How to hide Firebase credentials in chrome extension?

I am working on a chrome extension, and using Cloud Firestore. As mentioned in Google’s documentation, I have to put the code in the JavaScript file itself, which is easily visible to anyone who can extract the source code. For security purposes, we can allow access to the database only through certain domain names or certain apps. But in the case of a Google Chrome extension, it is neither being hosted with a domain name nor can it be registered as an app. So, how do I not let anyone mess around with it?

And my second question is that I have some if statements inside the chrome extension code which relates credentials from Cloud Firestore and shows result according to it. Like this –

if(userrefdoc.getCoins < 1){
   console.log("Not enough coins. Buy some more");
}

So, if someone can extract and modify my code, he can easily change the if statements according to his need and get access to the features which he is not allowed to use. So, how do I deal with this scenario too?

Firebase concurrent connections chrome extension

I just hit a situation which pushed me to ask this question:

I have about 150 active monthly users and I just hit 1k concurrent connections on a single day.

I did research and found many questions on the “firebase concurrent connections” topic, and those who refer to the user-to-concurrent ratio say that on average it’s close to 1 concurrent = ~1400 monthly users (like here and here).

I’m now trying to understand if I really did something wrong and if yes, how to fix that?

The questions are:

  • Does it look OK to get 1k concurrent connections with about 150 active users? Or am I reading it wrong?
  • Is it possible to profile concurrent connections somehow?
  • What are the typical “connection leaks” when it comes to chrome extensions and how to avoid them?


So far the architecture of the extension is that all the communication with firebase database is made from the background persistent script which is global to a browser instance.

And as a note, 150 active users is an estimation. For upper boundary I can say that I have 472 user records in total and half of them installed the extension and uninstalled it shortly after that – so they are not using it. And about 20% of the installed instances are also disabled in chrome.

How to use firebase database in chrome extension

I want to use it as part of my content script so that I can fetch data from my firebase database. However, I don’t know how I can reference the script that’s given in the firebase docs:

I know that if I was doing it all in the pop up html page, then I could load the script tag, but in the content script, there’s no html page other than the content page, so I’m not sure if this is even possible.

Does Topic messaging work with chrome extensions?

I am trying to implement a Chrome Extension that receives push messages from Firebase. I have tried referring to the firebase docs but I cannot find any info regarding this. Is it possible to implement the same? Any reference document link is appreciated.

google chrome extension- push notification

I am working on a chrome extension for push notifications. As of now I have an instance which is subscribed to a topic, and when I broadcast a message on that topic using firebase, a push notification is received. But I want to retrieve the data from the push event and display it using the chrome notification create method. Is it possible? I need some reference documents on this.

firebase.auth().signInWithPopup() not works with Chrome extension on Linux/Mac

I am developing a chrome extension. I have used firebase google sign-in for authentication using the firebase.auth().signInWithPopup() method.

It works well with Windows. But it does not work with Linux/Mac OS. A popup window appears for a while, then it disappears.
Please suggest a solution.

Firebase Phone Number authentication in Chrome Extension

Is it possible?
I read a bit on but it mentions OAuth redirect domains all the time, not sure if chrome extension domains are valid for this?

Chrome – Still getting “refused to load script due to CSP” even after using “unsafe-inline”

This is for a class project that is due very soon, so I am OK with the unsafe-inline (since people won’t actually be using our app).

I keep getting these errors
and have tried to find solutions here and elsewhere.

This is in my manifest.json file

{
 "name": "Getting Started Example",
 "version": "1.0",
 "description": "Build an Extension",
 "permissions": ["activeTab", "declarativeContent", "storage"],
 "content_security_policy": "script-src 'unsafe-inline' http://*; object-src 'unsafe-inline' http://*",
 "background": {
  "scripts": ["background.js"],
  "persistent": false
 }
}

I initialize Firebase using the code from the Firebase site in my options.html

I have also tried putting this in my options.js file without the script tags, but then I get “firebase is not defined”

How can I stop getting this error? I thought I was giving it all the permissions, but I still keep getting the same error.

The lines that the error points to, in my options.html, are:


LINE 13 is just < script > on a single line…

How do I listen for Firebase Cloud Messaging messages in the background in a Google Chrome Extension?

I have a Google Chrome Extension that listens for GCM messages in a background script via chrome.gcm.onMessage.addListener. Our provider is planning to upgrade their infrastructure to use the latest Firebase Cloud Messaging which is no longer compatible with GCM. We’ve confirmed the gcm addListener API no longer receives messages after upgrading to FCM in the dev environment.

I’ve found migration guides for Android, iOS, and progressive web apps but none specifically for background scripts in Chrome extensions.

Some resources I’ve found:

How to fix UTF-8 Firebase Error for Content Script w/ Chrome Extension Manifest.json?

I made a Chrome Extension and am using Firebase to authenticate users. I downloaded the Firebase.js from, hoping to add the firebase code to my chrome extension manifest. The Firebase auth is happening in a content script, so it needs to be included in the “js” under “content_scripts”.

Manifest.json Content Script Example

Instead, I’m getting a UTF-8 error when putting firebase.js.

Could not load file ‘js/lib/firebase.js’ for content script. It isn’t UTF-8 encoded.
Could not load manifest.

I tried using TextEdit on Mac to save the file as UTF-8 – still no luck.

What am I doing wrong?