The Problem
If you are building a Chrome Extension using Manifest V3 and Firebase, you might get a rejection email from the Chrome Web Store team that looks like this:
Violation: Including remotely hosted code in a Manifest V3 item. Violating Content: Code snippet:
js/firebase/firebase-bundle.js:gapiScript:"https://apis.google.com/js/api.js",recaptchaV2Script:"https://www.google.com/recaptcha/api.js"...
Manifest V3 strictly forbids any remotely hosted code. Everything must be local to the extension package. The issue is that the Firebase Auth SDK (even recent versions) includes hardcoded URLs for Google APIs and reCAPTCHA as default values in its source code. Even if you don't use these features, the strings exist in your bundled JS, and the automated scanner flags them.
The "Popular" Solution That Didn't Work
Most advice online tells you to ensure you are importing from the "web-extension" compatible entry points or to check your firebase.initializeApp config.
// This is what people suggest
import { getAuth } from "firebase/auth/web-extension";
While using the correct entry point is good practice, it often does not remove the hardcoded strings from the final bundle. The scanner will still find https://apis.google.com/js/api.js inside your firebase-bundle.js and reject your extension immediately.
The Actual Fix
The solution is to "neuter" these URLs directly in the source files inside node_modules before you run your build script (Webpack/Vite/Rollup). Since these are just default strings used for dynamic script loading (which won't work in MV3 anyway), replacing them with empty strings is safe.
You need to find and replace these 3 URLs with '' in the @firebase/auth package:
https://apis.google.com/js/api.js
https://www.google.com/recaptcha/api.js
https://www.google.com/recaptcha/enterprise.js?render=
Automated Fix (Recommended)
Instead of doing this manually every time you npm install, you can use a simple script or just run this PowerShell command in your project root before building:
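# Blank out the three flagged URLs in every .js file under @firebase/auth
Get-ChildItem -Path 'node_modules/@firebase/auth' -Recurse -Filter '*.js' | ForEach-Object {
    $content = Get-Content $_.FullName -Raw
    # -replace takes a regex, so '.' and '?' are escaped to match literally
    $content = $content -replace 'https://apis\.google\.com/js/api\.js', ''
    $content = $content -replace 'https://www\.google\.com/recaptcha/api\.js', ''
    $content = $content -replace 'https://www\.google\.com/recaptcha/enterprise\.js\?render=', ''
    # -NoNewline keeps Set-Content from appending an extra line ending
    Set-Content $_.FullName $content -NoNewline
}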
After running this, rebuild your bundle:
npm run build
Verify that your firebase-bundle.js no longer contains any https:// links pointing to Google APIs.
Why does this happen?
Firebase is designed to work in standard web environments where it can lazily load GAPI or reCAPTCHA scripts when needed. In a Chrome Extension (MV3), document.createElement('script') with a remote src is blocked by the Content Security Policy (CSP). The Firebase SDK doesn't "know" it's in a restricted environment during the build phase, so it keeps those strings. Removing them manually ensures the scanner stays happy.
TL;DR
Chrome Web Store rejecting your MV3 extension because of Firebase remote code? The strings are hardcoded in @firebase/auth.
Replace these URLs with an empty string '' in all files inside node_modules/@firebase/auth/ and rebuild your project. Rejection solved.