Closed Bug 1012665 Opened 7 years ago Closed 7 years ago

[System] Remove inline style for CSP compliance

Categories

(Firefox OS Graveyard :: Gaia::System, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gerard-majax, Assigned: vingtetun)

References

Details

Attachments

(1 file)

Confer bug 968907 and bug 858787. We need to remove all CSS inline usage in certified apps.

https://github.com/mozilla-b2g/gaia/blob/master/apps/system/js/devtools_view.js#L106
Depends on: 817674
The link above doesn't work for me, so maybe this is gone, but we need to remove the <style> tag from the main index (https://github.com/mozilla-b2g/gaia/blob/master/apps/system/index.html#L388).
Also, from looking at the system app in the profile, the application.zip file has a file called net_error.html in it. The source file in gaia seems ok, but the file in the zip seems to have all of its CSS inlined as well as inline script... I have no idea how that would ever work at the moment, since CSP should definitely block inline script already.
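Worked example, added here and not part of Gaia or this bug: a small, hypothetical lint that flags the markup a CSP without 'unsafe-inline' would block (a <style> block, style="" attributes, on*= handlers, <script> bodies without src, javascript: URLs). It runs over two constructed pages, one resembling a system index with the inline <style> block and one after the rules have been moved to an external stylesheet and the handlers attached from script. It is regex-based, not a real HTML parser, so it is a pre-commit style check rather than a substitute for testing under the actual policy.

```javascript
// Added example (not Gaia code): flag markup that a CSP of the form
// "script-src 'self'; style-src 'self'" (no 'unsafe-inline') would block.
// Regex-based on purpose: good enough for static app markup in a pre-commit
// check, but it does not understand comments, CDATA or attribute edge cases.

const CHECKS = [
  // <style>...</style> blocks: blocked by style-src without 'unsafe-inline'
  { kind: 'inline-style-element', re: /<style\b[^>]*>/gi },
  // style="..." attributes: same directive, same outcome
  { kind: 'inline-style-attribute', re: /\sstyle\s*=\s*["'][^"']*["']/gi },
  // onclick="..." and friends: blocked by script-src without 'unsafe-inline'
  { kind: 'inline-event-handler', re: /\son[a-z]+\s*=\s*["'][^"']*["']/gi },
  // <script> with a body but no src attribute (negative lookahead skips src=)
  { kind: 'inline-script-element', re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>/gi },
  // href="javascript:..." / src="javascript:..." count as inline script too
  { kind: 'javascript-url', re: /\b(?:href|src)\s*=\s*["']\s*javascript:/gi },
];

// 1-based line number of a character offset in the document.
function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

// Returns [{ kind, line, snippet }] sorted by line; empty array means clean.
function findCspViolations(html) {
  const violations = [];
  for (const { kind, re } of CHECKS) {
    re.lastIndex = 0; // the regexes are shared, so reset between documents
    let m;
    while ((m = re.exec(html)) !== null) {
      // skip the leading whitespace the attribute patterns consume so the
      // reported line is the one the attribute actually sits on
      const lead = m[0].length - m[0].trimStart().length;
      violations.push({
        kind,
        line: lineOf(html, m.index + lead),
        snippet: m[0].trim().slice(0, 60),
      });
    }
  }
  return violations.sort((a, b) => a.line - b.line);
}

function formatReport(name, html) {
  const found = findCspViolations(html);
  if (found.length === 0) return `${name}: no inline style/script found`;
  return [`${name}: ${found.length} violation(s)`]
    .concat(found.map((v) => `  line ${v.line}: ${v.kind}: ${v.snippet}`))
    .join('\n');
}

// Constructed sample: an index page with the inline <style> block and other
// inline usage that the bug asks to remove. Paths are placeholders.
const BEFORE = `<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <link rel="stylesheet" href="style/system.css">
  <style>
    #screen { background: black; }
  </style>
  <script defer src="js/system.js"></script>
</head>
<body>
  <div id="screen" style="display: none;"></div>
  <button onclick="reboot()">Reboot</button>
  <script>window.loaded = true;</script>
</body>
</html>`;

// Constructed sample after the fix: rules live in the external stylesheet,
// state is expressed with a class, and handlers are attached from js/system.js.
const AFTER = `<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <link rel="stylesheet" href="style/system.css">
  <script defer src="js/system.js"></script>
</head>
<body>
  <div id="screen" class="hidden"></div>
  <button id="reboot">Reboot</button>
</body>
</html>`;

console.log(formatReport('before', BEFORE));
console.log(formatReport('after', AFTER));
```

The check deliberately skips `<script src=...>` and `<link rel="stylesheet">`, which are exactly the forms a `'self'` policy allows; everything it does report needs either `'unsafe-inline'` (which certified apps should not rely on) or to be moved into an external file.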
(In reply to Alexandre LISSY :gerard-majax from comment #0)
> Confer bug 968907 and bug 858787. We need to remove all CSS inline usage in
> certified apps.
> 
> https://github.com/mozilla-b2g/gaia/blob/master/apps/system/js/devtools_view.js#L106

The patch in bug 971008 should remove the devtools part.
(In reply to Paul Theriault [:pauljt] from comment #2)
> Also from looking at the system app in the profile, the application.zip file
> has a file called net_error.html in it. The source file in gaia seems ok,
> but the file in the zip seems to have all of its CSS inlined as well as
> inline script... I have no idea how that would ever work at the moment,
> since CSP should definitely block inline script already.

This file is loaded by the platform, in the scope of the app with special privileges. The CSP should not apply to it.
Attached patch csp.system.patch
Tim, is there any issue if we move this CSS declaration here?
Attachment #8437352 - Flags: review?(timdream)
Comment on attachment 8437352 [details] [diff] [review]
csp.system.patch

For the purpose of the review I can r+ this for you to land this patch.

I however don't know the answer to your question. I don't understand Gecko well enough to say if this patch will cause FOUC or not, especially since we are talking about packaged apps here.
Attachment #8437352 - Flags: review?(timdream) → review+
Try is green. https://github.com/mozilla-b2g/gaia/commit/fd6aa50c8c2bd2449d33974fcfb6eddaccb6692d
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED