire it, and then I can’t access the chrome.window, chrome.tabs etc, APIs and would have to forward the authentication etc. JUST to avoid a problem that is cause by what seems to be a non-critical script that the firebase library wants to execute for some reason.
And before the error occurs I don’t see any requests to that https://subdomain.firebaseio.com/.lp?start=t&ser=etcetc url, and I’m not sure what triggers this to happen. And once it does, it will keep happening, until I remove the extension completely and re-add it, reloading does not work…
(Using: "firebase": "^9.6.3" atm)
/Update
I’ve narrowed it down to the onAuthStateChanged part of my firebase code. So instead, I now send a message to the background page to get my auth.uid then I can just operate normally. (I just needed it for a query)
But it’s odd, because I do the initial login/auth through the newtab/options page.
But I can still create firestore entries in the popup and I’m not even doing firebase.initializeApp(config) in the popup anywhere so I wonder how this ‘sandboxed’ script knows who I am, but this is a different question entirely…
2
Answers
I’m not sure why it’s working from time to time, but from my understanding is not possible to add those urls to the CSP.
From the Google Chrome Documentation
I also got stuck in this problem and spent a lot of time to solve it.
The SDK will set
firebase:previous_websocket_failuretotruein localStorage when the websocket connection is not available.That’s where the problem arises.