Last Comment Bug 841840 - Packaged app get CSP-validation even if they are not privileged
: Packaged app get CSP-validation even if they are not privileged
Status: RESOLVED FIXED
:
Product: Marketplace
Classification: Server Software
Component: Validation (show other bugs)
: 1.0
: All All
: -- major (vote)
: ---
Assigned To: Matt Basta [:basta]
:
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-02-15 11:29 PST by Harald Kirschner :digitarald
Modified: 2013-03-07 13:13 PST (History)
4 users (show)
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments

Description Harald Kirschner :digitarald 2013-02-15 11:29:16 PST
Packaged apps always get validated, whereby on B2G only packaged apps with type privileged and certified require to be CSP compliant [1]. 

This blocks partners who started with packaged apps not considering CSP. 

The expected behavior should be that only packaged apps of type "privileged" and "certified". Type undefined or web should not be validated (or validation set as warning and not blocking submission)!

[1]: http://mxr.mozilla.org/mozilla-central/source/b2g/app/b2g.js#359
Comment 1 Matt Basta [:basta] 2013-02-15 16:00:07 PST
Fixed as of here:

https://github.com/mozilla/zamboni/commit/885cf517ed1ca920945cd5113a692c87b8ad9362
Comment 2 Ian Melven :imelven 2013-03-07 13:08:08 PST
fyi, an app can also optionally specify a CSP in its manifest, see bug 773891, so it's good to see we took the path of giving warnings in this case :)
Comment 3 Matt Basta [:basta] 2013-03-07 13:09:11 PST
An app can specify its own CSP, but the CSP cannot be looser than the default CSP. This means that none of the errors generated by the validator will be invalid.
Comment 4 Ian Melven :imelven 2013-03-07 13:13:42 PST
(In reply to Matt Basta [:basta] from comment #3)
> An app can specify its own CSP, but the CSP cannot be looser than the
> default CSP. This means that none of the errors generated by the validator
> will be invalid.

ah, I see, thanks for the clarification !

Note You need to log in before you can comment on or make changes to this bug.