On 12.11.2014 12:37, [email protected] wrote:
> inline
>
> Thanks
> Axel
>
>> -----Original Message-----
>> From: dev-b2g [mailto:dev-b2g-[email protected]] On Behalf Of Frederik Braun
>> Sent: Wednesday, November 12, 2014 11:21 AM
>> To: [email protected]
>> Subject: Re: [b2g] Allow inline script in privileged apps for app html
>>
>> Hey Axel,
>>
>> the sentiment behind enforcing a strict Content Security Policy (CSP) for
>> packaged apps is to prevent cross site scripting (XSS) vulnerabilities from
>> doing serious harm.
>>
>> XSS is the most prevalent security issue in applications today. It is hard
>> to fix from a developer standpoint but easy to mitigate with the browser's
>> support (i.e., CSP).
>>
>> Applications that want to have more permissions than a normal web site
>> should be protected with extra layers of security, so that this power does
>> not fall into the wrong hands.
>
> How is XSS a problem for b2g apps and how does banning inline script prevent
> it?
>

All attacks that exploit XSS need to execute JavaScript from strings (i.e.
inline JavaScript, javascript: URLs, eval, ...). This is all disallowed, as you
may have read in the MDN link you posted earlier:
<https://developer.mozilla.org/en-US/Apps/Build/installable_apps_for_Firefox_OS/CSP>

> My app (currently) never accepts user input (text) which could be interpreted
> as script.
> My app currently downloads files from a server, parses them and stores values
> in an indexedDB.
> These strings and images are displayed in the app's UI but not using inline
> script.
>

There are other sources for script execution than user supplied strings (e.g.
location.hash). This restriction is not about your app in particular.

>>
>> There is a way to port your application to Firefox OS and honoring CSP at the
>> same time.
>
> Well... Would be nice if the Cordova app that runs on Android and iOS would
> run on b2g without html modifications

It's quite unfortunate that you are running into this so late. Maybe Cordova
should show a warning when apps use code patterns that are incompatible with
Firefox OS. I will file a bug.

>
>>
>>> PS: when I move all the inline script into js-files it seems that the
>>> global variables defined in those scripts are not global and therefore
>>> not visible to other scripts...
>>
>> They are surely global! Maybe you are facing a race condition?
>
> The index.html loads a JavaScript GetText and another loaded js code tries to
> access the GetText global variable and fails.
>

We can't really help you without looking at the code. I recommend you create a
minimal, reproducible test case and bring this to IRC.

_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
