Firebase + Chrome content security policy settings?-Collection of common programming errors

I’m having a similar problem; you see, Firebase’s constructor seems to perform some dom manipulation in order to do some scripting (vague, I know), which triggers Chrome CSP because well, you are not supposed to do that.

I even trying to wrap the constructor through the Sandbox Pages, but without success (I get an DOM ERR 18, even though my manifest has all permissions). Same happens if you try to do it in a Background Page or a Popup Page for a Page Action/Browser Action.

Alternative? You can inject Firebase as a content script (do it from your manifest), and through Message Passing send the callbacks as Chrome.extension.sendMessage. I’m exactly doing this at the moment, so I can tell you how that goes, so far, at least the Firebase constructor works.

Solution? James Tampling reads this and prompts the Firebase team to look up after this 🙂

UPDATE: Injecting Firebase.js as a Content Script doesn’t work neither, but the good news is that the Firebase team (reach Andrew Lee) is checking it out.

UPDATE 2 Firebase team fixed it, and now it does work from a Popup page (both in a Browser Popup or a Page Action one). You need to add the following CSP in your manifest.json though "content_security_policy": "script-src 'self' 'unsafe-eval' https://cdn.firebase.com https://*.firebaseio.com https://*.firebaseio.com; object-src 'self'; " It works wonders after that.