CSP script-src directive


In the extension settings, in the Capabilities tab, the new CSP settings allow me to customize the img-src, media-src and connect-src directives.

What about the script-src directive? Should I add that directly into the header of my index.html file?

It seems that one of the Google Firebase scripts that I use (I have no control over it) is trying to randomly add a script to my extension HTML, which is blocked.
How should I proceed?

Thank you,

script-src is not supported.

JavaScript is allowed from the following locations:

  • Twitch (for the Extension Helper)
  • Your Extension
  • Google Analytics

And that is it.

You cannot modify the script-src CSP for security reasons.

So you should be able to include the Firebase script locally and not from their CDN.

See also: “Scripts (JavaScript)”

And a final note: HTML HEAD/meta CSPs are not supported by Twitch at all.

The Google Firebase package is included in my bundle, but the code is trying to import a script at runtime (manipulating the DOM and adding a script tag). I have no control over this. What should I do?

Sounds like this version of Firebase is not supported for Twitch Extensions, or you need to read further on Firebase on how to tell Firebase not to do this.
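One way to locate the runtime script loading discussed in this exchange is to scan the built bundle text before uploading it. This is an added example, not part of the thread and not code from Twitch or Firebase; `scanBundle`, the pattern list and `SAMPLE_BUNDLE` are constructed for illustration.

```javascript
// Added example: heuristic scan of built bundle text for runtime script loading.
// Pattern names and SAMPLE_BUNDLE are constructed for illustration.
const INJECTION_PATTERNS = [
  { name: "createElement(script)", re: /createElement\(\s*["'`]script["'`]\s*\)/g },
  { name: "importScripts", re: /\bimportScripts\s*\(/g },
  { name: "document.write(<script>)", re: /document\.write(?:ln)?\([^)]*<script/gi },
];

// Absolute http(s) URLs ending in .js that appear as string literals.
const REMOTE_JS_URL = /["'`](https?:\/\/[^"'`\s]+?\.js(?:\?[^"'`\s]*)?)["'`]/g;

function scanBundle(source) {
  const findings = [];
  for (const { name, re } of INJECTION_PATTERNS) {
    for (const m of source.matchAll(re)) {
      findings.push({
        name,
        offset: m.index,
        // A little surrounding text so the hit can be found in minified output.
        context: source.slice(Math.max(0, m.index - 30), m.index + 60).trim(),
      });
    }
  }
  // De-duplicated list of remote .js URLs the bundle could try to load.
  const remoteUrls = [...new Set([...source.matchAll(REMOTE_JS_URL)].map((m) => m[1]))];
  return { findings, remoteUrls };
}

// Constructed sample standing in for a minified third-party SDK chunk.
const SAMPLE_BUNDLE = [
  'function loadJs(u){var s=document.createElement("script");s.src=u;document.head.appendChild(s)}',
  'loadJs("https://cdn.example.invalid/sdk/helper.js");',
  'var img=document.createElement("img");img.src="https://cdn.example.invalid/logo.png";',
].join("\n");

const report = scanBundle(SAMPLE_BUNDLE);
console.log(JSON.stringify(report, null, 2));
```

The scan is a text heuristic: a hit shows where to start reading, and URLs assembled from string fragments at runtime will not be caught.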

Did you ever figure out how to use Firebase (I need Firestore) in your Twitch extension?