I'd like to use a firebase to store data from a web application, which is entirely static-hosted (i.e. all the code is client side). I don't really want the users to have to authenticate - it's basic data capture, nothing personal, and no need for them to have accounts. But I would like to take whatever steps are possible to protect what would otherwise be a 'public' firebase.
So I had this thought. Is it possible in any way to restrict write access to firebase based on where the client code was served from? I.e., is there some way to allow client code that I serve from a specific domain to 'prove' to firebase that it really came from my domain?
Obviously a token of some kind isn't that helpful, since anyone could browse my server, grab the token, and then reuse it in their own code. But the only difference is that their own code wouldn't have originated on my server.
I suppose I'm wondering if, when a JS client makes a request to firebase, there is any way to know with reasonably certainty where that client code came from. I guess it might be something like CORS, but I'm not sure if that's a good analogy. And since my site is entirely static, I can't use the server-side API and authenticate that way.
This doesn't have to be 100% bullet-proof. Just making it tedious or tricky for someone to 'spoof' would be enough.
