javascriptjqueryajaxfirefox-os

Executing a script via AJAX on Firefox OS device


My question regards the Apps CSP https://developer.mozilla.org/en-US/Apps/CSP

Here it says that all the remote script, inline script, javascript URIs, and other security issues won't work on a Firefox OS app.

So, I tried to download a script that is necessary for my app (Flurry and Ad service) and neither would work on the device. The way I made the call was with AJAX, that way I would avoid the remote and inline scripting that both scripts ment. In the simulator works perfectly, but on the device the ads never show and the Flurry session never starts.

Here is the part of my code where I make the AJAX call for Flurry:

$.ajax({
            url: 'https://cdn.flurry.com/js/flurry.js',
            dataType: "script",
            xhrFields: {
                mozSystem: true
            },
            success: function(msg){
                console && console.log("Script de Flurry: luego de la descarga en AJAX "+msg);
                flurryLibrary = true;
                FlurryAgent.startSession("7ZFX9Z4CVT66KJBVP7CF");
            },
            error:function(object,status,errortxt){
                console && console.log("The script wasn't downloaded as text. The error:" +errortxt);
                flurryLibrary = false;
            },
            always: function(object,status,errortxt){
                console && console.log("The script may or may not be downloaded or executed. The error could be:" +errortxt);
            }
        });

In my app I use the systemXHR permission and make the calls for other websites using this line:

request = new XMLHttpRequest({ mozSystem: true });

Wich is the same as using the xhrFields{mozSystem:true} in the AJAX call.

I believe it's not a cross domain problem because in the rest of my app I make calls for xml files that are not in my domain, and the calls are returned succesfully.

So, my question is, can a Firefox OS app execute scripts that are downloaded via AJAX? Is there a way to get around this problem?

Thank you for your time.

PS: I forgot to add that my app is privileged, just in case you ask


Solution

  • I believe that is a security feature and the short answer to your question would be NO. To quote the CSP doc that you linked to yourself:

    You cannot point a at a remote JavaScript file. This means that all JS files that you reference must be included in your app's package.

    If you load a JS file using ajax from a remote server, that JS is not included in your app package. You should be careful to obey CSP restrictions. It is possible to get many things working in the simulator or even the phone while developing without fully complying to CSP, but that does not mean it is OK. When you submit your app in future to any credible marketplace (such as Firefox Marketplace), it will be reviewed carefully to make sure it does not violate CSP restrictions. As a general rule of thumb, I would say any attempt at dynamically evaluating JS code will be a security risk and most likely banned by CSP regulations.