Restricting Cloud Firestore to a specific domain
Is there a way to restrict Cloud Firestore (for hosting/web) to do CRUD operations with restrictions to one domain only, say xyz.com?
For example, the rule below locks read, update, delete without authorisation but you can still write things to the database.
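service cloud.firestore {
  match /databases/{database}/documents {
    match /coming-soon-email-ids/{document=**} {
      // No condition: any client, signed in or not, may write.
      allow write;
      // Granted when the request carries a signed-in user.
      allow read, update, delete: if request.auth != null;
    }
  }
}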
Or do I have to integrate Google's firewall in it?
firebase google-cloud-firestore firebase-security-rules
edited Nov 22 at 7:28 by Doug Stevenson
asked Nov 22 at 7:11 by Akshay
1 Answer
Accepted answer (2 votes)
Firebase security rules aren't able to restrict access to a web domain. In a very general sense, it is not possible, because Firestore is intended to be accessed from mobile clients around the world, using web, Android, and iOS. Android and iOS clients never appear to be coming from some domain. They just directly access the database via the provided client library, or sometimes through the Firestore REST API. Web clients may even spoof their apparent domain (which is only really available by the insecure "Referrer" header in an HTTP request).
answered Nov 22 at 7:28 by Doug Stevenson
Ok, is there a way to restrict to one or more fields? – Akshay, Nov 23 at 5:47
I don't know what you're asking. It sounds like the beginning of a whole new question that's unrelated to this one. – Doug Stevenson, Nov 23 at 5:55
True. Will post a new one, thanks. – Akshay, Nov 23 at 7:46
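Added example, not part of the original answer and not Firebase code: a small Node.js model of the answer's point, comparing a gate on the client-supplied Referer header with a gate on a verified identity token. The names `refererGate`, `tokenGate` and `signToken`, and the HMAC token format, are assumptions; the HMAC is only a simplified stand-in for the signed ID tokens a real auth service such as Firebase Auth issues.

```javascript
// Added example: header-based gate vs. identity-based gate (hypothetical names).
const crypto = require('crypto');

const ALLOWED_HOST = 'xyz.com';             // domain used in the question
const SERVER_KEY = crypto.randomBytes(32);  // stand-in for the auth service's signing key

// Simplified model of an auth service issuing a signed token to a signed-in user.
function signToken(uid) {
  const mac = crypto.createHmac('sha256', SERVER_KEY).update(uid).digest('hex');
  return `${uid}.${mac}`;
}

// Gate 1: trusts the Referer header, a value the client itself supplies.
function refererGate(req) {
  try {
    return new URL(req.headers.referer).hostname === ALLOWED_HOST;
  } catch {
    return false;                           // header missing or not a URL
  }
}

// Gate 2: trusts only a token whose MAC verifies; headers about origin are ignored.
function tokenGate(req) {
  const raw = (req.headers.authorization || '').replace(/^Bearer /, '');
  const [uid, mac] = raw.split('.');
  if (!uid || !mac) return false;
  const expected = crypto.createHmac('sha256', SERVER_KEY).update(uid).digest();
  const given = Buffer.from(mac, 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed sample requests; nothing is sent over the network.
const requests = {
  // Signed-in user in a browser on the site.
  browserOnSite: { headers: { referer: 'https://xyz.com/signup',
                              authorization: `Bearer ${signToken('alice')}` } },
  // Signed-in user in a native app: no Referer is ever sent.
  mobileApp: { headers: { authorization: `Bearer ${signToken('bob')}` } },
  // Non-browser client that set the Referer itself and has no identity.
  headerOnly: { headers: { referer: 'https://xyz.com/signup' } },
};

function evaluate() {
  const out = {};
  for (const [name, req] of Object.entries(requests)) {
    out[name] = { referer: refererGate(req), token: tokenGate(req) };
  }
  return out;
}

console.log(evaluate());
```

The Referer gate rejects the legitimate mobile client and accepts the request that only carries the header, while the token gate decides on identity alone, which is the kind of condition `request.auth` expresses in security rules.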