Restricting Cloud Firestore to a specific domain

Solution 1:

Firebase security rules aren't able to restrict access to a web domain. In a very general sense, it is not possible, because Firestore is intended to be accessed from mobile clients around the world, using web, Android, and iOS. Android and iOS clients never appear to be coming from some domain. They just directly access the database via the provided client library, or sometimes through the Firestore REST API. Web clients may even spoof their apparent domain (which is only really available by the insecure "Referrer" header in an HTTP request).

You can only really restrict access to users signed in to your app or site using Firebase Authentication, but you can't limit where they come from.

Solution 2:

I had the same question, and I coming up with a solution. You can do sign In anonymously:

const signIn = async () => {
auth.signInAnonymously()
.then(() => {
  // Signed in..
})
.catch((error) => {
  var errorCode = error.code;
  var errorMessage = error.message;
  // ...
});

Then you can put your rules like:

allow read, write: if request.auth != null;

Then in authentication, you can activate the a anonymous method for sign in and add your authorized domains.