inline Thanks Axel
> -----Original Message-----
> From: dev-b2g [mailto:dev-b2g-[email protected]] On Behalf Of Frederik Braun
> Sent: Wednesday, November 12, 2014 11:21 AM
> To: [email protected]
> Subject: Re: [b2g] Allow inline script in priviledged apps for app html
>
> Hey Axel,
>
> the sentiment behind enforcing a strict Content Security Policy (CSP) for
> packaged apps is to prevent cross site scripting (XSS) vulnerabilities from
> doing serious harm.
>
> XSS is the most prevalent security issue in applications today. It is hard
> to fix from a developer standpoint but easy to mitigate with the browser's
> support (i.e., CSP).
>
> Applications that want to have more permissions than a normal web site
> should be protected with extra layers of security, so that this power does
> not fall into the wrong hands.

How is XSS a problem for b2g apps and how does banning inline script prevent it? My app (currently) never accepts user input (text) which could be interpreted as script. My app currently downloads files from a server, parses them and stores values in an IndexedDB. These strings and images are displayed in the app's UI but not using inline script.

> There is a way to port your application to Firefox OS and honoring CSP at
> the same time.

Well... Would be nice if the Cordova app that runs on Android and iOS would run on b2g without html modifications.

> > Ps: when I move all the inline script into js-files it seems that the
> > global variables defined in those scripts are not global and therefore
> > not visible to other scripts...
>
> They are surely global! Maybe you are facing a race condition?

The index.html loads a javascript GetText and another loaded js code tries to access the GetText global variable and fails.

> Kind regards,
> Frederik
>
> P.S.: I wrote a comment in your bug. Let's keep the move the discussion here
> or on IRC.
> _______________________________________________
> dev-b2g mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-b2g
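To make Frederik's point concrete, here is a small CSP checker (an added example, not code from Axel, Frederik or Firefox OS): inline `<script>` blocks and `on*=""` handler attributes only run when the directive governing scripts carries `'unsafe-inline'`, while an external file only loads when its origin matches a listed source, which is why moving inline code into same-origin js-files satisfies the policy. `PRIVILEGED_APP_CSP` is the policy I recall Firefox OS applying to privileged packaged apps, quoted from memory and therefore an assumption; `app://myapp` and the script URLs are constructed sample values.

```javascript
'use strict';

// Policy assumed to be the Firefox OS privileged-app default (from memory).
const PRIVILEGED_APP_CSP =
  "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";

// Split a policy string into { directiveName: [source, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// script-src governs scripts, default-src is the fallback, neither means no limit.
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d['script-src'] || d['default-src'] || null;
}

// Inline script (blocks and on* attributes) is dropped unless 'unsafe-inline' is listed.
function inlineScriptAllowed(policy) {
  const sources = scriptSources(policy);
  return sources === null || sources.includes("'unsafe-inline'");
}

// scheme://host[:port] of a URL; enough for app:// and http(s):// here.
function originOf(url) {
  const m = /^([a-z][a-z0-9+.-]*:\/\/[^/]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Would an external script at scriptUrl load on a page served from pageOrigin?
// Handles 'none', 'self', '*' and literal origins; path matching is left out.
function externalScriptAllowed(policy, pageOrigin, scriptUrl) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  const origin = originOf(scriptUrl);
  return sources.some((src) =>
    src === '*' || (src === "'self'" && origin === pageOrigin.toLowerCase()) || src === origin);
}
```

Under `PRIVILEGED_APP_CSP` an `<img onerror="...">` arriving inside a downloaded string and injected with `innerHTML` is inert, while `js/gettext.js` packaged with the app still loads.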
