Packaged app get CSP-validation even if they are not privileged

RESOLVED FIXED

Status

Marketplace
Validation
--
major
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: Harald, Assigned: basta)

Tracking

Points:
---

Details

(Reporter)

Description

5 years ago
Packaged apps always get validated, whereby on B2G only packaged apps with type privileged and certified require to be CSP compliant [1]. 

This blocks partners who started with packaged apps not considering CSP. 

The expected behavior should be that only packaged apps of type "privileged" and "certified". Type undefined or web should not be validated (or validation set as warning and not blocking submission)!

[1]: http://mxr.mozilla.org/mozilla-central/source/b2g/app/b2g.js#359
Assignee: nobody → mattbasta
(Assignee)

Comment 1

5 years ago
Fixed as of here:

https://github.com/mozilla/zamboni/commit/885cf517ed1ca920945cd5113a692c87b8ad9362
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Comment 2

5 years ago
fyi, an app can also optionally specify a CSP in its manifest, see bug 773891, so it's good to see we took the path of giving warnings in this case :)
(Assignee)

Comment 3

5 years ago
An app can specify its own CSP, but the CSP cannot be looser than the default CSP. This means that none of the errors generated by the validator will be invalid.

Comment 4

5 years ago
(In reply to Matt Basta [:basta] from comment #3)
> An app can specify its own CSP, but the CSP cannot be looser than the
> default CSP. This means that none of the errors generated by the validator
> will be invalid.

ah, I see, thanks for the clarification !
You need to log in before you can comment on or make changes to this bug.