Closed Bug 796739 Opened 12 years ago Closed 12 years ago

CSP violations warnings

Categories

(Firefox OS Graveyard :: Gaia, defect, P3)

defect

Tracking

(blocking-basecamp:+)

RESOLVED FIXED
blocking-basecamp +

People

(Reporter: ghtobz, Assigned: ochameau)

References

Details

(Whiteboard: [label:system], QARegressExclude)

Attachments

(12 files, 1 obsolete file)

166 bytes, text/html
kaze
: review+
Details
166 bytes, text/html
vingtetun
: review+
Details
166 bytes, text/html
vingtetun
: review+
Details
166 bytes, text/html
asuth
: review+
Details
166 bytes, text/html
vingtetun
: review+
Details
166 bytes, text/html
Details
166 bytes, text/html
djf
: review+
Details
166 bytes, text/html
ladamski
: feedback-
Details
166 bytes, text/html
iliu
: review+
Details
355 bytes, text/html
jj.evelyn
: review+
Details
166 bytes, text/html
fcampo
: review+
Details
166 bytes, text/html
jlal
: review+
Details
[GitHub issue by fabricedesre on 2012-09-25T20:56:31Z, https://github.com/mozilla-b2g/gaia/issues/5173] When the system app loads, we now have these warnings: E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onload attribute on UNKNOWN element"}] E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onsubmit attribute on FORM element"}] E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onmousedown attribute on SECTION element"}] E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onmousedown attribute on BUTTON element"}] E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onmousedown attribute on DIV element"}] E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onmousedown attribute on DIV element"}] E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onmousedown attribute on DIV element"}] E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onmousedown attribute on DIV element"}] E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onmousedown attribute on BUTTON element"}] E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onmousedown attribute on DIV element"}] E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onmousedown attribute on BUTTON element"}]
[GitHub comment by nhirata on 2012-09-26T21:59:36Z] is this a dup of #5177?
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
@dale bug 803178 is under the calendar component and unrelated to this.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
oh sorry didnt notice the component
Assignee: nobody → poirot.alex
I'll take a look at this if noone started working on this.
renominated for triage
blocking-basecamp: --- → ?
Blocks: 797657
blocking-basecamp: ? → +
Here is settings fixes. I'll do one pull request per app.
Attachment #674637 - Flags: review?(kaze)
The one for clock app.
Attachment #674640 - Flags: review?(iliu)
Priority: -- → P3
Attachment #677055 - Flags: review?(21)
Attachment #678301 - Flags: review?(bugmail)
Attachment #674637 - Flags: review?(kaze) → review+
Attachment #678301 - Flags: review?(bugmail) → review+
Are there other outstanding issues stopped us from enabling the full CSP policy? I'd like to wrap this up by the end of this week.
There is still one CSP violation in communications, then I think we are good to go. I've seen some inline script in showcase apps, but I think they are not involved in CSP secured policy, right? I'm currently working on the patch for communications.
I don't think the showcase apps are packaged or certified apps? If not then we should have a problem there.
Didn't knew who to ask for this review, feel free to forward it. But that isn't necessary a review for communications app developers as it is mostly about root `webapps.js` file.
Attachment #678462 - Flags: review?(21)
Vivien, same thing here. Please forward this r? to the right person. This time it is really for someone involved in Communnication!
Attachment #678475 - Flags: review?(21)
Lucas, I think we will be able to enable strict policy with all these pull requests being reviewed and merged. Feel free to give it a try in the meantime as I may easily have missed some CSP violation.
Attachment #678505 - Flags: review?(dflanagan)
Comment on attachment 678505 [details] Pull request 6181 - fix cubevid and crystallskull Looks good.
Attachment #678505 - Flags: review?(dflanagan) → review+
There is lot of CSP violations in UITests app. It doesn't seem worthwile to fix them, so I tried to use `csp` field in webapp manifest, without success. Would you happen to know why it doesn't work? https://developer.mozilla.org/en-US/docs/Apps/Manifest#Manifest_fields (Implemented in bug 773891)
Attachment #679164 - Flags: feedback?(ladamski)
Comment on attachment 679164 [details] Pull request 6244 - try to fix uitest by changing its csp The CSP property in the manifest is intersected with the system-enforced CSP policy, and so can only tighten the system policy further.
(In reply to Lucas Adamski from comment #21) > The CSP property in the manifest is intersected with the system-enforced CSP > policy, and so can only tighten the system policy further. Hum, even when we remove `type: "certified"` ? Otherwise do you think about any workaround that would prevent patching all these violations?
Non-certified/privileged applications don't have a required CSP policy. But then other things would break (like direct access to the Contacts API). I don't know of a strightforward way to solve this without changing the device-wide CSP pref, but that would not help with the core purpose of testing and would make anyone who wants to do testing would have to open a big security hole on their device. One way of doing it could be to have a device pref to enable an exception for enforcing the minimum CSP for specific apps, but that feels only slightly less terrible than the above suggestion.
Attachment #679164 - Flags: feedback?(ladamski) → feedback-
Just found one more: SMS app [JavaScript Warning: "CSP WARN: Directive eval script base restriction violated " {file: "app://sms.gaiamobile.org/shared/js/phoneNumberJS/PhoneNumber.js" line: 56 column: 0 source: "call to eval() or related function blocked by CSP"}] App seems to work ok.
Update on c24: Per agal PhoneNumber.js is moving to Gecko and can be ignored. App seems to work otherwise.
Component: Gaia → Gaia::System
Component: Gaia::System → Gaia
Attachment #682079 - Attachment description: Pull request 6438 - fix FTU → Pull request 6438 - fix bluetooth
Attached file Pull request 6437 - fix FTU (obsolete) —
Comment on attachment 682079 [details] Pull request 6438 - fix bluetooth It seems like onsubmit on buttons does nothing :)
Attachment #682079 - Flags: review?(ehung)
So here is the current status about CSP: - We have some minor violations in bluetooth and ftu apps, - tons of violations in uitest app, but we shouldn't block on this, and hopefully bug 801783 will land soon and we will then be able to make it work again, - one hard to fix violation in SMS app that isn't really harmfull as it doesn't completely break SMS app but kill the phone number normalization done in SMS. So if we consider bug 811539 as being bb+ and ensure that it is fixed before shipping, we can consider switching to strict CSP now.
Depends on: 811539, 801783
Comment on attachment 682079 [details] Pull request 6438 - fix bluetooth Ian, could you please take a look of this? I guess there are some follow-up works in your JS code. Thanks.
Attachment #682079 - Flags: review?(ehung) → review?(iliu)
Comment on attachment 683978 [details] Pointer to Github pull request: https://github.com/mozilla-b2g/gaia/pull/6554 We should add preventDefault() for the type="submit" button. Evelyn, could you help me to review the pr? Thank you.
Attachment #683978 - Flags: review?(ehung)
Comment on attachment 682079 [details] Pull request 6438 - fix bluetooth We should add the patch https://github.com/mozilla-b2g/gaia/pull/6554 with pr 6438. It will work fine. r=me
Attachment #682079 - Flags: review?(iliu) → review+
Comment on attachment 683978 [details] Pointer to Github pull request: https://github.com/mozilla-b2g/gaia/pull/6554 r=me, looks good.
Attachment #683978 - Flags: review?(ehung) → review+
Yet another rebase. That's the last CSP fix before enabling it by default.
Attachment #682083 - Attachment is obsolete: true
Attachment #686327 - Flags: review?(fernando.campo)
Attachment #686327 - Flags: review?(fernando.campo) → review+
One last, the test-agent app used to run gaia unit tests.
Attachment #686582 - Flags: review?(etienne)
So with this last pull request applied, only some test applications still fail on CSP violation: uitest and test receivers. Tested: FTU, sim dialog, all apps from apps folder (no deep test except dialer/sms), games.
Status: REOPENED → RESOLVED
Closed: 12 years ago12 years ago
Resolution: --- → FIXED
Attachment #686582 - Flags: review?(etienne) → review+
Whiteboard: [label:system] → [label:system], QARegressExclude
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: