Closed Bug 1063564 Opened 11 years ago Closed 10 years ago

l20n causes CSP violation for packaged app

Categories

(L20n :: General, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gasolin, Unassigned)

Details

Attachments

(1 file)

Steps to reproduce:

1. Pack a webapp with l20n
2. Upload to the marketplace
3. Get a CSP error

The reason is that we need to wrap the callback in setTimeout.

http://stackoverflow.com/questions/12588634/refused-to-evaluate-script-because-it-violates-the-following-content-security-po
https://developer.mozilla.org/en-US/Apps/CSP
Attachment #8484996 - Flags: review?(stas)
Fred, what are the CSP errors that you got from the Marketplace? 'callback' should already be a function, so there should not be a need to wrap it in another anonymous function. Also, the link to SO seems to be about a different issue: the code there was invoking the callback at the time of calling the setTimeout, which L20n doesn't do?
Below is the message from the Marketplace: https://marketplace.firefox.com/developers/upload/18d2e4d0869a46b0bab82b5ad7d6729f (please ignore the others because this is not the optimized version; the other warnings are expected).

I think the reason is that the CSP validator does not know whether `callback` is a variable or a function; it needs a more explicit format to make it pass the validation.

========

```
CSP Violation Detected

Warning: An action that you're performing violates the CSP (content security policy). While this does not affect your app, if you decide to add permissions to your app in the future, you will be unable to do so until this problem is corrected. It is highly recommended that you remedy this.

You can find more information about what is and is not allowed by the CSP on the Mozilla Developers website.
https://developer.mozilla.org/Apps/CSP

vendor/l20n/l20n.js
781  if (_isReady) {
782    setTimeout(callback);
783  }
```
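Added example, not part of the original bug comments and not the Marketplace validator's code: a simplified static check illustrating the reporter's explanation above, that a linter reading `setTimeout(callback)` cannot tell whether `callback` is a function or a string, while an inline function wrapper is unambiguous. The function names and verdict labels are hypothetical, and the third sample line is constructed.

```javascript
// Added example: a simplified heuristic, not the Marketplace validator's code.
// firstArgs(), classify() and classifyTimerCalls() are hypothetical names.

// Return the first argument of every setTimeout/setInterval call, tracking
// nesting and quotes so commas inside function bodies or strings are skipped.
function firstArgs(source) {
  const out = [];
  const call = /\b(setTimeout|setInterval)\s*\(/g;
  let m;
  while ((m = call.exec(source)) !== null) {
    let depth = 0, quote = null, i = call.lastIndex;
    for (; i < source.length; i++) {
      const ch = source[i];
      if (quote) {
        if (ch === '\\') i++;                 // skip the escaped character
        else if (ch === quote) quote = null;
      } else if (ch === '"' || ch === "'" || ch === '`') quote = ch;
      else if ('([{'.includes(ch)) depth++;
      else if (')]}'.includes(ch)) { if (depth === 0) break; depth--; }
      else if (ch === ',' && depth === 0) break;
    }
    out.push({ fn: m[1], arg: source.slice(call.lastIndex, i).trim() });
  }
  return out;
}

function classify(arg) {
  // Inline function or arrow: the argument is provably not a string.
  if (/^(async\s+)?function\b/.test(arg)) return 'ok';
  if (/^\(?[\w$\s,]*\)?\s*=>/.test(arg)) return 'ok';
  // String literal or template: compiled like eval(), blocked without 'unsafe-eval'.
  if (/^["'`]/.test(arg)) return 'violation';
  // Bare identifier or expression: its type cannot be known without data flow.
  return 'warning';
}

function classifyTimerCalls(source) {
  return firstArgs(source).map(c => Object.assign({ verdict: classify(c.arg) }, c));
}

// Constructed sample: line 1 is the call quoted in the validator output,
// line 2 is the wrapped form discussed in the bug, line 3 is the string form.
const sample = [
  'if (_isReady) { setTimeout(callback); }',
  'if (_isReady) { setTimeout(function() { callback(); }); }',
  'setTimeout("doWork()", 100);',
].join('\n');

console.log(classifyTimerCalls(sample));
```

The heuristic also matches the names inside comments and string literals; a real linter would work on a parsed syntax tree.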
Hi Stas, I think it will be harder to patch the marketplace lint for correct callback type reference, and the issue did prevent every packaged app from using l20n. I could add a comment in the code like `//XXX: give csp linter a function reference` so it could be removed from l20n once the linter bug is fixed. Is that reasonable?
Hi Fred, Sorry for the wait. I agree that this is easier to fix in L20n first. I'll merge your patch once I'm done with some branch maintenance which I wrote about here https://groups.google.com/forum/#!topic/mozilla.tools.l10n/MJ_sMgqOKT4. I'm planning to do it tonight.
Attachment #8484996 - Flags: review?(stas) → review+
I released 1.0.2 on npm with this change.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Thanks Stas, I found that https://github.com/l20n/builds does not have the related release, which means bower can't get 1.0.2 from the repository. Could you add the release for builds?
Flags: needinfo?(stas)
Ah, I forgot to create the tag in the builds repo, sorry! https://github.com/l20n/builds/releases/tag/1.0.2 I also updated the docs to make sure I don't forget next time: https://l20n.etherpad.mozilla.org/release
Flags: needinfo?(stas)
Now bower works, thanks!
Commit pushed to master at https://github.com/mozilla/web-platform-compat

https://github.com/mozilla/web-platform-compat/commit/80e08090b0d580b5c337ccf15b1590b23d26ce40
bug 1063564 - Extract duplicate code

Refactor shared loop code into a generator in verify and generate methods. Make sure sections have ending newlines in verify and generate.