Regardless of the host from which you're making the request (localhost, example.com, etc.), Chrome or any other browser with a CORS implementation will block the resource because gstatic.com's responses lack an Access-Control-Allow-Origin: * header.
This also disallows the use of hashes for Subresource Integrity checks, as CORS is a precondition.
If you're fine with passing up the security benefits of CORS and Subresource Integrity, you can avoid the errors by simply writing the script tag without the crossorigin attribute, but I would request that Firebase/Google make this a priority and update the docs to show usage with crossorigin and integrity attributes.
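An added example, not part of the issue or of Firebase's code: a simplified Node.js model of the browser behaviour described above, showing why a cross-origin script with `integrity` only loads when the response passes the CORS check. The origins, script body and headers are constructed, `sriHash` and `evaluateScriptLoad` are hypothetical helper names, and only single-hash `integrity` values are handled.

```javascript
const crypto = require("crypto");

// SRI value ("sha384-<base64 digest>") for a script body.
function sriHash(body, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(body).digest("base64")}`;
}

// Simplified model of a browser loading <script src crossorigin integrity>.
// tag: { crossorigin, integrity } (undefined when the attribute is absent)
// response: { headers (lower-case names), body }
function evaluateScriptLoad(pageOrigin, scriptOrigin, tag, response) {
  let type;
  if (pageOrigin === scriptOrigin) {
    type = "basic";
  } else if (tag.crossorigin === undefined) {
    type = "opaque"; // no-cors fetch: script runs, but the page cannot inspect it
  } else {
    const acao = response.headers["access-control-allow-origin"];
    const withCreds = tag.crossorigin === "use-credentials";
    const originOk = acao === pageOrigin || (acao === "*" && !withCreds);
    const credsOk = !withCreds || response.headers["access-control-allow-credentials"] === "true";
    if (!originOk || !credsOk) return { executes: false, reason: "cors-check-failed" };
    type = "cors";
  }
  if (!tag.integrity) return { executes: true, reason: `no-integrity-${type}` };
  // SRI only validates responses the page is allowed to read.
  if (type === "opaque") return { executes: false, reason: "integrity-on-opaque-response" };
  const alg = tag.integrity.split("-")[0];
  const ok = sriHash(response.body, alg) === tag.integrity;
  return { executes: ok, reason: ok ? "integrity-match" : "integrity-mismatch" };
}

// Constructed sample data (origins, body and headers are made up).
const PAGE = "https://app.example";
const CDN = "https://cdn.example";
const body = "console.log('sdk');";
const pinned = sriHash(body);
const noCors = { headers: { "content-type": "text/javascript" }, body };
const withCors = { headers: { "access-control-allow-origin": "*" }, body };
const tampered = { ...withCors, body: body + "/* changed */" };

const cases = {
  crossoriginNoAcao: evaluateScriptLoad(PAGE, CDN, { crossorigin: "anonymous", integrity: pinned }, noCors),
  integrityOnly: evaluateScriptLoad(PAGE, CDN, { integrity: pinned }, noCors),
  plainTag: evaluateScriptLoad(PAGE, CDN, {}, noCors),
  corsAndMatch: evaluateScriptLoad(PAGE, CDN, { crossorigin: "anonymous", integrity: pinned }, withCors),
  corsTampered: evaluateScriptLoad(PAGE, CDN, { crossorigin: "anonymous", integrity: pinned }, tampered),
};
console.log(cases);
```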
The response code of the firebase scripts to the service worker is an opaque 0 without proper cors headers. The only workaround is to use jsdelivr cdn:
Pinging this since it has been 3 years and subresource integrity is a critically important tool for security. Subresource integrity is working for firebase-ui-auth.js and just about everything else under gstatic.com. How hard can it be to get it working as well for firebase.js and modules?
It would be nice to be able to use gstatic instead of having to add another CDN.
[REQUIRED] Describe your environment
[REQUIRED] Describe the problem
Steps to reproduce:
crossorigin="anonymous" attribute, make a request for one of the CDN-hosted Firebase JS files:
Access-Control-Allow-Origin: * header.
crossorigin attribute, but I would request that Firebase/Google make this a priority and update the docs to show usage with crossorigin and integrity attributes.
Relevant Code:
Here's a sample response from gstatic.com for a request made to https://www.gstatic.com/firebasejs/4.8.1/firebase-app.js: