I'm making a Firefox OS web app with jQuery.
The application type is privileged so that I can use systemXHR.
So I define the permission in the manifest file. The app works well in the simulator.
But when I push the app to the device and click any button, a CSP error is detected:
Error: Error: call to eval() blocked by CSP
Source File: app://0cd689b3-a514-4a1c-b1c4-efe372189761/js/jquery-1.9.1.js Line: 603
Device information
Example code is:
<div data-role="page" id="signinPageId">
    <script src="js/signin_controller.js"></script>
    <div data-role="header">
        <h3>Sign In</h3>
        <a href="#" data-icon="arrow-l" data-rel="back">Back</a>
    </div>
    <div data-role="content">
        <a id="signinBtn" href="#" data-role="button" class="ui-disabled">Sign In</a>
    </div>
</div>
The other script code is in signin_controller.js:
function enableSigninBtn(inputEl) {
    if (inputEl.val().length == 0) {
        $("#signinBtn").addClass("ui-disabled");
    } else {
        $("#signinBtn").removeClass("ui-disabled");
    }
}
................
................
$('#signinPageId').on('pagebeforeshow', function () {
    $('#emailForm').bind('keyup', function () {
        if ($(':input[type=password]').val().length) {
            enableSigninBtn($(this));
        }
    });
    $('#passwordForm').bind('keyup', function () {
        if ($(':input[type=email]').val().length) {
            enableSigninBtn($(this));
        }
    });
    $('#signinBtn').bind('click', function () {
        initSignIn($(':input[type=email]').val(), $(':input[type=password]').val());
    });
});
So I define the CSP in the manifest file:
"csp": "default-src *; script-src 'self' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline'",
"default_locale": "en",
"type": "privileged",
"permissions": {
    "systemXHR": {
        "description": "Required for communication with other server"
    }
}
How can I avoid this CSP error?
You can find information about privileged apps' CSP rules on MDN: https://developer.mozilla.org/en-US/docs/Web/Apps/CSP
I think by including unsafe-eval you're causing this error, because the CSP policy error you pasted is complaining about an unsafe eval.
Actually there is an open issue related to this in jquery: http://bugs.jquery.com/ticket/13862
Firefox OS privileged apps use a CSP like this: "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'"
(https://developer.mozilla.org/en-US/Apps/Developing/Packaged_apps)
So you are unable to relax CSP with that line in your manifest.
The only way to avoid this is to use a CSP compliant framework.
Instead of using a jQuery AJAX call, you can directly call your login service using XHR as:
var xhr = new XMLHttpRequest({mozSystem: true});
This way you won't be using jQuery's eval().
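A worked version of that suggestion, added here as an example and not part of the original answer: the sign-in request goes through a plain XMLHttpRequest created with mozSystem: true, and the server's reply is read with JSON.parse, so nothing in the login path needs eval() or 'unsafe-eval' in the manifest CSP. The endpoint URL, the email/password field names, the token field in the JSON response and the injectable XHRImpl parameter (which lets the flow be exercised off-device with a stand-in constructor) are assumptions made for this example.

```javascript
// Added example: CSP-compliant sign-in for a privileged Firefox OS app.
// Uses raw XMLHttpRequest with mozSystem:true (systemXHR) and JSON.parse,
// so the login path never reaches eval()/new Function().
// Endpoint, field names and response shape are assumptions for this example.

var SIGNIN_URL = "https://example.invalid/api/signin"; // placeholder endpoint

// Build an application/x-www-form-urlencoded body; every value is percent-encoded
// so characters like '&' and '=' in a password cannot break the request format.
function buildSignInBody(email, password) {
  return "email=" + encodeURIComponent(email) +
         "&password=" + encodeURIComponent(password);
}

// Turn the raw response into a result object without evaluating it as code.
// Rejects non-2xx statuses and bodies that are not JSON or carry no token,
// rather than trusting whatever the server returned.
function parseSignInResponse(status, responseText) {
  if (status < 200 || status >= 300) {
    throw new Error("sign-in failed with HTTP " + status);
  }
  var data = JSON.parse(responseText); // JSON.parse is allowed under CSP; eval is not
  if (typeof data.token !== "string" || data.token.length === 0) {
    throw new Error("sign-in response has no token");
  }
  return { ok: true, token: data.token };
}

// Issue the request. XHRImpl is an optional constructor so the flow can run
// outside the device (for example with a test double); on the device it defaults
// to the platform XMLHttpRequest.
function signIn(email, password, onDone, XHRImpl) {
  var Ctor = XHRImpl || (typeof XMLHttpRequest !== "undefined" ? XMLHttpRequest : null);
  if (!Ctor) {
    throw new Error("no XMLHttpRequest implementation available");
  }
  // mozSystem:true is the systemXHR request type: cross-origin without CORS,
  // only honoured when the manifest grants the systemXHR permission.
  var xhr = new Ctor({ mozSystem: true });
  xhr.open("POST", SIGNIN_URL, true);
  xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  xhr.onload = function () {
    try {
      onDone(null, parseSignInResponse(xhr.status, xhr.responseText));
    } catch (err) {
      onDone(err, null);
    }
  };
  xhr.onerror = function () {
    onDone(new Error("network error during sign-in"), null);
  };
  xhr.send(buildSignInBody(email, password));
  return xhr;
}

// In the page controller, the click handler would call:
//   signIn(emailValue, passwordValue, function (err, result) { ... });
```

The click handler in signin_controller.js can call signIn() with the two field values and handle the result in the callback; because the response is parsed, not executed, a hostile or malformed server reply produces an error object instead of running as script.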