On Thu, Aug 1, 2013 at 1:50 AM, Paul Theriault <[email protected]> wrote:
>
> On Aug 1, 2013, at 9:48 AM, Jonas Sicking wrote:
>
>> On Tue, May 28, 2013 at 2:39 AM,  <[email protected]> wrote:
>>> To test Firefox OS capabilities, I’m writing a privileged app that can have 
>>> access to various APIs on the device, but I got stuck in the development. I 
>>> hope you can help me, I cannot find any useful documentation...
>>> I’d like to have access to Google Maps APIs from my app, but this requires 
>>> a script to be loaded outside of app package ( Something like <script 
>>> type="text/javascript" 
>>> src="http://maps.googleapis.com/maps/api/js?....."></script> ).
>>> Because of CSP restrictions in privileged apps, this works just with the 
>>> simulator, but on my device I cannot load these APIs.
>>> Is there any way to disable CSP restrictions (for test purposes only) or 
>>> any workaround for this problem? I tried
>>>
>>> <iframe src="frame.html" sandbox="allow-same-origin 
>>> allow-scripts"></iframe>,
>>>
>>> But frame.html is not able to load these scripts either...
>>
>> The iframe should load the scripts. Please file a bug with a small
>> testcase if that's not the case.
>
> Are you sure about this Jonas? In the example above, I assume frame.html is 
> located within the app package. Doesn't that mean that the resource needs to 
> be loaded with a CSP policy (as if the frame.html was served with a CSP 
> policy)? (regardless of the sandbox attribute?)

Oh, indeed. I read the example as loading the contents of the iframe
from a server, but that is obviously not the case.

You might be able to use
<iframe src="..." sandbox="allow-scripts">
since that would mean that the sandboxed document isn't same-origin
with the app. In general, it would be nice if we had some way of
loading a resource from the package such that it didn't have
permission to use any privileged APIs, but that it didn't have CSP
applied.

Though ideally such an iframe would run out-of-process for security reasons.

/ Jonas
_______________________________________________
dev-webapps mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webapps
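
The difference between the two iframe variants discussed in this thread, as an added example (not code from the thread or from Firefox OS). It models only the HTML sandbox tokens `allow-scripts` and `allow-same-origin` and says nothing about whether CSP is applied; the `app://` origin and all function names are constructed for illustration.

```javascript
// Added example: interprets only the two sandbox tokens used in the thread.
function parseSandbox(attr) {
  // null means the iframe carries no sandbox attribute at all.
  if (attr === null) {
    return { sandboxed: false, scripts: true, sameOrigin: true };
  }
  // Tokens are whitespace-separated and matched case-insensitively.
  const tokens = new Set(attr.toLowerCase().split(/\s+/).filter(Boolean));
  return {
    sandboxed: true,
    scripts: tokens.has("allow-scripts"),
    sameOrigin: tokens.has("allow-same-origin"),
  };
}

function describeFrame(appOrigin, frameOrigin, attr) {
  const flags = parseSandbox(attr);
  // Without allow-same-origin the document gets an opaque origin ("null").
  const effectiveOrigin = flags.sameOrigin ? frameOrigin : "null";
  const sharesAppOrigin = effectiveOrigin === appOrigin;
  return {
    ...flags,
    effectiveOrigin,
    sharesAppOrigin,
    // A scripted frame that shares the embedder's origin can reach the
    // parent document and remove its own sandbox attribute.
    sandboxIsRemovable: flags.sandboxed && flags.scripts && sharesAppOrigin,
  };
}

// Constructed origin for a packaged app; not taken from the thread.
const APP = "app://constructed-example-app";
const firstAttempt = describeFrame(APP, APP, "allow-same-origin allow-scripts");
const suggested = describeFrame(APP, APP, "allow-scripts");
console.log({ firstAttempt, suggested });
```

With both tokens set on a document from the app's own package, the sandbox gives no isolation from the app; dropping `allow-same-origin` is what separates the frame from the app's origin.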
