inline
> -----Original Message-----
> From: Frederik Braun [mailto:[email protected]]
> Sent: Wednesday, November 12, 2014 12:54 PM
> To: Nennker, Axel; [email protected]
> Subject: Re: [b2g] Allow inline script in privileged apps for app html
>
> On 12.11.2014 12:37, [email protected] wrote:
> > inline
> >
> > Thanks
> > Axel
> >
> >> -----Original Message-----
> >> From: dev-b2g [mailto:dev-b2g-
> >> [email protected]] On Behalf Of
> >> bounces+Frederik
> >> Braun
> >> Sent: Wednesday, November 12, 2014 11:21 AM
> >> To: [email protected]
> >> Subject: Re: [b2g] Allow inline script in privileged apps for app html
> >>
> >> Hey Axel,
> >>
> >> the sentiment behind enforcing a strict Content Security Policy (CSP)
> >> for packaged apps is to prevent cross site scripting (XSS)
> >> vulnerabilities from doing serious harm.
> >>
> >> XSS is the most prevalent security issue in applications today. It
> >> is hard to fix from a developer standpoint but easy to mitigate with
> >> the browser's support (i.e., CSP).
> >>
> >> Applications that want to have more permissions than a normal web
> >> site should be protected with extra layers of security, so that this
> >> power does not fall into the wrong hands.
> >
> > How is XSS a problem for b2g apps and how does banning inline script prevent it?
> >
>
> All attacks that exploit XSS need to execute JavaScript from strings (i.e. inline JavaScript, javascript: URLs, eval, ...).
> This is all disallowed, as you may have read in the MDN link you just posted earlier:
> <https://developer.mozilla.org/en-US/Apps/Build/installable_apps_for_Firefox_OS/CSP>
I fail to see the difference between code that is inlined in an HTML file that is part of the app and code that is loaded from a js file.
Would it work if I move all inline script snippets into files?
Instead of "<p><script>alert("XSS");</script></p>" I would write "<p><script src='alert.js'></script></p>"
With alert.js containing "alert('XSS');"
If this works, then how does it improve security?
>
> > My app (currently) never accepts user input (text) which could be interpreted as script.
> > My app currently downloads files from a server, parses them and stores values in an IndexedDB.
> > These strings and images are displayed in the app's UI but not using inline script.
> >
>
> There are other sources for script execution than user supplied strings (e.g.
> location.hash). This restriction is not about your app in particular.
>
> >>
> >>
> >> There is a way to port your application to Firefox OS and honor
> >> CSP at the same time.
> >
> > Well... Would be nice if the cordova app that runs on Android and iOS
> > would run on b2g without html modifications
>
> It's quite unfortunate that you are running into this so late.
> Maybe Cordova should show a warning, when apps use code patterns that
> are incompatible with Firefox OS. I will file a bug.
>
>
> >
> >>
> >>
> >>> Ps: when I move all the inline script into js-files it seems that the
> >>> global variables defined in those scripts are not global and
> >>> therefore not visible to other scripts...
> >>
> >> They are surely global! Maybe you are facing a race condition?
> >
> > The index.html loads a JavaScript GetText and another loaded js code tries to access the GetText global variable and fails.
> >
>
> We can't really help you without looking at the code. I recommend you
> create a minimal, reproducible test case and bring this to IRC.
_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
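Added example, not part of the thread or of any Firefox OS or Cordova code: a toy classifier for the packaged-app policy discussed above (script-src 'self' with no 'unsafe-inline'), run over the thread's own before/after snippets and over a constructed string injected via innerHTML or location.hash. It shows why the policy cannot tell author-written inline script from injected inline script (both are blocked), while a src that resolves into the package is allowed and an injected string can never point there. The app origin, file names and hostile string are assumptions.

```javascript
// Toy CSP classifier for the packaged-app policy discussed in the thread:
// script-src 'self' with no 'unsafe-inline'. It only inspects <script> tags,
// on* handlers and javascript: URLs, so it is an illustration, not a CSP engine.
const APP_ORIGIN = 'app://example-app'; // assumed origin of the installed package

// Returns one {kind, src, allowed} entry per script-execution point in `html`.
function classifyScripts(html, origin = APP_ORIGIN) {
  const findings = [];
  const scriptRe = /<script\b([^>]*?)(?:\/>|>([\s\S]*?)<\/script>)/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*(["'])([\s\S]*?)\1/i.exec(m[1]);
    if (src) {
      // A relative path resolves inside the package ('self'); anything with a
      // scheme or a protocol-relative prefix must match the app origin exactly.
      const sameOrigin = !/^(?:[a-z][a-z0-9+.-]*:|\/\/)/i.test(src[2])
        || src[2].startsWith(origin + '/');
      findings.push({ kind: 'external', src: src[2], allowed: sameOrigin });
    } else {
      // Script text inside the document is "script from a string": blocked.
      findings.push({ kind: 'inline', src: (m[2] || '').trim(), allowed: false });
    }
  }
  // Inline event handlers and javascript: URLs are also script from strings.
  for (const h of html.matchAll(/\son[a-z]+\s*=\s*(["'])([\s\S]*?)\1/gi)) {
    findings.push({ kind: 'handler', src: h[2], allowed: false });
  }
  for (const j of html.matchAll(/\b(?:href|src)\s*=\s*(["'])javascript:([\s\S]*?)\1/gi)) {
    findings.push({ kind: 'javascript-url', src: j[2], allowed: false });
  }
  return findings;
}

// Constructed inputs: the thread's snippet before and after moving the script
// into a packaged file, and a hostile string that reaches the DOM through
// innerHTML or location.hash. None of these is real app code.
const BEFORE_PORT = `<p><script>alert("XSS");</script></p>`;
const AFTER_PORT = `<p><script src='alert.js'></script></p>`;
const INJECTED_STRING = `<img src="x" onerror="alert('XSS')">` +
  `<script>alert('XSS')</script>` +
  `<script src="https://attacker.example/x.js"></script>` +
  `<a href="javascript:alert(1)">x</a>`;

// Count how many execution points the policy lets through.
function allowedCount(html) {
  return classifyScripts(html).filter(f => f.allowed).length;
}

for (const [name, html] of [['before port', BEFORE_PORT], ['after port', AFTER_PORT], ['injected', INJECTED_STRING]]) {
  console.log(name + ':', allowedCount(html), 'of', classifyScripts(html).length, 'execution points allowed');
}
```

The ported file runs only because it ships inside the package; a string arriving at runtime can only produce inline code, a handler, a javascript: URL or a foreign src, and the policy blocks all four.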