28

I’m trying to sign in anonymously from a Web app using the JS SDK and it works great on some environments, but on one environment, the exact same code that’s working elsewhere is giving me a 403:

(index):64 {"error":{"code":403,"message":"Requests from referer https://myapp.firebaseapp.com/ are blocked.","errors":[{"message":"Requests from referer https://myapp.firebaseapp.com/ are blocked.","domain":"global","reason":"forbidden"}],"status":"PERMISSION_DENIED"}}

Yet I think I checked everything is the same in all environments: anonymous authentication is enabled and my web app is on Firebase Hosting so the code should be environment-independent.

Any idea where else this could come from?

Frank van Puffelen
Sebastien

6 Answers

30

It seems like you have set some referrer restrictions on your API key. You need to go to the Google Cloud Console and modify these restrictions on your API key.

bojeil
15

This helped for me:

console cloud google -> APIs & services -> credentials -> click on: browser key (auto created by firebase) -> application restrictions: none & API restrictions: don't restrict key.

Now your API won't block any requests. I hope this works!

Douwe
  • Works, but unsafe. You need to add the Authorized domains (from Firebase console) there and it should work. – Dpedrinha May 18 '22 at 23:26
  • I want to make sure I have this right @Dpedrinha. Setting "application restrictions" to none or adding a domain like `*.web.app` to "website restrictions" **is** safe, but only if the list of "Authorized domains" in the Firebase console contains the exact domain that should be authorized? – Ben Keys Jul 24 '23 at 14:27
  • @BenKeys Not really. See my answer below. – Dpedrinha Jul 31 '23 at 22:34
  • @Dpedrinha What about it is unsafe? – Ben Keys Aug 02 '23 at 14:54
2

Go to your Firebase console - Authentication.

Find your Authorized domains and copy them.

Go to Google Cloud Platform and find the Browser key (auto created by Firebase).

Add the previously copied domains to the HTTP referrers.

Dpedrinha
0

solution for

I set my app on google cloud platform to "http referrers" and was trying to access a file in Firebase storage. When I'm not logged in, the file could not be visited. I found here and then googled referrer restrictions firebase storage.

my solution

I see there are security rules for firebase storage in official docs. I checked the rule and it was by default `allow read, write: if request.auth != null;`. I changed it to `allow write: if request.auth != null; allow read: if true;`

Then everything worked.

Pablo LION
0

I was able to solve this by creating a new restricted key (restricted by website, to my app's domain.)

  1. Go to your project's API Credentials in Google Cloud.

  2. Click on "Create Credentials", and select "API Keys".


  3. Restrict your API key to your domain(s). See Google's guide on restricting API Keys. For example, to allow any URL in your site, you must set two URLs in the allowedReferers list:

    • URL for the domain, without a subdomain, and with a wildcard for the path. For example:

      example.com/*

    • A second URL that includes a wildcard for the subdomain and a wildcard for the path. For example:

      *.example.com/*

    • You may need to copy the authorized domains listed in your Firebase Authentication Settings to your API restricted domains. For example:

      myproject-3243.firebaseapp.com/*

    • Make sure your Firebase Authentication Settings for domain names mirror those in your API Key restricted domains except, note that wildcard (*) notation only applies to the API Key settings.


  4. Wait 5 minutes for your changes to take effect, then use the new API Key in your app.

Benson
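
The cross-check that Dpedrinha's and Benson's answers describe (every Firebase authorized domain should be covered by one of the API key's HTTP referrer entries), as an added example that is not part of the original thread. The matcher is a simplified assumption about how `*` patterns behave, not Google's implementation, and the function names and sample domains are constructed for illustration.

```javascript
// Added example (not from the original thread). Simplified model of API key
// "website restrictions" matching; Google's real matcher may differ.

function escapeRegExp(text) {
  // Escape regex metacharacters except "*", which is the pattern wildcard.
  return text.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
}

// Compile a pattern such as "*.example.com/*" into host and path matchers.
function compilePattern(pattern) {
  const bare = pattern.replace(/^[a-z][a-z0-9+.-]*:\/\//i, ""); // drop optional scheme
  const slash = bare.indexOf("/");
  const hostPart = slash === -1 ? bare : bare.slice(0, slash);
  // Assumption: a pattern without a path covers every path.
  const pathPart = slash === -1 ? "/*" : bare.slice(slash);
  return {
    // Host wildcard needs at least one character, so "*.example.com"
    // does not match the bare domain "example.com".
    host: new RegExp("^" + escapeRegExp(hostPart).replace(/\*/g, ".+") + "$", "i"),
    path: new RegExp("^" + escapeRegExp(pathPart).replace(/\*/g, ".*") + "$"),
  };
}

// True if the referrer URL matches at least one allowed pattern.
function isReferrerAllowed(referrerUrl, patterns) {
  const url = new URL(referrerUrl);
  return patterns.some((p) => {
    const { host, path } = compilePattern(p);
    return host.test(url.hostname) && path.test(url.pathname);
  });
}

// Authorized domains whose pages would be rejected by the key's restrictions.
function uncoveredDomains(authorizedDomains, patterns) {
  return authorizedDomains.filter(
    (domain) => !isReferrerAllowed(`https://${domain}/`, patterns)
  );
}

// Constructed sample data: referrer list from the key, domains from Firebase Auth.
const allowedReferrers = ["example.com/*", "*.example.com/*"];
const authorizedDomains = ["example.com", "app.example.com", "myproject-3243.firebaseapp.com"];
console.log(uncoveredDomains(authorizedDomains, allowedReferrers));
```

Any domain this reports is one whose requests would be blocked under this model until a matching referrer entry is added to the key.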
-2

To make it work I've added the following "website restrictions" for my "Browser key":

Maslow