
I am trying to make a website cross origin isolated, and enabled the following headers on my site:

https://web.dev/cross-origin-isolation-guide/

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

Firebase auth uses a call to:

https://<AUTH_DOMAIN>/__/auth/iframe?apiKey=<API_KEY>&appName=[DEFAULT]

This gets blocked if you and makes authentication fail.

Because your site has the Cross-Origin Embedder Policy (COEP) enabled, each resource must specify a suitable Cross-Origin Resource Policy (CORP). This behavior prevents a document from loading cross-origin resources which don’t explicitly grant permission to be loaded. To solve this, add the following to the resource’s response header: Cross-Origin-Resource-Policy: same-site if the resource and your site are served from the same site. Cross-Origin-Resource-Policy: cross-origin if the resource is served from another location than your website. ⚠️If you set this header, any website can embed this resource.

How does one fix this? It seems like the root issue is that Firebase needs to set a header on their side?

Kartik Ayyar
  • Is this issue fixed ? I am also experiencing the same issue. – Critical Carpet Feb 12 '22 at 10:08
  • The workaround I ended up using was make auth work on an non COEP enabled page, then redirect the user to the COEP page. But I am not sure if this got fixed or not. Really wish someone from Firebase responded to this, this is kind of a bad bug. – Kartik Ayyar Feb 12 '22 at 11:36
  • Any news on this? Also experiencing this issue when trying to use OPFS which requires those same headers to be set. – Biel Simon May 23 '23 at 18:22

0 Answers