Reputation: 81
I have developed a website which uses Firebase authentication and realtime database. I've restricted Firebase API Key access to my server only (HTTP referrers - 'https://projectname.firebaseapp.com/'). But now I also want to allow my Chrome extension to access it.
Upvotes: 0
Views: 752
Reputation: 165
⚠️ Spoiler Bad News: Access-Control-Allow-Origin header cannot help as a security measure with Chrome Extensions.
💡 What you can do is create a custom authentication system (JWT or anything that you can store with the storage API for instance). Otherwise you can send an error code (unauthorised or unavailable). This can happen totally in the background. You can set up this handshake and store the key. You just have to make sure that this kind of auth requires that it comes from the browser and be able to verify the signature to make sure your token is not used elsewhere (like with curl or another server). JWT might be the best solution here imho.
GLHF! 🙃
Upvotes: 0
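The signed-token scheme suggested in the answer above, as an added example that is not part of the original post: a Node.js server issues a short-lived HS256 JWT that the extension can keep via the storage API, and verifies signature, algorithm, audience and expiry on each request. `SECRET`, `AUDIENCE`, the claim layout and the function names are assumptions made for the illustration.

```javascript
// Added example (not from the thread): HS256 token issue/verify for an extension client.
const nodeCrypto = require('node:crypto');

const SECRET = 'constructed-demo-secret';               // assumption: kept server-side only
const AUDIENCE = 'chrome-extension://yourextensionid/'; // placeholder ID as written in the thread

const b64url = (input) => Buffer.from(input).toString('base64url');
const sign = (data, secret) =>
  nodeCrypto.createHmac('sha256', secret).update(data).digest('base64url');

// Server side: issue a short-lived token once the user has authenticated.
function issueToken(uid, nowSec, ttlSec = 300, secret = SECRET) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ sub: uid, aud: AUDIENCE, exp: nowSec + ttlSec }));
  return `${header}.${payload}.${sign(`${header}.${payload}`, secret)}`;
}

// Server side: verify on every request; returns the claims or throws.
function verifyToken(token, nowSec, secret = SECRET) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [header, payload, sig] = parts;
  const expected = Buffer.from(sign(`${header}.${payload}`, secret));
  const given = Buffer.from(sig);
  // Constant-time comparison; the length check keeps timingSafeEqual from throwing.
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  // Parse only after the signature checks out, and pin the algorithm.
  const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString());
  if (alg !== 'HS256') throw new Error('unexpected alg');
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  if (claims.aud !== AUDIENCE) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('token expired');
  return claims;
}
```

A passing check shows the token was issued by this server, is unmodified and has not expired; it does not by itself identify which client is presenting it, so keep the lifetime short.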
Reputation: 81
Found a solution -
Adding this to HTTP referrers worked - 'chrome-extension://yourextensionid/'.
Any better or more secure solution is welcome!
Upvotes: 8