Closed Bug 980342 Opened 11 years ago Closed 9 years ago

Wrong CSP warning on setTimeout

Categories

(Marketplace Graveyard :: Validation, defect, P3)

Avenir
x86_64
Linux
defect

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: clochix, Unassigned)

Details

(Whiteboard: [incorrect_implementation][marketplace-transition])

When validating a packaged application, I get warnings about possible CSP violations on calls to setTimeout, even if the first parameter of the call is a function. See https://marketplace.firefox.com/developers/upload/878076a27c36471ba0df6171e3f569e2 for the full report (I know that some warnings are accurate, but others are not).
Priority: -- → P3
Whiteboard: [incorrect_implementation]
Component: Developer Pages → Validation
The code looks like this:

    function foo(handler) {
      setTimeout(handler, 0);
    }

The validator doesn't know if "handler" will be a variable or a function, so it warns. Not sure what we can do to avoid it.
This bug affects me too. I'm using ampersand-router as a dependency in my app, which has a piece of code that looks like this:

    this._checkUrlInterval = setInterval(this.checkUrl, this.interval);
    //...
    checkUrl: function (e) {
      var current = this.getFragment();
      if (current === this.fragment) return false;
      this.loadUrl();
    }

So this.checkUrl is clearly a function, but it still fails validation. Does that mean the validator doesn't do any real static code analysis? Is there any way to get around this short of changing the dependency?
Sorry, I guess this.checkUrl in my example above could theoretically be changed to something else, so there's no way to know for sure ahead of time. Still, I wish there were a way to get around this, especially since it comes up in a third-party dependency and not my own code.
You summed up the issue :) It's just a warning though.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
Whiteboard: [incorrect_implementation] → [incorrect_implementation][marketplace-transition]
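The distinction the thread arrives at, as an added example that is not part of the original bug and not the Marketplace validator's code: a simplified text-based check that sorts the first argument of each timer call into a string literal, a function literal, or a value whose type cannot be seen statically. The names TIMER_CALL, firstArgument, classify, auditTimers and SAMPLE are hypothetical, and comments and regex literals in the scanned source are not handled.

```javascript
// Added illustration, not the Marketplace validator's code.
const TIMER_CALL = /\b(setTimeout|setInterval)\s*\(/g;

// Text of the first argument, starting just past the opening "(".
// Tracks bracket nesting and string literals so inner commas are skipped.
function firstArgument(src, start) {
  let depth = 0, quote = null;
  for (let i = start; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === '\\') i++;               // skip the escaped character
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'" || ch === '`') {
      quote = ch;
    } else if ('([{'.includes(ch)) {
      depth++;
    } else if (')]}'.includes(ch) || ch === ',') {
      if (depth === 0) return src.slice(start, i).trim();
      if (ch !== ',') depth--;
    }
  }
  return src.slice(start).trim();
}

// 'string'   evaluated as code; blocked by a CSP without 'unsafe-eval'.
// 'function' literal function or arrow; nothing is evaluated from text.
// 'unknown'  identifier, member or call; runtime type not visible here.
function classify(arg) {
  if (/^["'`]/.test(arg)) return 'string';
  if (/^(async\s+)?function\b/.test(arg)) return 'function';
  if (/^(async\s+)?(\([^)]*\)|[A-Za-z_$][\w$]*)\s*=>/.test(arg)) return 'function';
  return 'unknown';
}

function auditTimers(src) {
  return [...src.matchAll(TIMER_CALL)].map((m) => {
    const arg = firstArgument(src, m.index + m[0].length);
    return { call: m[1], arg, verdict: classify(arg) };
  });
}

// Constructed sample: the two snippets from the thread plus three literals.
const SAMPLE = `function foo(handler) { setTimeout(handler, 0); }
this._checkUrlInterval = setInterval(this.checkUrl, this.interval);
setTimeout(function () { tick(); }, 100);
setTimeout(() => tick(1, 2), 100);
setTimeout("tick()", 100);`;

console.log(auditTimers(SAMPLE));
```

Both snippets quoted in the thread come out as 'unknown', which is the case that produces the warning; only the quoted-string call is a definite violation.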