Closed Bug 967724 Opened 11 years ago Closed 11 years ago

Validator should indicate if we accept certain js libraries

Categories

(Marketplace Graveyard :: Validation, defect, P3)

Avenir
x86
macOS
defect

Tracking

(Not tracked)

VERIFIED FIXED
2014-10-28

People

(Reporter: jweathersby, Assigned: mat)

Details

(Whiteboard: [repoman])

When using external libraries in a packaged app, the user is warned of CSP violations using the validator and it still passes validation. Are these apps still approved in the Marketplace even if they are privileged? If so, which libraries are OK? It would be nice to give the developer some more details on which libraries are OK to use with a privileged app.
Agreed, this is a confusing matter. Maybe we should consider hosting some libraries on our platform? I guess this is what Google does with their CDN service. Or we could whitelist theirs.
Priority: -- → P3
See https://github.com/mozilla/amo-validator/blob/master/extras/jslibfetcher.py where the addon validator does the same thing. Note we wouldn't necessarily want all the same libraries.
Agreed, we are losing a lot of time with developers about this, and it creates a lot of frustrations on their side.
Whiteboard: [repoman]
So, is this just a matter of porting that from amo-validator over to app-validator? Which libraries do you want in there? Do we need documentation written in MDN or elsewhere about what libraries to accept?
Flags: needinfo?(awilliamson)
(In reply to Andy McKay [:andym] from comment #4)
> So, is this just a matter of porting that from amo-validator over to
> app-validator?

I think so.

> Which libraries do you want in there?

jquery to start with. We can add more as necessary.

> Do we need documentation written in MDN or elsewhere about what libraries to accept?

Probably :) Though it doesn't need to be an exclusive list like with AMO - we will accept versions and libraries outside of the whitelist.
Flags: needinfo?(awilliamson)
We already have a whitelist system similar to the one in AMO (*) - it's just that nobody maintained the list of libraries and nobody has re-run the script to build the hashes.

(*) Looks like it's based on an old version of amo-validator - we should try to update it.
Assignee: nobody → mpillard
I don't think there have been any changes to the functionality of jslibfetcher in the past 2 years since the fork; it's just been updated with the latest versions. But I think just jquery at this point.
There have been some changes we'll want to pick up, like https://github.com/mozilla/amo-validator/commit/1557fa06a96966a6fbacd1733383ae83ad3b0614 which adds a comment beside each hash so that you know what the hash actually maps to :) I'll probably just copy the latest version over.
Status: NEW → ASSIGNED
Fixed in https://github.com/mozilla/app-validator/commit/36bf9c00a9bf098abc8adc6931a03ffe134f076b

I chose to whitelist roughly what AMO whitelists, so the following libs are whitelisted: jquery, extjs, dojo, mootools, prototype, scriptaculous, underscore, swfobject, yui

To test:
- Make a packaged app
- Include jquery in the .zip file (from http://jquery.com/download/)
- Test that it validates without CSP warnings.
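The hash whitelist discussed in this bug, sketched as an added example (this is not code from app-validator or amo-validator): scripts in a packaged app whose digest matches a listed library are recognised, and everything else still goes through the normal checks. The SHA-256 digest, the `hash  # label` line format, and the names `parse_hash_list`, `classify_scripts`, `SAMPLE_LIB` and `SAMPLE_LIST` are assumptions made for illustration; the sample package is constructed.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for a released library file (not a real library).
SAMPLE_LIB = b"/* constructed stand-in for a released library file */\n"

def parse_hash_list(text):
    """Parse 'sha256hex  # label' lines (assumed format) into {digest: label}."""
    known = {}
    for line in text.splitlines():
        entry, _, label = line.partition("#")
        digest = entry.strip().lower()
        if not digest:
            continue  # blank or comment-only line
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("malformed hash entry: %r" % line)
        known[digest] = label.strip() or "(unlabelled)"
    return known

def classify_scripts(package_bytes, known):
    """Return ({path: label} for whitelisted files, [paths] that still need checks)."""
    recognised, to_scan = {}, []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for info in pkg.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".js"):
                continue
            # Match on file content, never on file name.
            digest = hashlib.sha256(pkg.read(info)).hexdigest()
            if digest in known:
                recognised[info.filename] = known[digest]
            else:
                to_scan.append(info.filename)
    return recognised, sorted(to_scan)

def build_sample_package():
    """Constructed packaged app: pristine library, edited copy, app script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("js/lib.js", SAMPLE_LIB)
        pkg.writestr("js/lib-patched.js", SAMPLE_LIB + b"// local edit\n")
        pkg.writestr("js/app.js", b"console.log('app code');\n")
        pkg.writestr("manifest.webapp", b"{}")
    return buf.getvalue()

SAMPLE_LIST = "# constructed list\n%s  # samplelib 1.0 (constructed)\n" % (
    hashlib.sha256(SAMPLE_LIB).hexdigest())

if __name__ == "__main__":
    print(classify_scripts(build_sample_package(), parse_hash_list(SAMPLE_LIST)))
```

Because matching is on the exact file content, the edited copy `js/lib-patched.js` is not recognised and is still scanned along with the app's own code.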
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2014-10-28
Verified as fixed in FF36 (Win7) in marketplace-dev.allizom.org. I have included the jquery in a packaged app and no CSP warnings were displayed. Closing.
Status: RESOLVED → VERIFIED