
fix: allow Firebase Auth scripts in CSP #223

Merged

hrx01-dev merged 1 commit into main from fix/allow-Firebas-Authscripts-in-CSP on Jun 27, 2026


Conversation

hrx01-dev (Owner) commented Jun 27, 2026

Description

The PR #222 accidentally restricts external scripts.

Summary by CodeRabbit

  • Bug Fixes
    • Updated security settings to allow additional trusted sources, improving support for embedded widgets and external API requests while keeping other protections in place.

vercel (bot) commented Jun 27, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: servio
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): Jun 27, 2026 8:04pm

coderabbitai (bot) commented Jun 27, 2026

Walkthrough

The Content-Security-Policy header in firebase.json is updated on a single line: script-src gains https://apis.google.com, https://www.gstatic.com, and the Cloudinary widget domain; connect-src gains the https: scheme alongside existing sources.

Changes

CSP Header Update

Layer: CSP script-src and connect-src expansion
File(s): firebase.json
Summary: Adds Google APIs, Gstatic, and Cloudinary widget domains to script-src; adds https: to connect-src in the existing Content-Security-Policy header.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Possibly related PRs

  • hrx01-dev/Servio#217: Originally introduced the Content-Security-Policy header in firebase.json that this PR is now extending.

Poem

🐇 A hop through the headers, a tweak here and there,
Cloudinary and Google now join with a flair,
connect-src says https: — yes, all of it's fine,
The CSP bunny drew a broader, safer line!
✨ Carrots for security, one line at a time! 🥕

Pre-merge checks: 5 passed

Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: Passed. The title clearly matches the CSP change and its purpose of restoring Firebase Auth script loading.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
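As an added example (not code from the Servio repository), the following parses a Content-Security-Policy header and audits it the way a reviewer of this change would: it flags scheme-only sources such as the `https:` that connect-src gains here (that single token lets the page make fetch/XHR requests to any HTTPS origin, not only the APIs it actually uses), wildcard hosts, and 'unsafe-inline'/'unsafe-eval' in script-src, and it confirms that the three origins the PR adds are really allowed so Firebase Auth and the Cloudinary widget load. The policy strings in the block are constructed to resemble what the walkthrough and the review comment describe; the actual firebase.json line is not on this page.

```javascript
// Added example (not Servio code): parse a Content-Security-Policy header
// and audit it. The header strings below are CONSTRUCTED to resemble the
// policies this PR page describes; they are not the actual firebase.json line.

// Split "directive src src; directive src" into a Map of directive -> sources.
// Browsers honour only the first occurrence of a directive; so does this parser.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// A bare scheme ("https:", "data:", "blob:") matches every origin with that scheme.
const SCHEME_SOURCE = /^[a-z][a-z0-9+.-]*:$/i;
// "*" or a host beginning with a wildcard label, e.g. https://*.example.com.
const WILDCARD_HOST = /^(\*$|([a-z][a-z0-9+.-]*:\/\/)?\*\.)/i;

// Fetch directives (script-src, connect-src, img-src, ...) fall back to default-src.
function effectiveSources(policy, directive) {
  return policy.get(directive) ?? policy.get('default-src') ?? [];
}

// Returns findings of the form {directive, source, severity, reason}.
// `required` maps a directive to origins the app must be able to load from.
function auditCsp(header, required = {}) {
  const policy = parseCsp(header);
  const findings = [];

  for (const [directive, sources] of policy) {
    for (const src of sources) {
      if (SCHEME_SOURCE.test(src)) {
        findings.push({ directive, source: src, severity: 'high',
          reason: `scheme-only source: any ${src.slice(0, -1)} origin is allowed` });
      } else if (WILDCARD_HOST.test(src)) {
        findings.push({ directive, source: src, severity: 'medium',
          reason: 'wildcard host: every subdomain is allowed' });
      } else if (directive === 'script-src' &&
                 (src === "'unsafe-inline'" || src === "'unsafe-eval'")) {
        findings.push({ directive, source: src, severity: 'high',
          reason: 'inline or eval script execution is allowed' });
      }
    }
  }

  // Functional check: is each required origin allowed, either explicitly or
  // because a scheme-only source sweeps it in?
  for (const [directive, origins] of Object.entries(required)) {
    const sources = effectiveSources(policy, directive);
    for (const origin of origins) {
      const allowed = sources.includes(origin) ||
        sources.some((s) => SCHEME_SOURCE.test(s) &&
                            origin.toLowerCase().startsWith(s.toLowerCase()));
      if (!allowed) {
        findings.push({ directive, source: origin, severity: 'functional',
          reason: 'required origin is not allowed; the browser will block it' });
      }
    }
  }
  return findings;
}

// CONSTRUCTED policy approximating the post-PR header the walkthrough describes.
const POST_PR_CSP = [
  "default-src 'self'",
  "script-src 'self' https://apis.google.com https://www.gstatic.com https://widget.cloudinary.com",
  "connect-src 'self' https:",
].join('; ');

// CONSTRUCTED dev-server policy with the script-src the review comment reports.
const DEV_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";

// The three script origins this PR adds.
const REQUIRED = {
  'script-src': ['https://apis.google.com', 'https://www.gstatic.com', 'https://widget.cloudinary.com'],
};

for (const f of auditCsp(POST_PR_CSP, REQUIRED)) {
  console.log(`[${f.severity}] ${f.directive} ${f.source}: ${f.reason}`);
}
```

Run against the constructed post-PR policy it reports a single finding, the `https:` in connect-src; run against the constructed dev policy it reports the two unsafe keywords plus three blocked origins, which is the symptom the review comment below predicts for local development.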

github-actions (bot) commented

Visit the preview URL for this PR (updated for commit b8d9bb8):

https://servio-0--pr223-fix-allow-firebas-au-s1rxnk1p.web.app

(expires Sat, 04 Jul 2026 20:05:33 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: 15915abb5951eb298a844eda460b24f444d93a69

coderabbitai (bot) left a comment

🧹 Nitpick comments (1)
firebase.json (1)

41-41: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Mirror the CSP origins in vite.config.ts

Production now allows https://apis.google.com, https://www.gstatic.com, and https://widget.cloudinary.com, but the dev-server policy still only allows 'self' 'unsafe-inline' 'unsafe-eval', so those scripts will be CSP-blocked during local development.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@firebase.json` at line 41, The dev-server CSP in vite.config.ts is missing
the same script origins now allowed in production, so local development will
still block them. Update the CSP policy generation in the Vite config to mirror
the firebase.json script-src entries, specifically including
https://apis.google.com, https://www.gstatic.com, and
https://widget.cloudinary.com alongside the existing sources. Use the
CSP-building logic in vite.config.ts and keep the dev and prod origins aligned.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 402a36f5-f5f1-444f-87aa-92bddf5314ad

📥 Commits

Reviewing files that changed from the base of the PR and between 38838c4 and b8d9bb8.

📒 Files selected for processing (1)
  • firebase.json
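One way to act on the nitpick above, as an added example rather than Servio's own vite.config.ts or firebase.json: keep the third-party script origins in a single list and generate both the Vite dev-server header (Vite's `server.headers` option) and the Firebase Hosting `headers` entry from it, with a drift check that CI can run. The origin list, the `**` source glob, the dev-only HMR socket source and the directive set are assumptions for illustration; the `https:` in connect-src is kept because that is what the PR ships, with a note that listing the exact API hosts would be tighter.

```javascript
// Added example (not Servio code): one allowlist feeding both the Vite
// dev-server CSP and the firebase.json hosting header, so the two policies
// cannot drift apart. Vite's `server.headers` and Firebase Hosting's
// `hosting.headers` shapes are real; the origins, the `**` glob and the
// directive set are ASSUMPTIONS for illustration.

// Third-party script origins the PR adds for Firebase Auth and the Cloudinary widget.
const THIRD_PARTY_SCRIPT_ORIGINS = [
  'https://apis.google.com',
  'https://www.gstatic.com',
  'https://widget.cloudinary.com',
];

// Build the directive map for one environment. Dev keeps the keywords the
// review comment says the dev-server policy already has; prod does not.
function cspDirectives(mode) {
  const dev = mode === 'development';
  return {
    'default-src': ["'self'"],
    'script-src': [
      "'self'",
      ...(dev ? ["'unsafe-inline'", "'unsafe-eval'"] : []),
      ...THIRD_PARTY_SCRIPT_ORIGINS,
    ],
    // 'https:' mirrors the PR; naming the exact API hosts instead would be tighter.
    // 'ws://localhost:*' is an ASSUMED source for Vite's HMR websocket in dev.
    'connect-src': ["'self'", 'https:', ...(dev ? ['ws://localhost:*'] : [])],
  };
}

// "directive src src; directive src" as browsers expect it.
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// For vite.config.ts:  defineConfig({ server: { headers: viteDevHeaders() } })
function viteDevHeaders() {
  return { 'Content-Security-Policy': serializeCsp(cspDirectives('development')) };
}

// For firebase.json:  { "hosting": { ..., "headers": firebaseHostingHeaders() } }
function firebaseHostingHeaders() {
  return [{
    source: '**',
    headers: [{ key: 'Content-Security-Policy',
                value: serializeCsp(cspDirectives('production')) }],
  }];
}

// Drift check for CI: host origins allowed in one mode but not the other.
// Keywords such as 'self' are skipped because dev and prod differ there on purpose.
function scriptOriginDrift() {
  const hosts = (mode) => new Set(
    cspDirectives(mode)['script-src'].filter((s) => !s.startsWith("'")));
  const dev = hosts('development');
  const prod = hosts('production');
  return {
    devOnly: [...dev].filter((o) => !prod.has(o)),
    prodOnly: [...prod].filter((o) => !dev.has(o)),
  };
}

console.log(JSON.stringify({ hosting: { headers: firebaseHostingHeaders() } }, null, 2));
console.log(viteDevHeaders()['Content-Security-Policy']);
```

Because both headers are derived from `THIRD_PARTY_SCRIPT_ORIGINS`, adding an origin for production automatically unblocks it in the dev server, and `scriptOriginDrift()` returning anything non-empty is the signal that someone edited one side by hand.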

@hrx01-dev hrx01-dev merged commit 3599df5 into main Jun 27, 2026
8 checks passed