Hi

I'm so sorry for the late reply.

The bug describes what I looked for.
I want to forbid a packaged webapp from introducing external js.

Thank you.


On 14/10/9 18:42 , Frederik Braun wrote:
On 09.10.2014 07:38, Junichi Hashimoto wrote:
Hi

Is there any example of specifying CSP in manifest file?

I added the following line for a web-privileged app but inline-script is
still active.

"csp":"default-src *; script-src 'self'; object-src 'none'; style-src 'self'"


Do you mean inline style instead of inline script?

The only change you seem to have made from the default policy is
removing 'unsafe-inline' from the style-src directive, making it a bit
stricter. The result would be disallowing inline styles (i.e., tags like
<style> css code here </style> and attributes like style="css code here")

Is this what you intend to do?
I can confirm that I am still able to do inline styling with this
stricter manifest CSP in place. This sounds like a comeback of this bug
<https://bugzilla.mozilla.org/show_bug.cgi?id=1021972>, maybe?


If you tried to do something else, I want to highlight that the manifest
CSP directive should only ever be able to make the existing CSP
stricter: You will not find ways to relax the CSP we have in place for
Firefox OS apps.




# firefoxOS is version 2.1
_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
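
The comparison made in the reply above (the manifest policy differs from the default only in style-src), as an added example that is not part of the original thread. BASELINE is an assumption reconstructed from that description; the function names are hypothetical, and the diff is textual, not a model of how Firefox OS combines policies.

```javascript
// BASELINE: assumed default policy, i.e. the posted manifest policy plus
// 'unsafe-inline' in style-src, as the reply describes it.
const BASELINE =
  "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";
// MANIFEST_CSP: the "csp" value quoted in the thread.
const MANIFEST_CSP =
  "default-src *; script-src 'self'; object-src 'none'; style-src 'self'";

// Parse a policy string into Map<directive, Set<source>>.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, new Set(tokens.slice(1)));
  }
  return directives;
}

// Sources that apply to a fetch directive, falling back to default-src.
function effectiveSources(directives, name) {
  return directives.get(name) || directives.get("default-src") || new Set();
}

// Per directive, list the sources the manifest policy drops or adds
// relative to the baseline. Anything under "added" deserves a second look,
// since the thread says the manifest can only make the policy stricter.
function diffCsp(baseline, manifest) {
  const base = parseCsp(baseline);
  const mine = parseCsp(manifest);
  const changes = [];
  for (const name of new Set([...base.keys(), ...mine.keys()])) {
    const b = effectiveSources(base, name);
    const m = effectiveSources(mine, name);
    const removed = [...b].filter((s) => !m.has(s));
    const added = [...m].filter((s) => !b.has(s));
    if (removed.length || added.length) changes.push({ name, removed, added });
  }
  return changes;
}

// True when the policy permits <style> blocks and style="" attributes
// (nonces and hashes are not modelled).
function allowsInlineStyle(policy) {
  return effectiveSources(parseCsp(policy), "style-src").has("'unsafe-inline'");
}

console.log(JSON.stringify(diffCsp(BASELINE, MANIFEST_CSP)));
```

If inline styles still render while `allowsInlineStyle(MANIFEST_CSP)` is false, the policy text is not the cause, which matches the suspicion in the reply that a platform bug is involved.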