I am a member of the team responsible for creating the packaged Firefox OS application. Due to the limited CSP policy for privileged applications in Firefox OS, I've added the ng-csp directive to the application body:
<body ng-app="the-app" ng-csp>
CSP Specification for Preferred Firefox OS Applications: default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'
According to the logs I can get from a Firefox OS device, Angular seems to call eval() or the Function() constructor, and both of them are blocked in Firefox OS privileged applications, and the application just stops rendering.
I would like to know if this is the expected behavior, a known problem, or am I applying this directive incorrectly?
Anyone with a similar problem?
Thanks in advance.
Angular Version: v1.0.1
Error Log:
05-07 19:31:10.048: ERROR/GeckoConsole(1397): [JavaScript Error: "CSP ERROR: Couldn't parse invalid source 'unsafe-inline'"]
05-07 19:31:10.048: ERROR/GeckoConsole(1397): [JavaScript Warning: "CSP WARN: Failed to parse unrecognized source 'unsafe-inline'"]
<-- Dropped CSS tags -->
05-07 19:31:13.892: ERROR/GeckoConsole(1397): [JavaScript Error: "Error: call to Function() blocked by CSP" {file: "app://788ceebd-a9b7-4a98-a8b0-1ff248e40f52/scripts/vendor/d10639ae.angular.js" line: 6337}]
05-07 19:31:13.912: ERROR/GeckoConsole(1397): [JavaScript Warning: "CSP WARN: Directive eval script base restriction violated" {file: "app://788ceebd-a9b7-4a98-a8b0-1ff248e40f52/scripts/vendor/d10639ae.angular.js" line: 6337 column: 0 source: "call to eval() or related function blocked by CSP"}]
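An added example, not part of the original post: a small checker that parses the policy quoted in the question and reports whether string-to-code calls (eval(), new Function()) are permitted, plus a filter that pulls the eval-related violations out of console output. The function names, the sample log lines and the app:// host are constructed for illustration.

```javascript
// Added example, not from the original post.
// Parse a CSP string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Decide whether eval() / new Function() are permitted under the policy.
function evalStatus(policy) {
  const d = parseCsp(policy);
  // script-src governs scripts; default-src applies only if script-src is absent.
  const governing = ['script-src', 'default-src'].find((n) => d.has(n)) || null;
  if (governing === null) return { governing, evalAllowed: true };
  // '*' and 'self' match script origins only; string-to-code needs 'unsafe-eval'.
  const evalAllowed = d.get(governing).some((s) => s.toLowerCase() === "'unsafe-eval'");
  return { governing, evalAllowed };
}

// Pull eval-related CSP violations (with file and line) out of console output.
function evalViolations(logText) {
  const re = /\[JavaScript (Error|Warning): "([^"]*)"(?: \{file: "([^"]*)" line: (\d+))?/g;
  const hits = [];
  for (const m of logText.matchAll(re)) {
    if (!/blocked by CSP|eval script/i.test(m[2])) continue;
    hits.push({ level: m[1], file: m[3] || null, line: m[4] ? Number(m[4]) : null });
  }
  return hits;
}

// Policy as quoted in the question.
const PRIVILEGED_CSP = "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";
// Constructed log lines in the question's format; the app:// host is a placeholder.
const SAMPLE_LOG = [
  `[JavaScript Error: "CSP ERROR: Couldn't parse invalid source 'unsafe-inline'"]`,
  '[JavaScript Error: "Error: call to Function() blocked by CSP" {file: "app://example-app/scripts/angular.js" line: 6337}]',
  '[JavaScript Warning: "CSP WARN: Directive eval script base restriction violated" {file: "app://example-app/scripts/angular.js" line: 6337 column: 0}]',
].join('\n');

console.log(evalStatus(PRIVILEGED_CSP), evalViolations(SAMPLE_LOG));
```

For the quoted policy the governing directive is script-src 'self', which carries no 'unsafe-eval', so any library code path that compiles strings into functions is refused regardless of default-src *.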