Reputation: 31
I'm running into problems with CSP. I've tried adding Firebase to permissions, and sandboxing.
I am trying to convert this Firebase sample Chrome extension (https://github.com/firebase/firebase-chrome-extension) to a Chrome packaged app. The packaged app doesn't like to connect to Firebase. I just keep getting security violations in the console.
Upvotes: 3
Views: 621
Reputation: 4032
For the web SDK the answer appears to be no, which is surprising.
As of right now, 2017-10-03, it appears that the Firebase API is dependent on the browser's localStorage and document.open (which could be fixed with a polyfill). Firebase also loads scripts that it downloads from the internet (yourdatabase.firebaseio.com); the code is not allowed to be evaluated unless it is sandboxed. However, when it is sandboxed the code itself is not allowed to be downloaded. So I am giving up on this.
The REST API is still available, though it sort of takes away from the realtime experience.
Upvotes: 0
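The REST route mentioned in the answer above, sketched as an added example (not code from the answer or from Firebase): it reads the database through the `.json` REST endpoint and its server-sent `put`/`patch` events, so the payload is only ever passed to `JSON.parse` and no downloaded script is evaluated. The function names are hypothetical, the host is the placeholder from the answer, and it assumes the packaged app is allowed to open a connection to that host.

```javascript
// Added example; DB_URL is a placeholder and all function names are hypothetical.
const DB_URL = 'https://yourdatabase.firebaseio.com';
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isObject = (v) => v !== null && typeof v === 'object';

// REST endpoint for a database path: "<path>.json", no SDK script involved.
function restUrl(path) {
  const parts = path.split('/').filter(Boolean).map(encodeURIComponent);
  return DB_URL + '/' + parts.join('/') + '.json';
}

// Apply one streaming event to a local copy of the data.
// "put" replaces the value at path, "patch" merges direct children into it.
// The payload goes through JSON.parse only; nothing is evaluated as code.
function applyEvent(cache, type, rawData) {
  if (type !== 'put' && type !== 'patch') return cache; // e.g. keep-alive
  const { path, data } = JSON.parse(rawData);
  const keys = path.split('/').filter(Boolean);
  if (keys.some((k) => UNSAFE_KEYS.has(k))) throw new Error('unsafe key in path');
  if (type === 'put' && keys.length === 0) return data;
  const root = isObject(cache) ? cache : {};
  let node = root;
  for (const key of type === 'put' ? keys.slice(0, -1) : keys) {
    if (!isObject(node[key])) node[key] = {};
    node = node[key];
  }
  if (type === 'put') {
    const last = keys[keys.length - 1];
    if (data === null) delete node[last]; else node[last] = data;
    return root;
  }
  for (const [k, v] of Object.entries(data || {})) {
    if (UNSAFE_KEYS.has(k)) continue; // ignore prototype-polluting keys
    if (v === null) delete node[k]; else node[k] = v;
  }
  return root;
}

// Browser side: EventSource requests the endpoint as text/event-stream.
function subscribe(path, onChange) {
  let cache = null;
  const source = new EventSource(restUrl(path));
  for (const type of ['put', 'patch']) {
    source.addEventListener(type, (e) => onChange(cache = applyEvent(cache, type, e.data)));
  }
  return source;
}
```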
Reputation: 103
Last year I had an exchange with the Firebase developer team, and they were not even aware of this problem; they were focused on extensions rather than apps. Please find below the email exchange between me and the Firebase team:
[email protected], 9 Jan, to me:
Hey Ruvenss,
Thanks for the clarification. It's been over a year since I looked at Chrome extensions and I hadn't realized apps/extensions were diverging so much.
I'd still imagine that, if apps can run JavaScript or make REST requests, and allow external URLs to be contacted via web sockets or HTTPS, it should be reasonable to use them with Firebase. It might take a little fiddling, and it may or may not work with authentication (although I'd guess authWithRedirect() should be fine), but it should certainly be possible.
Being in the Google family doesn't really change the landscape of getting chrome apps running--there's not much demand and so it will be an individual effort of folk like you and I, digging in and trying it out, reporting specific errors, and finding a solution.
If you're willing to put in some time and share some of the errors you're seeing, along with smallish repros, I'd be happy to troubleshoot and to hunt down some chrome app engineers to help us find workarounds.
☼, Kato
On 01/08/16 15:38:15 [email protected] wrote:
Dear Kato,
What you sent me is a chrome-extension; the security protocol is totally different from a chrome-app. Since June 2015 the Google Chrome team changed the politics of how extensions and apps manage their connections.
If I use the same parameters in the manifest I get this error message:
There were warnings when trying to install this extension: 'content_security_policy' is only allowed for extensions and legacy packaged apps, but this is a packaged app.
So the question is, since you guys got into the Google family, is there any possibility that google-chrome apps get, in the near future, a way to use Firebase?
So as you can see it's a shame, since Firebase will solve a lot of server dependency for basic mono user apps in need of external storage.
Upvotes: 0
Reputation: 21
I was also running into the same issue. It seems a "chrome packaged app" does not allow adding "content_security_policy" and re-defining the policies in manifest.json.
Try adding it and re-loading the app via extension manager and you should see the following message:
There were warnings when trying to install this extension: 'content_security_policy' is only allowed for extensions and legacy packaged apps, and this is a packaged app.
Upvotes: 2