
I just set up my custom domain with Firebase Hosting, let's call it mydomain.example.com.

When I navigate to it in Firefox, it shows a toggle next to the domain that, when clicked, shows this:

[screenshot]

Where the redacted part is my Firebase project ID, and the full domain is one of the default domains for Firebase Hosting.

What is happening here, exactly, and how can I change the behavior so it doesn't result in these cross-site cookies? Is this related to the Google Auth provider, which I also noticed doesn't use the new custom domain (instead, using one of the default domains) in the popup window for sign-in?

Nathan

1 Answer


This is a known issue with the Firebase Auth SDK. It is not related to the Google Auth provider. The issue is that the Firebase Auth SDK uses a cookie to store the user's session. The cookie is set to the domain of the Firebase project, which is a default domain for Firebase Hosting. The cookie is set to be secure, so it is not sent over HTTP, but is sent over HTTPS. The cookie is also set to be SameSite=Lax, which means that it is not sent on cross-site requests unless the request is a GET request. The cookie is not sent on cross-site requests that are POST requests, which is the case for the sign-in popup. The cookie is sent on cross-site requests that are GET requests, which is the case for the main page. To solve this issue, you can set the cookie policy to SameSite=None. This will allow the cookie to be sent on cross-site requests, but it will also require the cookie to be marked as secure. This means that the cookie will only be sent over HTTPS. If you are using a custom domain, you will need to set up HTTPS for your custom domain. If you are using a default domain, you will need to set up HTTPS for your default domain.

Tibic4
  • Do you have any resources/links to the known issue? Is there any way to change this behavior and have it be set to my custom domain? I would like to avoid having that toggle that warns about a cross-site cookie, even though everything seems to be working fine and I don't think it's a security issue. – Nathan Sep 24 '22 at 16:52
  • Here's some potential info: https://github.com/firebase/firebase-js-sdk/issues/3004#issuecomment-709946570 – Nathan Sep 24 '22 at 17:01
  • The issue is tracked in the Firebase JS SDK GitHub repository. I don't remember the exact issue number, but you can try searching for "SameSite" in the issues. No, there is no way to change the domain of the cookie. The cookie is set to the domain of the Firebase project, which is a default domain for Firebase Hosting. – Tibic4 Sep 24 '22 at 17:28
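To make the SameSite behaviour discussed in the answer concrete, here is an added example (not code from the question, the answer, or the Firebase SDK) that parses a Set-Cookie header and models when a browser would attach the cookie to a request from the custom domain to the default domain; the host names and cookie values are constructed placeholders. It goes one step beyond the answer: a Lax cookie also needs a top-level navigation, so a cross-site GET from an iframe is withheld just like a POST.

```javascript
// Constructed names standing in for the asker's redacted hosts.
const CUSTOM_HOST = "mydomain.example.com";
const DEFAULT_HOST = "project-id-placeholder.firebaseapp.com";

// Parse a Set-Cookie header into the attributes that matter for SameSite.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   secure: false, sameSite: "Lax", domain: null };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "domain") cookie.domain = v.toLowerCase().replace(/^\./, "");
    else if (key === "samesite") {
      const s = v.toLowerCase(); // browsers fall back to Lax for unknown values
      cookie.sameSite = s === "none" ? "None" : s === "strict" ? "Strict" : "Lax";
    }
  }
  return cookie;
}

// Naive eTLD+1; a real browser consults the Public Suffix List instead.
const site = (host) => host.split(".").slice(-2).join(".");

// Would the browser attach `cookie` to `req`? Strict never crosses sites,
// Lax crosses only on a top-level navigation with a safe method, None always
// crosses but is rejected at set time unless it is also marked Secure.
function cookieSent(cookie, req) {
  if (cookie.sameSite === "None" && !cookie.secure) return false;
  if (cookie.secure && req.scheme !== "https") return false;
  if (cookie.domain && req.targetHost !== cookie.domain &&
      !req.targetHost.endsWith("." + cookie.domain)) return false;
  if (site(req.initiatorHost) === site(req.targetHost)) return true;
  if (cookie.sameSite === "None") return true;
  if (cookie.sameSite === "Strict") return false;
  return req.topLevel && ["GET", "HEAD", "OPTIONS", "TRACE"].includes(req.method);
}

// A request the custom-domain page makes to the Firebase default domain.
const fromCustomDomain = (method, topLevel) =>
  ({ initiatorHost: CUSTOM_HOST, targetHost: DEFAULT_HOST, scheme: "https", method, topLevel });

// The two cookie policies the answer contrasts (constructed session values).
const laxCookie = parseSetCookie(`session=abc; Secure; SameSite=Lax; Domain=${DEFAULT_HOST}`);
const noneCookie = parseSetCookie(`session=abc; Secure; SameSite=None; Domain=${DEFAULT_HOST}`);
```

Running `cookieSent(laxCookie, fromCustomDomain("POST", true))` returns false while the same call with `noneCookie` returns true, which is the difference Firefox is flagging as a cross-site cookie.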