
Working chrome extension popup has sporadic CSP errors with firebase

Only after a certain amount of time does this error occur. But if I remove the extension from Chrome and re-add it, it won't happen for a while. This only happens in the popup.html file for some reason.

The error:

`BrowserPollConnection.ts:740` Refused to load the script 'https://fb-instance.firebaseio.com/.lp?start=t&ser=xx&cb=3&v=5&p=1:xxx' because it violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.


There is nothing I can add or change in the manifest `content_security_policy`, and I believe that the popup is part of the `extension_pages`. And again, this error only occurs after a certain time (or something else that I don't know of), and removing and re-adding the extension is the only way to "fix" the error. This has only been happening for maybe a week, perhaps since a Chrome update (now on v104.0.5112.81).

So if I follow that firebaseio.com URL, there is some kind of firebase script that wants to execute from remote:

```javascript
function pLPCommand(c, a1, a2, a3, a4) {
  parent.window["pLPCommand1"] && parent.window["pLPCommand1"](c, a1, a2, a3, a4);
}
function pRTLPCB(pN, data) {
  parent.window["pRTLPCB1"] && parent.window["xxx"](pN, data);
}
pLPCommand('start','123','abcd');
pRTLPCB(0,[{"t":"c","d":{"t":"h","d":{"ts":xxx,"v":"5","h":"fb-instance.firebaseio.com","s":"xxx"}}}]);
```

I know this is not even a critical script and is probably some sort of analytics, since the popup works fine before this... until it doesn't...

Manifest.json (MV3):

```json
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self'; script-src-elem 'self' 'unsafe-inline' https://www.gstatic.com/ https://*.firebaseio.com https://*.firebasedatabase.app https://www.googleapis.com"
  },
```

And I don't want to rewrite the whole popup so that it uses the sandbox CSP, and have to rewire it, and then I can't access the `chrome.window`, `chrome.tabs`, etc. APIs and would have to forward the authentication etc., JUST to avoid a problem that is caused by what seems to be a non-critical script that the firebase library wants to execute for some reason.

And before the error occurs I don't see any requests to that https://subdomain.firebaseio.com/.lp?start=t&ser=etcetc url, and I'm not sure what triggers this to happen. And once it does, it will keep happening, until I remove the extension completely, reloading does not work...

(Using: "firebase": "^9.6.3" atm)

I'm not sure why it's working from time to time, but from my understanding it is not possible to add those URLs to the CSP. From the Google Chrome documentation:

In addition, Manifest V3 disallows certain CSP modifications for `extension_pages` that were permitted in Manifest V2. The `script-src`, `object-src`, and `worker-src` directives may only have the following values: `self`, `none`, any localhost source (`http://localhost`, `http://127.0.0.1`, or any port on those domains)
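The fallback named in the error message, as an added example that is not part of the original question or answer: a minimal check of a script URL against a CSP string, run on the policy text from the error and on the `extension_pages` string from the posted manifest. The extension origin is a constructed placeholder, the function names are hypothetical, and only keyword and `scheme://host` sources are handled.

```javascript
// Added example, not code from the post: minimal CSP check for <script src> loads.
// Handles keyword sources and scheme://host sources with an optional "*." wildcard;
// ports, paths, nonces and hashes are out of scope.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Script elements are governed by script-src-elem, then script-src, then default-src.
function effectiveDirective(directives) {
  return ['script-src-elem', 'script-src', 'default-src'].find((d) => directives.has(d)) || null;
}

function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return url.href.startsWith(selfOrigin + '/');
  if (source.startsWith("'")) return false; // other keywords never allow a remote URL
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)/i.exec(source);
  if (!m || m[1].toLowerCase() + ':' !== url.protocol) return false;
  const host = m[2].toLowerCase();
  // "*.example.com" requires at least one subdomain label.
  return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : host === url.hostname;
}

function checkScriptLoad(policy, scriptUrl, selfOrigin) {
  const directives = parsePolicy(policy);
  const directive = effectiveDirective(directives);
  if (!directive) return { allowed: true, directive: null }; // nothing governs scripts
  const url = new URL(scriptUrl);
  const allowed = directives.get(directive).some((s) => sourceMatches(s, url, selfOrigin));
  return { allowed, directive };
}

// Policy quoted in the error message vs. the extension_pages string in the posted manifest.
const ENFORCED = "script-src 'self' 'wasm-unsafe-eval'";
const DECLARED = "script-src 'self'; object-src 'self'; script-src-elem 'self' 'unsafe-inline' " +
  "https://www.gstatic.com/ https://*.firebaseio.com https://*.firebasedatabase.app " +
  "https://www.googleapis.com";
const LP_URL = 'https://fb-instance.firebaseio.com/.lp?start=t&ser=xx&cb=3&v=5&p=1:xxx';
const SELF_ORIGIN = 'chrome-extension://abcdefghijklmnopabcdefghijklmnop'; // constructed

console.log('enforced:', checkScriptLoad(ENFORCED, LP_URL, SELF_ORIGIN));
console.log('declared:', checkScriptLoad(DECLARED, LP_URL, SELF_ORIGIN));
```

The first result is a refusal under `script-src`, the fallback the error names; the second shows the host list in the manifest string would cover the URL, so the refusal comes from the policy in effect rather than from a host missing in that list.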
