Question

I am a member of a team in charge of building a packaged Firefox OS application. Due to the restricted CSP policy for Firefox OS privileged applications I’ve added the ng-csp directive to the body of the application:

<body ng-app="the-app" ng-csp>

The CSP specification for Firefox OS privileged apps is: default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'

According to the logs I can get from the Firefox OS device, Angular seems to be calling eval() or the Function() constructor; both are blocked in Firefox OS privileged apps, and the app simply stops rendering.

I would like to know whether this is expected behavior, a known issue, or whether I am applying the directive incorrectly.

Anyone with a similar problem?

Thanks in advance.

Angular Version: v1.0.1

Error Log:

05-07 19:31:10.048: ERROR/GeckoConsole(1397): [JavaScript Error: "CSP ERROR: Couldn't parse invalid source 'unsafe-inline'"] 
05-07 19:31:10.048: ERROR/GeckoConsole(1397): [JavaScript Warning: "CSP WARN: Failed to parse unrecognized source 'unsafe-inline'"] 

<-- Dropped CSS tags -->

05-07 19:31:13.892: ERROR/GeckoConsole(1397): [JavaScript Error: "Error: call to Function() blocked by CSP" {file: "app://788ceebd-a9b7-4a98-a8b0-1ff248e40f52/scripts/vendor/d10639ae.angular.js" line: 6337}] 
05-07 19:31:13.912: ERROR/GeckoConsole(1397): [JavaScript Warning: "CSP WARN:  Directive eval script base restriction violated" {file: "app://788ceebd-a9b7-4a98-a8b0-1ff248e40f52/scripts/vendor/d10639ae.angular.js" line: 6337 column: 0 source: "call to eval() or related function blocked by CSP"}] 
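As an added illustration (not code from the question, from the answer, or from AngularJS itself): a small JavaScript parser for a CSP policy string such as the Firefox OS one quoted above, which predicts whether eval()/Function() and inline styles will be blocked under a given policy, together with the try/catch probe that detects the block at runtime. The policy constant is the one from the question; the function names and the fallback-to-default-src logic are assumptions of this example.

```javascript
// Added example, not part of the original question or of AngularJS.
// Parses a CSP policy string and predicts what the browser will block.

// Split "directive sources; directive sources" into a map of
// directive name -> array of source expressions. Directive names are
// case-insensitive; the first occurrence of a directive wins.
function parseCsp(policy) {
  const directives = {};
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Source list that governs a fetch directive: the directive itself if
// present, otherwise default-src; undefined means nothing restricts it.
function effectiveSources(directives, name) {
  if (name in directives) return directives[name];
  if ('default-src' in directives) return directives['default-src'];
  return undefined;
}

// Keyword sources such as 'unsafe-eval' match case-insensitively.
function hasKeyword(sources, keyword) {
  return sources.some((s) => s.toLowerCase() === keyword);
}

// eval(), new Function(), setTimeout(string) etc. run only when the
// effective script-src list contains 'unsafe-eval'.
function evalAllowed(directives) {
  const src = effectiveSources(directives, 'script-src');
  if (src === undefined) return true; // no policy on scripts at all
  return hasKeyword(src, "'unsafe-eval'");
}

// Inline <script> / <style> / style="" need 'unsafe-inline' in the
// effective list for the given directive (script-src or style-src).
function inlineAllowed(directives, name) {
  const src = effectiveSources(directives, name);
  if (src === undefined) return true;
  return hasKeyword(src, "'unsafe-inline'");
}

// Runtime probe: the classic feature-detection trick. Under a CSP
// without 'unsafe-eval' the constructor call throws, so this returns
// true; in Node or an unrestricted page it returns false.
function functionConstructorBlocked() {
  try {
    new Function('');
    return false;
  } catch (e) {
    return true;
  }
}

// The policy quoted in the question for Firefox OS privileged apps.
const FIREFOX_OS_PRIVILEGED_CSP =
  "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";

// Summarise what a policy implies for an app like the one in the question.
function describePolicy(policy) {
  const d = parseCsp(policy);
  return {
    evalAllowed: evalAllowed(d),
    inlineScriptAllowed: inlineAllowed(d, 'script-src'),
    inlineStyleAllowed: inlineAllowed(d, 'style-src'),
    pluginsAllowed: !(effectiveSources(d, 'object-src') || []).some(
      (s) => s.toLowerCase() === "'none'"
    ),
  };
}

console.log(describePolicy(FIREFOX_OS_PRIVILEGED_CSP));
console.log('Function() blocked here:', functionConstructorBlocked());
```

For the question's policy the summary comes out as evalAllowed: false and inlineScriptAllowed: false, which is exactly why any library code path that reaches the Function constructor dies with "call to Function() blocked by CSP"; inline styles are permitted by the 'unsafe-inline' in style-src. The static check is useful at build or review time, while the runtime probe is what a framework needs in order to switch itself to a CSP-safe mode automatically instead of relying on a directive such as ng-csp.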

Solution

I've managed to spot the cause of this problem. Apparently Angular calls the Function constructor even in CSP-safe mode (ng-csp) if I attempt to create a watcher in the $rootScope of the application. I've already made a post in the Angular Google Groups since this appears to be a bug. I've made a modification in the AngularJS library and got it working on the Firefox OS device. The link to the post is the following:

link

Cheers

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow