In the extension settings, into
Capabilities tab, the new CSP settings allow me to customize
What about the
script-src directive? Should I add that directly into the header of my index.html file?
It seems that one of the google firebase script that I use (I have no control over it) is trying to randomly add a script to my extension html which is blocked.
How should I proceed?
script-src is not supported.
- Twitch (for the Extension Helper)
- Your Extension
- Google Analytics
And that is it
you cannot modify the script-src CSP for security reasons.
So you should be able to include the firebase script locally and not from their CDN
And a final note: HTML HEAD/meta CSP’s are not supported by twitch at all.
The google firebase package is included in my bundle, but the code is trying to import a script at runtime (manipulating dom and adding a script tag). I have no control over this. What should I do?
Sounds like this version of Firebase is not supported for Twitch Extension or you need to read further on firebase on how to tell firebase not to do this
Did you ever figure out how to use firebase (I need firestore), in your twitch extension?