javascript - Difference between firebaseio.com and firebaseapp.com - Stack Overflow


My Firebase web app is communicating with two URLs that are relevant for this question:

  • https://*.firebaseapp.com/ (1st URL)
  • https://*.firebaseio.com/ (2nd URL)

For security reasons outside of scope of the Firebase service, I'm putting CSP headers in my app (content=frame-src).

I whitelisted https://[MY_ID].firebaseapp.com/ (1st URL), because it is needed for authentication. Moreover, the same URL is in my config in my frontend, so I feel it's safe to have it there and not exposing any secrets (if that makes sense...).

But while testing my app, every once in a while I get the following error about the 2nd URL:

Refused to frame 'https://[OTHER_ID].firebaseio.com/' because it violates the following Content Security Policy directive: "[MY_CSP_DIRECTIVE]".

My questions are:

In General:

  • What is the purpose of this URL? I don't seem to miss any functionality so far while I get this error message in my console.

Actions:

  • Is it safe to whitelist https://*.firebaseio.com/ with a wildcard? Or does that open up communication to random backends of other (possibly malicious) Firebase users?
  • Should I specify my ID like https://[OTHER_ID].firebaseio.com/ instead? Or am I then exposing an ID that I shouldn't expose in any way?
  • Or should I ignore the error as long as it doesn't seem to affect my app?

asked Nov 29, 2017 at 22:07 by Sventies

2 Answers

I'll admit I'm not familiar with Firebase myself but I know all the CSP related aspects of this.

Is it safe to whitelist https://*.firebaseio.com/ with a wildcard? Or does that open up communication to random backends of other (possibly malicious) Firebase users?

If each user gets a subdomain then yes, you're whitelisting all subdomains, so anyone's Firebase code could be executed.

More generally, you want to be as specific as you can with CSP without causing a problem. Generally down to the subdomain is specific enough, though you can even specify down to a specific directory or even file if you choose. Whitelisting all subdomains is generally not advised. Even if a site does not currently serve dangerous resources on another subdomain, they could add one at any time.

And you're not exposing anything the user won't already know by whitelisting in CSP. They'll know the domain from the Sources tab. You'd have to use a proxy if you don't want your users to see a direct origin.

If it doesn't affect your app I would still prefer to fix the issue one way or another, otherwise it leaves a scary message in the browser console (not that most users would look) and would make implementing report-uri later a pain from all the false positives. Fix the child-src with the io domain and find out what it does, and if it's not something you need I'd see if you can remove it.

While working on a Firebase project, I too had this doubt. While going through the documentation of the Realtime Database, I found out that, depending on the location of the database, Firebase provides different TLDs for these regions.

Here's the relevant information from the documentation:

Depending on the location of the database, the URL for the new database will be in one of the following forms:

DATABASE_NAME.firebaseio.com (for databases in us-central1)

DATABASE_NAME.REGION.firebasedatabase.app (for databases in all other locations)
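To make the first answer's point about wildcard sources concrete, and to show how the regional hostnames quoted in the second answer fit into a pinned policy, here is an added example that is not part of the question or either answer: a simplified CSP host-source matcher run against the wildcard frame-src from the question and a policy pinned to one project. The hostnames (my-app, other-app, the europe-west1 region) are constructed placeholders, and the matcher implements only the scheme, host, port and path parts of CSP source matching.

```javascript
// Added example (not the question's or answers' code): a simplified CSP
// host-source matcher used to compare the question's wildcard frame-src with a
// policy pinned to one project. All hostnames below are constructed.

// Match a URL against one source expression such as "https://*.firebaseio.com"
// (scheme, "*." host wildcard, port, path); keyword sources like 'self' never match here.
function sourceMatches(source, urlString) {
  if (source.startsWith("'")) return false;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  const url = new URL(urlString);
  if (scheme && scheme.toLowerCase() + ':' !== url.protocol) return false; // exact scheme match
  const h = url.hostname.toLowerCase();
  // "*.firebaseio.com" matches every subdomain, i.e. every project's database host,
  // but not bare "firebaseio.com"; a host without the wildcard must match exactly.
  const hostOk = wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
  if (!hostOk) return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== urlPort) return false;
  if (path) {
    const pathOk = path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
    if (!pathOk) return false;
  }
  return true;
}

// A frame-src value allows a URL when any listed source matches it.
function frameAllowed(directiveValue, urlString) {
  const sources = directiveValue.trim().split(/\s+/);
  if (sources.includes("'none'")) return false;
  return sources.some((s) => sourceMatches(s, urlString));
}

// Constructed policies: the question's wildcard beside one pinned to the project's own hosts.
const WILDCARD_POLICY = 'https://my-app.firebaseapp.com https://*.firebaseio.com';
const PINNED_POLICY = 'https://my-app.firebaseapp.com https://my-app.firebaseio.com ' +
  'https://my-app.europe-west1.firebasedatabase.app';

// Constructed frame URLs, including another project's database host and a regional database.
const FRAMES = [
  'https://my-app.firebaseapp.com/',
  'https://my-app.firebaseio.com/',
  'https://other-app.firebaseio.com/',
  'https://my-app.europe-west1.firebasedatabase.app/',
];

// Returns { url: allowed } for every sample frame under the given directive value.
function evaluate(directiveValue) {
  return Object.fromEntries(FRAMES.map((u) => [u, frameAllowed(directiveValue, u)]));
}
```

Under the wildcard policy the other project's database host is framed without complaint, which is exactly what the pinned policy refuses; the pinned policy also has to list the regional firebasedatabase.app host explicitly, since neither wildcard covers it.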
