Packaged apps always get validated, whereby on B2G only packaged apps with type privileged and certified require to be CSP compliant . This blocks partners who started with packaged apps not considering CSP. The expected behavior should be that only packaged apps of type "privileged" and "certified". Type undefined or web should not be validated (or validation set as warning and not blocking submission)! : http://mxr.mozilla.org/mozilla-central/source/b2g/app/b2g.js#359
Fixed as of here: https://github.com/mozilla/zamboni/commit/885cf517ed1ca920945cd5113a692c87b8ad9362
fyi, an app can also optionally specify a CSP in its manifest, see bug 773891, so it's good to see we took the path of giving warnings in this case :)
An app can specify its own CSP, but the CSP cannot be looser than the default CSP. This means that none of the errors generated by the validator will be invalid.
(In reply to Matt Basta [:basta] from comment #3) > An app can specify its own CSP, but the CSP cannot be looser than the > default CSP. This means that none of the errors generated by the validator > will be invalid. ah, I see, thanks for the clarification !