In the extension settings, into
Capabilities tab, the new CSP settings allow me to customize
What about the
script-src directive? Should I add that directly into the header of my index.html file?
It seems that one of the google firebase script that I use (I have no control over it) is trying to randomly add a script to my extension html which is blocked.
How should I proceed?
script-src is not supported.
- Twitch (for the Extension Helper)
- Your Extension
- Google Analytics
And that is it
you cannot modify the script-src CSP for security reasons.
So you should be able to include the firebase script locally and not from their CDN
And a final note: HTML HEAD/meta CSP’s are not supported by twitch at all.
The google firebase package is included in my bundle, but the code is trying to import a script at runtime (manipulating dom and adding a script tag). I have no control over this. What should I do?
Sounds like this version of Firebase is not supported for Twitch Extension or you need to read further on firebase on how to tell firebase not to do this