On 09.10.2014 07:38, Junichi Hashimoto wrote:
> Hi
>
> Is there any example of specifying CSP in manifest file?
>
> I added the following line for a web-privileged app but inline-script is
> still active.
>
> "csp":"default-src *; script-src 'self'; object-src 'none'; style-src
> 'self'"
>

Do you mean inline style instead of inline script?
The only change you seem to have made from the default policy is removing 'unsafe-inline' from the style-src directive, making it a bit stricter. The result would be disallowing inline styles (i.e., tags like <style> css code here </style> and attributes like style="css code here").
Is this what you intend to do?

I can confirm that I am still able to do inline styling with this stricter manifest CSP in place. This sounds like a comeback of this bug <https://bugzilla.mozilla.org/show_bug.cgi?id=1021972>, maybe?

If you tried to do something else, I want to highlight that the manifest CSP directive should only ever be able to make the existing CSP stricter: You will not find ways to relax the CSP we have in place for Firefox OS apps.

> # firefoxOS is version 2.1

_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
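
An added example, not part of the original thread or of Firefox OS code: a small checker that compares a manifest `csp` value against the default policy and reports what was tightened, what is missing, and what would be an attempt to relax it. The baseline string is an assumption reconstructed from the reply (the poster's policy plus 'unsafe-inline' in style-src); `parseCsp` and `diffCsp` are hypothetical helper names.

```javascript
// Baseline for privileged apps as implied by the reply above (assumption):
// the poster's policy plus 'unsafe-inline' in style-src.
const DEFAULT_PRIVILEGED_CSP =
  "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";

// Parse a CSP string into a Map: directive name -> Set of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by CSP parsers; the first one wins.
    if (!directives.has(name)) directives.set(name, new Set(tokens.slice(1)));
  }
  return directives;
}

// Token-level comparison of a manifest policy against the baseline.
//   removed: sources the baseline allows but the manifest drops (stricter)
//   added:   sources the baseline does not list; per the reply, the manifest
//            cannot relax the enforced policy, so these are worth reviewing
//   missing: baseline directives the manifest omits entirely
function diffCsp(manifestCsp, baselineCsp = DEFAULT_PRIVILEGED_CSP) {
  const manifest = parseCsp(manifestCsp);
  const baseline = parseCsp(baselineCsp);
  const removed = [], added = [], missing = [];
  for (const name of new Set([...baseline.keys(), ...manifest.keys()])) {
    if (!manifest.has(name)) { missing.push(name); continue; }
    const base = baseline.get(name) || new Set();
    const mine = manifest.get(name);
    for (const src of base) if (!mine.has(src)) removed.push(`${name} ${src}`);
    for (const src of mine) if (!base.has(src)) added.push(`${name} ${src}`);
  }
  return { removed: removed.sort(), added: added.sort(), missing: missing.sort() };
}

// The policy quoted in the thread: only style-src was tightened.
const posted =
  "default-src *; script-src 'self'; object-src 'none'; style-src 'self'";
console.log(diffCsp(posted));
```
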
