Firefox OS CSP 对特权应用程序的限制 [英] Firefox OS CSP restrictions on privileged apps

问题描述

为了测试 Firefox OS 的功能，我正在编写一个可以访问设备上各种 API 的特权应用程序，但我在开发中遇到了困难.我希望你能帮助我，我找不到任何有用的文档......我想从我的应用程序访问 Google Maps API，但这需要在应用程序包之外加载一个脚本(类似于 <script type="text/javascript" src="http://maps.googleapis.com/maps/api/js?....."></script>).由于特权应用程序中的 CSP 限制，这仅适用于模拟器，但在我的设备上我无法加载这些 API.有什么方法可以禁用 CSP 限制(仅用于测试目的)或解决此问题?我试过了

To test Firefox OS capabilities, I’m writing a privileged app that can have access to various APIs on the device, but I got stuck in the development. I hope you can help me, I cannot find any useful documentation... I’d like to have access to Google Maps APIs from my app, but this requires a script to be loaded outside of app package ( Something like <script type="text/javascript" src="http://maps.googleapis.com/maps/api/js?....."></script> ). Because of CSP restrictions in privileged apps, this works just with the simulator, but on my device I cannot load these APIs. Is there any way to disable CSP restrictions (for test purposes only) or any walk around for this problem? I tried

<iframe src="frame.html" sandbox="allow-same-origin allow-scripts"></iframe>,

但是 frame.html 都无法加载这些脚本...

But neither frame.html is able to load these scripts...

推荐答案

只有在构建/刷新自己的 Gaia 时，您才能禁用默认的 CSP 限制.然后你可以添加类似

You can disable the default CSP restrictions only if you're building/flashing your own Gaia. Then you can add something like

pref("security.apps.privileged.CSP.default", "default-src *; script-src *; object-src 'none'; style-src *");

到您的 Gaia 目录中的 build/custom-prefs.js 文件.请注意，虽然您可以这样做，但实际上这样做可能不是一个好主意，因为它不适用于任何未安装自定义 Gaia 的设备.特权应用需要具有打包应用中包含的所有脚本资源.

to the build/custom-prefs.js file on your Gaia directory. Note that this while you can do this, is probably not a good idea to actually do it since it won't work on any device that doesn't have your custom Gaia installed. Privileged apps need to have all the script resources included on the packaged app.

在您的情况下，更好的解决方案(并且唯一可以在真实设备上运行的解决方案)是在构建时获取 Google 的代码并将其包含在您的打包应用程序中(因此您将其用作 <scriptsrc='js/googlemapsapi.js'></script> 或类似的东西).

In your case, a better solution (and the only that would work on a real device) would be to fetch Google's code at build time and include it on your packaged app (so you use it as <script src='js/googlemapsapi.js'></script>or something like that).

这篇关于Firefox OS CSP 对特权应用程序的限制的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！