
My Firefox OS app was rejected for using jQuery in a privileged app - jeena
https://jeena.net/firefox-os-app-rejected
======
bastawhiz
Firefox Marketplace developer here:

The issue wasn't caused by the inclusion of jQuery, it was caused by injection
of a script tag that loads Google Maps in one of the files. Linking JS from
outside the (privileged) packaged app will cause CSP errors. Unfortunately we
didn't properly articulate the nature of the issue, but emails have been sent
and bugs have been filed.

You can see Jeena's app on Github:

[https://github.com/jeena/FeedMonkey](https://github.com/jeena/FeedMonkey)

The bit of CSP-violating code in question, for those interested, has since
been removed:

[https://github.com/jeena/FeedMonkey/commit/f262509adbdcf5d06...](https://github.com/jeena/FeedMonkey/commit/f262509adbdcf5d068be1df1277b136667ce868b#L6L61)

Unfortunately, static analysis is a hard problem to solve (especially in JS)
and the messages produced by the validator are quite noisy. We're working to
improve that. Combine that with the mystic and unusual nature of the CSP and
you've got a recipe for confusion and disappointment.

Again, the app was NOT rejected because it included jQuery. If you're building
FXOS apps, please use your favorite JS libraries (as long as they don't
violate the CSP!) and keep on hacking!

Edit: I should also note that while the validator DOES report potential CSP
issues, they are only warnings. While an app will obviously be rejected for
_actually_ violating the CSP (i.e.: the app is broken), it won't be rejected
for simply raising warnings. It should also be noted that your app _can_ be
rejected for using jQuery if you use it in a way that violates the CSP (e.g.:
using JSONP, or parsing HTML that contains remote script tags). There are
loads of docs in the Marketplace developer hub and on MDN that talk about this
and explain why it's the case.

If anyone has questions or would like to know more, please hit Mozilla or
myself up directly: dev-webapps@lists.mozilla.org, @mattbasta,
basta@mozilla.com

You're also welcome to check out the source for the validator:

[https://github.com/mozilla/app-validator](https://github.com/mozilla/app-validator)
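
Added example, not part of the comment above and not code from mozilla/app-validator: a small Node.js scanner for the patterns that comment names (remote script tags, injected script elements, JSONP), plus inline scripts and eval. It assumes the privileged-app policy restricts scripts to `script-src 'self'`; the function names and sample input are constructed for illustration.

```javascript
// Added example: heuristic CSP pre-check for a packaged app's sources.
// Assumption: scripts are limited to script-src 'self' (package-local files only).
const JS_PATTERNS = [
  { kind: 'dynamic-script', re: /createElement\(\s*['"]script['"]\s*\)/ },
  { kind: 'eval', re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { kind: 'jsonp', re: /dataType\s*:\s*['"]jsonp['"]|[?&]callback=\?/ },
];

// Scan HTML for <script> tags that load remote code or carry inline code.
function auditHtml(html) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    if (src) {
      // Absolute (scheme://) or protocol-relative (//host) URLs leave the package.
      if (/^(?:[a-z][a-z0-9+.-]*:)?\/\//i.test(src[1])) {
        findings.push({ kind: 'remote-script', detail: src[1] });
      }
    } else if (m[2].trim() !== '') {
      findings.push({ kind: 'inline-script', detail: m[2].trim().slice(0, 40) });
    }
  }
  return findings;
}

// Scan JS source line by line; each hit is a warning to review, not a verdict.
function auditJs(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const { kind, re } of JS_PATTERNS) {
      if (re.test(line)) findings.push({ kind, line: i + 1 });
    }
  });
  return findings;
}

// Constructed sample input (hypothetical host and file names).
const SAMPLE_HTML = `
<script src="js/jquery.js"></script>
<script src="https://maps.example.com/api.js"></script>
<script>init();</script>`;
const SAMPLE_JS = `var s = document.createElement('script');
s.src = 'https://maps.example.com/api.js';
$.ajax({ url: u, dataType: 'jsonp' });
$('#list').show();`;

console.log(auditHtml(SAMPLE_HTML), auditJs(SAMPLE_JS));
```

The bundled `js/jquery.js` tag passes; the remote tag, the inline block, the injected script element and the JSONP call are reported for manual review.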

~~~
hartator
Is it okay to link directly to the GitHub source? It's a public GitHub
repository, sure; however, jeena hasn't taken the initiative to publish the
GitHub URL; maybe he doesn't want this to be public yet. He may just not have
the money to make the repository private.

~~~
bdonlan
It's under the MIT license and in a public github repo - shouldn't that be
enough? If you don't want your code public, don't put it in a public repo (if
you can't afford a private one, just use git locally) and certainly don't
stick an open-source license on it.

------
soapdog
Hi Jeena,

Disclaimer: I am a Mozilla Rep. When you face this kind of issue there are
some quick ways that you can reach us for feedback and issue solving:

1) You can write to app-reviewers@mozilla.org

2) You can talk on IRC channel: #app-reviewers on irc.mozilla.org

The IRC is the best option in my opinion because there are always a bunch of
people there and it's quicker to talk to a human than to exchange emails.

Some marketplace tools are still evolving and it's only getting better.
Whenever you find false positives or bugs in the app submission process, you
can file a bug report on bugzilla. People will notice and act upon it.

Also remember that the Firefox Marketplace is not your only venue for
distribution, you can distribute your app on your own site using the Open Web
Apps API ([http://wiki.mozilla.org/WebAPI](http://wiki.mozilla.org/WebAPI)).
This API works well for hosted apps and even though it is documented for
packaged apps as well I am not sure it works for privileged packaged apps yet.

Firefox OS is a great system with lots of potential and Mozilla is more open
about its processes than other vendors. I hope you stick around with us and
keep developing great apps. I am sure your RSS reader will be approved soon,
can't wait to use it (and I like the flat version more than the previous one).

~~~
fabrice_d
Indeed you can self-host and use the owa API to let user install your hosted
or packaged application. This will not let you install privileged apps though
since they have to be reviewed.

~~~
VladRussian2
> This will not let you install privileged apps though since they have to be reviewed.

So even Firefox OS is a walled garden? Telcos controlled what can be on your
phone, Apple was able to wrestle them and overtake that control - control
means money. Google follows suit, forcing their in-app billing etc... Why
would Mozilla support that ugly ancient "tradition"?

~~~
gnur
Safety. If you don't have restrictions, you get something like Windows/OS X.
Everyone can install anything they want from any source and that is also what
makes Windows/OS X much more vulnerable than Android or iOS. Privileged apps
are special applications with more permissions than normal apps, for example
they can access the sd-card, while normal (web-installed) applications cannot.
For more information you could take a look at:
[https://developer.mozilla.org/en-US/docs/Web/Apps/App_permis...](https://developer.mozilla.org/en-US/docs/Web/Apps/App_permissions)

------
zenocon
Title kinda stinks. Seems like they're working out the quirks in their review
process. Nothing to see here, really.

------
nknighthb
This is at once better and worse than it seems. They're not rejecting jQuery
as a matter of policy, but their review mechanism seems seriously broken, and
isn't even conceptually an improvement on Apple's, except that the nature of
Mozilla's organization means you can go outside it to try and get real
answers.

At the very least, the immediate first step needs to be an obvious method for
dialogue with the app reviewers.

------
nacs
Congrats on sticking with it long enough (and rewriting it) to get it
approved.

If it's this hard to get an HTML/JS based app approved, maybe Mozilla should
release some kind of supported library or SDK? It's amazing that you had to
jump through this many hoops just to get XMLHTTPRequest support.

~~~
jeena
This is a special case, it is a privileged application that is getting more
permissions than normal ones. Therefore they don't want you to load code from
the internet and run it on people's phones.

------
pearjuice
So every Firefox app needing jQuery needs to include it in its code base?
Doesn't the OS have shared libraries or something? Especially jQuery which, my
estimate is, will be used a lot by app developers to interact with the DOM.

~~~
jeena
I assume it is because the libs are just a couple of KB and it also only is
for privileged apps which are not allowed to link to external servers (which
then would use the normal cache mechanisms). And because of all the version
incompatibility it is just not worth the effort.

------
leokun
The OP title is accurate, that's the title of the post linked to, but it is
still misleading since the app was not rejected for using jQuery, you can use
jQuery to build Firefox OS apps, you just have to build it a certain way.

~~~
jeena
Hm you're right, perhaps I should change it to "My Firefox OS app was rejected
for using jQuery in a privileged app", I will try to change it.

~~~
leokun
No, that's still not right, because it wasn't for using jQuery. It was for
using versions of jQuery that did unsafe things. You can use versions of
builds of jQuery that does eval JavaScript and not get rejected.

~~~
PommeDeTerre
That's sort of a useless distinction to make, in practice. If jQuery isn't
usable as-is, then it could very well be said that this problem is at least
partially due to using jQuery.

Having to play games with jQuery to strip out or alter some of its
functionality just to get it to appease Mozilla really isn't much different
than any other bug that might need to be patched to get jQuery to work in a
certain situation.

~~~
leokun
Can you use jQuery with Firefox OS, yes or no? The answer is yes. The Firefox
OS devs even provided the author with a version of jQuery that works as-is.
Thus the title is misleading. Maybe it should say it is not compatible with
jQuery Mobile, which would be less surprising, because it is a giant
everything and the kitchen sink of a library that more closely resembles
jQuery UI than jQuery. I've had trouble with jQuery Mobile and Android in the
past.

~~~
nknighthb
You're reciting how things are _supposed_ to work, not how they _are_ working.
The provided jQuery version did _not_ work. I do not believe you carefully
read the entire blog post.

~~~
leokun
I did read it, the provided jQuery did not work with jQuery Mobile, but it
does work with Firefox OS.

~~~
nknighthb
To quote the post:

"So I grabbed their code and tried checked if it would also produce warnings,
and it did, almost as many as mine."

So, no, not so much. I believe you're confusing this with a statement made
after it that _does_ relate to jQuery Mobile.

------
jeena
For those who are interested, my app just got approved, you can find it here:
[https://marketplace.firefox.com/app/feedmonkey/](https://marketplace.firefox.com/app/feedmonkey/)

------
chatman
Misleading title, you can use jQuery! Just follow the advice from the
reviewers. They seem to be quite open, responsive and supportive. And
reasonable too, if I may say so.

------
govindk22
Just to be clear, can we use jQuery Mobile for a Firefox Marketplace app or not?

I am using jQuery Mobile and Backbone.js for my app and planning to port it to
Firefox OS. Please clarify.

------
obilgic
Why am I seeing "Edit | Destroy" links on your blog?

~~~
jeena
Ah I made a static copy of the html when I was logged in so it would be faster
to load, didn't think about the edit links.

------
kevingadd
Site is not responding. Anyone want to summarize?

~~~
nknighthb
The tl;dr seems to be that Mozilla's static analysis tools have some
significant issues, their review team's apparent understanding of policies
seems at odds with the understanding of at least some important Mozilla devs,
and the review process itself lacks a mechanism for dialogue with the
reviewers.

Unfortunate for a platform that's already launched.

~~~
lisabrewster
Firefox Marketplace app review manager here...

At the bottom of every review email, it says you can just reply to the email
if you have any questions. And as mentioned elsewhere in this thread,
reviewers also hang out in #app-reviewers on irc.mozilla.org. We're really
trying to make it as easy as possible to reach a real person!

~~~
jeena
Oddly enough I never got an email, I just saw my rejection on the website.

------
programminggeek
Wow I haven't used jQuery Mobile in over a year and it's still slow and
terrible as ever? Well at least it wasn't just me.

------
artificialidiot
"My Firefox OS app was rejected for using potentially unsafe code in a
privileged app"

You can still develop for Android with Cordova instead.

