I am a member of a team in charge of building a packaged Firefox OS application.
Due to the restricted CSP policy for Firefox OS privileged applications I’ve added the ng-csp directive to the body of the application:
<body ng-app="the-app" ng-csp>
The CSP specification for Firefox OS privileged apps is:
default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'
According to the logs I can get from the Firefox OS device Angular seems to be calling eval() or the Function() constructor and both are blocked in Firefox OS privileged apps and the app simply stops rendering.
I would like to know if this is expected behavior, a known issue or am I applying the directive incorrectly?
Anyone with a similar problem?
Thanks in advance.
Angular Version: v1.0.1
Error Log:
05-07 19:31:10.048: ERROR/GeckoConsole(1397): [JavaScript Error: "CSP ERROR: Couldn't parse invalid source 'unsafe-inline'"]
05-07 19:31:10.048: ERROR/GeckoConsole(1397): [JavaScript Warning: "CSP WARN: Failed to parse unrecognized source 'unsafe-inline'"]
<-- Dropped CSS tags -->
05-07 19:31:13.892: ERROR/GeckoConsole(1397): [JavaScript Error: "Error: call to Function() blocked by CSP" {file: "app://788ceebd-a9b7-4a98-a8b0-1ff248e40f52/scripts/vendor/d10639ae.angular.js" line: 6337}]
05-07 19:31:13.912: ERROR/GeckoConsole(1397): [JavaScript Warning: "CSP WARN: Directive eval script base restriction violated" {file: "app://788ceebd-a9b7-4a98-a8b0-1ff248e40f52/scripts/vendor/d10639ae.angular.js" line: 6337 column: 0 source: "call to eval() or related function blocked by CSP"}]