Closed Bug 713605 Opened 13 years ago Closed 12 years ago

Strongly advise against using contentScript rather than contentScriptFile for complex scripts.

Categories

(Add-on SDK Graveyard :: Documentation, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kmag, Assigned: wbamberg)

Details

Attachments

(1 file, 1 obsolete file)

The page-mod documentation should advise that contentScriptFile should be used rather than contentScript for complex scripts and that it should never be used with non-static strings. 

We get a lot of submissions to AMO with improperly sanitized, non-static strings used for content scripts (and elsewhere), and a fair number with unreadable, unformatted, multiply concatenated strings. The former are a bug-prone security hazard, and the latter are nearly impossible to review and can't be validated by our validator. I've rejected a lot of add-ons for using non-static strings, and wasted quite a lot of time reviewing the complex strings before giving a warning that it needs to be changed.
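The hazard described in the report above, as an added example that is not part of the bug report or the Add-on SDK: a content script assembled from a non-static string beside a static script that receives the same value as a message. `runAsContentScript`, the `page` object and the sample value are hypothetical stand-ins so the snippet runs in plain Node without the SDK.

```javascript
// Hypothetical stand-in for the SDK evaluating a content script in a page.
// `page` models the document; `self.port` models the content-script port.
function runAsContentScript(source, messages = []) {
  const page = { banner: null, tampered: false };
  const handlers = {};
  const self = { port: { on: (name, fn) => { handlers[name] = fn; } } };
  new Function("page", "self", source)(page, self);
  // Deliver messages the way worker.port.emit(name, payload) would.
  for (const [name, payload] of messages) handlers[name](payload);
  return page;
}

// Constructed sample of a value the add-on does not control
// (a preference, a server response, text taken from another page).
const greeting = "hi'; page.tampered = true; '";

// Pattern the report objects to: script text built by concatenation and
// passed as contentScript. The value becomes part of the code.
function buildConcatenatedScript(value) {
  return "page.banner = '" + value + "';";
}

// Static script text, as it would sit in a file under data/ and be loaded
// with contentScriptFile. The value arrives as data over the port.
const STATIC_SCRIPT =
  "self.port.on('greeting', function (text) { page.banner = text; });";

function demo() {
  const unsafe = runAsContentScript(buildConcatenatedScript(greeting));
  const safe = runAsContentScript(STATIC_SCRIPT, [["greeting", greeting]]);
  return { unsafe, safe };
}

console.log(demo());
```

In the concatenated case the quote in the value closes the string literal and the rest executes as script; in the static case the same value is only ever assigned as text, and the script file can be read and validated on its own.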
Assignee: nobody → wbamberg
Bumping to major since I'm rejecting quite a lot of add-ons for this.
Severity: normal → major
Attached patch big red warning (obsolete) — Splinter Review
Attachment #588232 - Flags: review?(dietrich)
Comment on attachment 588232
big red warning

Review of attachment 588232:

r=me on this change.

I do wonder, however, if we should include a warning about the consequences of not heeding the warning - something about problems getting add-on approval on AMO.
Attachment #588232 - Flags: review?(dietrich) → review+
Sorry to ask again, but I thought it was worth another check. I also made the warning a bit less jarring.
Attachment #588232 - Attachment is obsolete: true
Attachment #589767 - Flags: review?(dietrich)
Attachment #589767 - Flags: review?(dietrich) → review+
Commit pushed to https://github.com/mozilla/addon-sdk

https://github.com/mozilla/addon-sdk/commit/c6f71643d58285fdf7bf11af0dc05c8507fbc871
Bug 713605 - Strongly advise against using contentScript rather than contentScriptFile for complex scripts.; r=@dietrich
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Commit pushed to https://github.com/mozilla/addon-sdk

https://github.com/mozilla/addon-sdk/commit/7152df115768d271a881ba74fcbc411ecb482c26
Bug 713605 - Strongly advise against using contentScript rather than contentScriptFile for complex scripts.; r=@dietrich
(cherry picked from commit c6f71643d58285fdf7bf11af0dc05c8507fbc871)