(bcc dev-b2g) TLDR: Not urgent, but in certified apps, we need to move away from <style> tags or style attributes in HTML since these will be blocked once we have a CSP 1.0 compliant implementation on Firefox OS.
The current CSP implementation on b2g18 does not block inline styles in certified apps even though the default policy says it does [1]. This is since our old CSP implementation did not support inline style blocking, but changes landing in FF21 will bring our CSP parser into line with the 1.0 spec (bug 783049). The old CSP parser will remain in the codebase, and only be turned on in Firefox OS based on a preference value (bug 858787) - and obviously only once we actually take this code into a release.

So it's not urgent, but I wanted gaia devs to be aware this change is coming, because currently a quick glance at the certified apps in Gaia shows that they will break with this restriction.

No inline styles means:

- No <style> tags in HTML: http://mxr.mozilla.org/mozilla-central/gaia/search?string=%3Cstyle%3E&find=.html&findi=&filter=^[^\0]*%24&hitlimit=&tree=gaia
- No style attributes on elements: http://mxr.mozilla.org/mozilla-central/gaia/search?string=style%3D&find=.html&findi=&filter=^[^\0]*%24&hitlimit=&tree=gaia

So all styles need to be in CSS files, and all style changes done by manipulating the element.style in script, not by injecting style tags or attributes into HTML.

Any concerns, questions etc, please raise them.

- Paul

[1] https://developer.mozilla.org/en-US/docs/Apps/CSP#Default_Policies
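The audit that the two MXR searches in the message perform, as an added example (not part of the original message and not Gaia's own tooling): a small scanner that reports `<style>` elements and `style` attributes in HTML source, ignoring comments, `data-style` attributes and the word `style=` inside other attribute values. The names `findInlineStyles` and `SAMPLE` and the sample markup are constructed for illustration.

```javascript
// Heuristic audit for inline styles that a CSP 1.0 policy blocks when
// style-src does not allow 'unsafe-inline'. Regex-based, not a full HTML parser.

// One opening tag: captures the tag name and the raw attribute text.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>]+))?)*)\s*\/?>/g;
// One attribute: captures the name, consumes the value so it is never rescanned.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>]+))?/g;

function findInlineStyles(html, file = '<input>') {
  // Blank out comments but keep newlines so reported line numbers stay correct.
  const src = html.replace(/<!--[\s\S]*?-->/g, (c) => c.replace(/[^\n]/g, ' '));
  const findings = [];
  for (const m of src.matchAll(TAG_RE)) {
    const line = src.slice(0, m.index).split('\n').length;
    const tag = m[1].toLowerCase();
    if (tag === 'style') {
      findings.push({ file, line, kind: 'style-element', tag });
    }
    // Compare whole attribute names, so data-style="..." is not a hit.
    const names = Array.from(m[2].matchAll(ATTR_RE), (a) => a[1].toLowerCase());
    if (names.includes('style')) {
      findings.push({ file, line, kind: 'style-attribute', tag });
    }
  }
  return findings;
}

// Constructed sample page (not taken from Gaia).
const SAMPLE = [
  '<!DOCTYPE html>',
  '<html><head>',
  '  <link rel="stylesheet" href="style/app.css">',
  '  <style type="text/css">body { margin: 0; }</style>',
  '  <!-- <p style="color:red">commented out</p> -->',
  '</head><body>',
  '  <div id="banner" data-style="wide" STYLE="display:none"></div>',
  '  <p title="style= is not an attribute here">ok</p>',
  '</body></html>',
].join('\n');

for (const f of findInlineStyles(SAMPLE, 'index.html')) {
  console.log(`${f.file}:${f.line}: ${f.kind} on <${f.tag}>`);
}
```

Markup built as strings inside `<script>` blocks is also reported, which is intended: injected `style` attributes and `<style>` tags fall under the same restriction.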
