Executing a script via AJAX on Firefox OS device

Problem description

My question regards the Apps CSP https://developer.mozilla.org/en-US/Apps/CSP

Here it says that all the remote script, inline script, javascript URIs, and other security issues won't work on a Firefox OS app.

So, I tried to download a script that is necessary for my app (Flurry and Ad service) and neither would work on the device. The way I made the call was with AJAX, that way I would avoid the remote and inline scripting that both scripts meant. In the simulator it works perfectly, but on the device the ads never show and the Flurry session never starts.

Here is the part of my code where I make the AJAX call for Flurry:

$.ajax({
    url: 'https://cdn.flurry.com/js/flurry.js',
    // With this dataType jQuery evaluates the response body as JavaScript
    dataType: "script",
    xhrFields: {
        mozSystem: true
    },
    success: function(msg){
        console && console.log("Script de Flurry: luego de la descarga en AJAX "+msg);
        flurryLibrary = true;
        FlurryAgent.startSession("7ZFX9Z4CVT66KJBVP7CF");
    },
    error: function(object,status,errortxt){
        console && console.log("The script wasn't downloaded as text. The error:" +errortxt);
        flurryLibrary = false;
    },
    // $.ajax has no "always" setting; "complete" runs after success or error
    complete: function(object,status){
        console && console.log("The script may or may not be downloaded or executed. Status: " +status);
    }
});

In my app I use the systemXHR permission and make the calls for other websites using this line:

request = new XMLHttpRequest({ mozSystem: true });

Which is the same as using the xhrFields{mozSystem:true} in the AJAX call.

I believe it's not a cross domain problem because in the rest of my app I make calls for xml files that are not in my domain, and the calls are returned successfully.

So, my question is, can a Firefox OS app execute scripts that are downloaded via AJAX? Is there a way to get around this problem?

Thanks for your time.

PS: I forgot to add that my app is privileged, just in case you ask

Recommended answer

I believe that is a security feature and the short answer to your question would be NO. To quote the CSP doc that you linked to yourself:

You cannot point a <script> at a remote JavaScript file. This means that all JS files that you reference must be included in your app's package.

If you load a JS file using ajax from a remote server, that JS is not included in your app package. You should be careful to obey CSP restrictions. It is possible to get many things working in the simulator or even the phone while developing without fully complying with CSP, but that does not mean it is OK. When you submit your app in future to any credible marketplace (such as Firefox Marketplace), it will be reviewed carefully to make sure it does not violate CSP restrictions. As a general rule of thumb, I would say any attempt at dynamically evaluating JS code will be a security risk and most likely banned by CSP regulations.
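
An added example, not part of the original question or answer: a small Node.js lint that flags the patterns this thread names (remote scripts, inline scripts, javascript: URIs, and dynamic evaluation such as jQuery's dataType: "script") in a packaged app's files before submission. The function names, rule ids, and the sample package with its placeholder host are constructed for illustration, and the regex matching is a heuristic.

```javascript
// Added example: heuristic lint for a packaged app (assumed names throughout).
// Regexes are a simplification; a real review would parse the HTML and JS.
const HTML_RULES = [
  // <script src="http(s)://..."> or protocol-relative: script is not in the package
  { id: 'remote-script', re: /<script\b[^>]*\bsrc\s*=\s*["']?\s*(?:https?:)?\/\/[^"'\s>]+/gi },
  // <script> without a src attribute and with a non-empty body
  { id: 'inline-script', re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>\s*[^<\s]/gi },
  // javascript: URIs in link-like attributes
  { id: 'javascript-uri', re: /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/gi },
];
const JS_RULES = [
  // Dynamic evaluation of strings as code
  { id: 'eval', re: /\beval\s*\(/g },
  { id: 'function-constructor', re: /\bnew\s+Function\s*\(/g },
  // jQuery evaluates the response body as JavaScript for this dataType
  { id: 'jquery-script-datatype', re: /\bdataType\s*:\s*["']script["']/g },
];

// 1-based line number of a match offset
function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

// files: { "relative/path": "file contents" } -> [{ file, line, rule }]
function scanPackage(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    const rules = /\.html?$/i.test(file) ? HTML_RULES : JS_RULES;
    for (const rule of rules) {
      for (const m of text.matchAll(rule.re)) {
        findings.push({ file, line: lineOf(text, m.index), rule: rule.id });
      }
    }
  }
  return findings;
}

// Constructed sample package; cdn.example.invalid is a placeholder host.
const samplePackage = {
  'index.html': ['<!DOCTYPE html>', '<script src="js/app.js"></script>',
    '<script src="https://cdn.example.invalid/lib.js"></script>',
    '<script>init();</script>', '<a href="javascript:void(0)">menu</a>'].join('\n'),
  'js/analytics.js': ['$.ajax({', "    url: 'https://cdn.example.invalid/lib.js',",
    '    dataType: "script",', '    xhrFields: { mozSystem: true }', '});'].join('\n'),
};

for (const f of scanPackage(samplePackage)) {
  console.log(`${f.file}:${f.line}: ${f.rule}`);
}
```

The locally packaged js/app.js reference on line 2 of the sample produces no finding, which is the form the quoted CSP text requires.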
