On Aug 1, 2013, at 9:48 AM, Jonas Sicking wrote:

> On Tue, May 28, 2013 at 2:39 AM,  <[email protected]> wrote:
>> To test Firefox OS capabilities, I’m writing a privileged app that can have 
>> access to various APIs on the device, but I got stuck in the development. I 
>> hope you can help me, I cannot find any useful documentation...
>> I’d like to have access to Google Maps APIs from my app, but this requires a 
>> script to be loaded outside of app package ( Something like <script 
>> type="text/javascript" 
>> src="http://maps.googleapis.com/maps/api/js?....."></script> ).
>> Because of CSP restrictions in privileged apps, this works just with the 
>> simulator, but on my device I cannot load these APIs.
>> Is there any way to disable CSP restrictions (for test purposes only) or any 
>> workaround for this problem? I tried
>> 
>> <iframe src="frame.html" sandbox="allow-same-origin allow-scripts"></iframe>,
>> 
>> But frame.html is not able to load these scripts either...
> 
> The iframe should load the scripts. Please file a bug with a small
> testcase if that's not the case.

Are you sure about this, Jonas? In the example above, I assume frame.html is 
located within the app package. Doesn't that mean that the resource needs to be 
loaded with a CSP policy (as if the frame.html was served with a CSP policy)? 
(regardless of the sandbox attribute?)

Enrico, it isn't possible to import scripts into any domain which is 
same-origin with a privileged app domain (i.e. the synthetic app://{appid} 
domain that gets applied to packaged apps). The security model for privileged 
apps is such that apps are granted permission by virtue of having been 
reviewed by the marketplace. As such, we can't allow third-party or dynamic 
scripts to be loaded into the app://{appid} domain since this domain is 
granted the extended permissions.

There is nothing stopping you, however, from loading content from other external 
domains (<iframe src='https://foo.com'>) and these pages won't get the CSP 
applied, since they don't get access to the sensitive permissions.


> 
> / Jonas
> _______________________________________________
> dev-webapps mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-webapps
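
The reply above points to an external-origin iframe as the place for third-party scripts such as the Maps API. As an added example (not code from this thread), here is one way the privileged page could validate messages posted back from such a frame, so that content outside app://{appid} only ever hands it checked data; the message types, field names and map.html are hypothetical, and https://foo.com is the placeholder origin used in the reply.

```javascript
// Added example: message validation on the privileged (app://) side.
// FRAME_ORIGIN reuses the https://foo.com placeholder from the reply;
// the message types and field names are hypothetical.
const FRAME_ORIGIN = 'https://foo.com';
const ALLOWED_TYPES = new Set(['map-ready', 'marker-selected']);

// Returns a sanitized copy of the message, or null if it must be ignored.
function validateFrameMessage(event, frameWindow) {
  // Exact origin match only: no prefix, suffix or substring checks.
  if (event.origin !== FRAME_ORIGIN) return null;
  // The sender must be the iframe we created, not some other window.
  if (frameWindow && event.source !== frameWindow) return null;
  const msg = event.data;
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) return null;
  if (typeof msg.type !== 'string' || !ALLOWED_TYPES.has(msg.type)) return null;
  if (msg.type === 'map-ready') return { type: 'map-ready' };
  // marker-selected: accept only finite coordinates within range.
  const { lat, lng } = msg;
  if (!Number.isFinite(lat) || !Number.isFinite(lng)) return null;
  if (Math.abs(lat) > 90 || Math.abs(lng) > 180) return null;
  // Copy only the expected fields; anything else the frame sent is dropped.
  return { type: 'marker-selected', lat, lng };
}

// Browser wiring (skipped when run outside a page, e.g. under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.createElement('iframe');
  frame.src = FRAME_ORIGIN + '/map.html'; // hypothetical page that loads the Maps script
  document.body.appendChild(frame);
  window.addEventListener('message', (event) => {
    const msg = validateFrameMessage(event, frame.contentWindow);
    if (!msg) return; // drop anything unexpected
    // Treat the values as data only: never eval them or write them as HTML.
    if (msg.type === 'marker-selected') {
      document.title = msg.lat.toFixed(4) + ', ' + msg.lng.toFixed(4);
    }
  });
}
```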
