Closed Bug 1021970 Opened 6 years ago Closed 2 years ago

update default certified app CSP to disallow inline styles

Categories

(Firefox OS Graveyard :: General, defect, major)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: geekboy, Unassigned)

References

(Blocks 1 open bug)

Details

In order to migrate firefox os to our new CSP implementation (the one that is spec compliant) we need to flip a pref (bug 858787) and make sure certified apps don't use inline styles.  We can flip the pref now so we get better test coverage, but need to relax the CSP and then later follow up and fix all the inline styles in certified apps before tightening the CSP again.

So this bug is for tightening the certified app CSP once all the gaia apps have been brought into compliance.
Depends on: 968907
Depends on: 1006781
Depends on: 970728
Paul: do you know how we're doing in this remove-all-the-inline-stuff crusade?
Flags: needinfo?(ptheriault)
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #1)
> Paul: do you know how we're doing in this remove-all-the-inline-stuff
> crusade?

So there are two main big blockers:

- Bug 1022996: HTML components uses scoped styles (<style scoped>...). There is no way to do scoped styles without inline styles. We either need to find a way to remove the dependency for scoped styles, or platform changes (ie scoped support for dynamic styles)

- Bug 1012652: Email app needs dynamic styles to render emails. We tried making email app privileged (bug 1018534) but this wasn't possible (see bug 1027185). So the only solution would be to somehow sandbox from the app such that CSP doesn't apply (iframe sandbox/mozbrowser are the only options I'm aware of). This however would greatly complicate email app logic, and impact performance. See [1] for more details. Maybe our only realistic option here might be to somehow override the default CSP just for the email app. That would require platform changes somehow though (unless we can maybe populate the webapps database with a specific CSP for the email directly maybe?)

It would be great if we could solve this for 2.2 but I'm not sure that is realistic.

Freddy, can I ask you to take ownership of this?


[1]https://bugzilla.mozilla.org/show_bug.cgi?id=1012652#c3
Assignee: nobody → fbraun
Flags: needinfo?(ptheriault)
Yeah, I can take this.

For bug 1012652, I could imagine somehow singling out the unprivileged(!) child frames in the email app and allowing inline styles in them.

I'm not sure how to approach scoped styles / HTML components though...
Fabrice, we recently removed the fast path for certified apps (see Bug 1030936), which also means that the B2G tree seems to not use any inline styles anymore. Does that also mean we could update default policy and remove 'unsafe-inline' for css?
Flags: needinfo?(fabrice)
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #4)
> Fabrice, we recently removed the fast path for certified apps (see Bug
> 1030936), which also means that the B2G tree seems to not use any inline
> styles anymore. Does that also mean we could update default policy and
> remove 'unsafe-inline' for css?

Maybe Freddy also knows. I think it's only that line that needs to be updated, right?
http://mxr.mozilla.org/mozilla-central/source/b2g/app/b2g.js#410
Flags: needinfo?(fbraun)
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #5)
> (In reply to Christoph Kerschbaumer [:ckerschb] from comment #4)
> > Fabrice, we recently removed the fast path for certified apps (see Bug
> > 1030936), which also means that the B2G tree seems to not use any inline
> > styles anymore. Does that also mean we could update default policy and
> > remove 'unsafe-inline' for css?
> 
> Maybe Freddy also knows. I think it's only that line that needs to be
> updated, right?
> http://mxr.mozilla.org/mozilla-central/source/b2g/app/b2g.js#410

Yes that's correct!
Flags: needinfo?(fabrice)
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #4)
> which also means that the B2G tree seems to not use any inline
> styles anymore. Does that also mean we could update default policy and
> remove 'unsafe-inline' for css?

I'd love to have this removed, naturally. But having a quick look[1,2], it seems that quite a lot of apps still use inline styles.
How confident are we, this isn't used in certified apps?

[1] https://github.com/mozilla-b2g/gaia/search?l=html&q=style%3D&utf8=%E2%9C%93
[1] https://github.com/mozilla-b2g/gaia/search?utf8=%E2%9C%93&q=style+scoped&type=Code
Flags: needinfo?(fbraun)
I'm removing myself from this bug. Please close or re-assign as deemed necessary.
Assignee: fbraun → nobody
Firefox OS is not being worked on
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.