CSP Violation Detected when packaged for FirefoxOS

edited August 2013 in Packaging Apps
Hi,

I've just tried to validate my Enyo2 app in the Firefox OS validator, but I get many CSP validation errors and warnings.

One is:

Error: It appears that your code may be performing an action which violates the CSP (content security policy) for privileged apps.
You can find more information about what is and is not allowed by the CSP on the Mozilla Developers website. https://developer.mozilla.org/en-US/docs/Security/CSP
index.html
<body class="enyo-unselectable">
<script>
if (!window.App) {

Does anyone know how to work around this? The reason seems to be the inline scripting, since I get similar errors when pushing the app to a FxOS device.
E/GeckoConsole( 2105): [JavaScript Warning: "Content Security Policy: Directive inline script base restriction violated" {file: "app://20b13fad-1800-468e-b91c-9e9895ad4f99/index.html" line: 19 column: 0 source: "
E/GeckoConsole( 2105): if (!window.App) {
E/GeckoConsole( 2105): alert('No app..."}]
Regards,
zefanja

Comments

  • AFAIK, Mozilla disallows inline scripting, so probably you're right.

    You can use enyo.ready() to circumvent this.
  • Thanks for the tip. It does fix the error, but I still get around 200 warnings about CSP violations in the enyojs source...
  • Are you deploying a minified version of your app? The enyo.depends() based loader isn't CSP safe, but after minification it should be OK.
  • edited February 12
    zefanjas, did you ever find a general solution? The FxOS app validator (https://marketplace.firefox.com/developers/validator) complains about the usual inline scripting
     <script>
    new App().renderInto(document.body);
    I've been ignoring it (the Marketplace accepts my app), but I worry this will come back and bite me some time.

    There are 34 warnings in the minified code, such as

    setPositionReorderContainerTimeout: function() {
    this.clearPositionReorderContainerTimeout(), this.positionReorderContainerTimeout = setTimeout(enyo.bind(this, function() {
    this.$.reorderContainer.removeClass("enyo-animatedTopAndLeft"), this.clearPositionReorderContainerTimeout();
  • To work around the inline script, you can just move that to a separate .js file and use a script tag to load that line. If you're using enyo 2.3 or later, you can also add that to your source and use enyo.ready() to register the render to happen after the DOM has loaded.

    What are the actual messages for those warnings?
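
An added example, not part of the thread and not Enyo or validator code: a heuristic Node.js check that reports, with line numbers, the inline script discussed above so it can be moved into an external file. It goes slightly beyond the thread by also flagging inline event-handler attributes and javascript: URLs, which a policy that forbids inline script blocks in the same way. The function name, the sample HTML and start.js are assumptions.

```javascript
// Added example: heuristic scan for inline script that a no-inline-script CSP blocks.
// Regex-based, not a full HTML parser. findInlineScript and start.js are hypothetical.
function findInlineScript(html) {
  const findings = [];
  const lineOf = (idx) => html.slice(0, idx).split("\n").length;
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  // <script> elements that have no src attribute and a non-empty body
  while ((m = scriptRe.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1]) && m[2].trim() !== "") {
      findings.push({ line: lineOf(m.index), kind: "inline-script" });
    }
  }
  // Blank out script elements (keeping offsets) so JS source is not scanned as markup
  const markup = html.replace(scriptRe, (s) => s.replace(/[^\n]/g, " "));
  const tagRe = /<[a-z][^>]*>/gi;
  while ((m = tagRe.exec(markup)) !== null) {
    const line = lineOf(m.index);
    // Inline event-handler attributes such as onload="..."
    for (const a of m[0].matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.push({ line, kind: "event-handler:" + a[1].toLowerCase() });
    }
    // javascript: URLs in href/src
    if (/\s(?:href|src)\s*=\s*["']?\s*javascript:/i.test(m[0])) {
      findings.push({ line, kind: "javascript-url" });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample input, modelled on the index.html fragments quoted in the thread
const SAMPLE_BEFORE = [
  '<!DOCTYPE html>',
  '<html><head>',
  '<script src="build/enyo.js"></script>',
  '<script src="build/app.js"></script>',
  '</head>',
  '<body class="enyo-unselectable" onload="init()">',
  '<script>',
  '  new App().renderInto(document.body);',
  '</script>',
  '</body></html>'
].join("\n");

// Same page after the fix: start.js (hypothetical) would hold
//   enyo.ready(function () { new App().renderInto(document.body); });
const SAMPLE_AFTER = SAMPLE_BEFORE
  .replace(' onload="init()"', "")
  .replace(/<script>[\s\S]*?<\/script>/, '<script src="start.js"></script>');

console.log(findInlineScript(SAMPLE_BEFORE), findInlineScript(SAMPLE_AFTER));
```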