Closed Bug 1012665 Opened 11 years ago Closed 10 years ago

[System] Remove inline style for CSP compliance

Categories

(Firefox OS Graveyard :: Gaia::System, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gerard-majax, Assigned: vingtetun)

Attachments

(1 file)

Confer bug 968907 and bug 858787. We need to remove all CSS inline usage in certified apps. https://github.com/mozilla-b2g/gaia/blob/master/apps/system/js/devtools_view.js#L106
Depends on: 817674
The link above doesn't work for me, so maybe this is gone, but we need to remove the <style> tag from the main index (https://github.com/mozilla-b2g/gaia/blob/master/apps/system/index.html#L388)
Also from looking at the system app in the profile, the application.zip file has a file called net_error.html in it. The source file in gaia seems ok, but the file in the zip seems to have all of its CSS inlined as well as inline script.... I have no idea how that would ever work at the moment, since CSP should definitely block inline script already.
(In reply to Alexandre LISSY :gerard-majax from comment #0)
> Confer bug 968907 and bug 858787. We need to remove all CSS inline usage in
> certified apps.
>
> https://github.com/mozilla-b2g/gaia/blob/master/apps/system/js/devtools_view.js#L106
The patch in bug 971008 should remove the devtools part.
(In reply to Paul Theriault [:pauljt] from comment #2)
> Also from looking at the system app in the profile, the application.zip file
> has a file called net_error.html in it. The source file in gaia seems ok,
> but the file in the zip seems to have all of its CSS inlined as well as
> inline script.... I have no idea how that would ever work at the moment,
> since CSP should definitely block inline script already.
This file is loaded by the platform, in the scope of the app with special privileges. The CSP should not apply to it.
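An audit of a packaged app for the inline constructs discussed above (`<style>` elements, `style` attributes, inline scripts and `on*` handlers), as an added example that is not part of this bug thread or of Gaia's code. The function names are hypothetical and the zip it scans is a constructed sample built in memory, not a real application.zip.

```python
import io
import zipfile
from html.parser import HTMLParser

class InlineFinder(HTMLParser):
    """Record markup that a CSP without 'unsafe-inline' refuses to apply."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, description) tuples
    def handle_starttag(self, tag, attrs):
        line, names = self.getpos()[0], {name for name, _ in attrs}
        if tag == "style":
            self.findings.append((line, "<style> element"))
        if tag == "script" and "src" not in names:
            self.findings.append((line, "inline <script>"))
        if "style" in names:
            self.findings.append((line, f"style attribute on <{tag}>"))
        for name in sorted(n for n in names if n.startswith("on")):
            self.findings.append((line, f"{name} handler on <{tag}>"))

def audit_package(zip_bytes):
    """Return {html_path: findings} for each HTML file that has any."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as pkg:
        for name in sorted(pkg.namelist()):
            if name.lower().endswith((".html", ".htm")):
                finder = InlineFinder()
                finder.feed(pkg.read(name).decode("utf-8", errors="replace"))
                if finder.findings:
                    report[name] = finder.findings
    return report

def build_sample_package():
    """Constructed stand-in for an application.zip; file contents are invented."""
    pages = {
        "index.html": '<html><head>\n<style>body { margin: 0 }</style>\n'
                      '<script src="js/app.js"></script>\n</head>\n'
                      '<body><div style="color: red" onclick="go()"></div></body></html>',
        "clean.html": '<link rel="stylesheet" href="style/app.css"><script src="js/app.js"></script>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for path, body in pages.items():
            pkg.writestr(path, body)
    return buf.getvalue()

if __name__ == "__main__":
    for path, findings in audit_package(build_sample_package()).items():
        print(path, findings)
```

A file the platform loads outside the app's CSP, as described for net_error.html in the reply above, would still be listed, so findings are candidates for review rather than confirmed violations.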
Attached patch csp.system.patch
Tim, is there any issue if we move this CSS declaration here?
Attachment #8437352 - Flags: review?(timdream)
Comment on attachment 8437352 csp.system.patch
For the purpose of the review I can r+ this for you to land this patch. I however don't know the answer to your question. I don't understand Gecko well enough to say if this patch will cause FOUC or not, especially since we are talking about packaged apps here.
Attachment #8437352 - Flags: review?(timdream) → review+
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED