The issue wasn't caused by the inclusion of jQuery, it was caused by injection of a script tag that loads Google Maps in one of the files. Linking JS from outside the (privileged) packaged app will cause CSP errors. Unfortunately we didn't properly articulate the nature of the issue, but emails have been sent and bugs have been filed.
You can see Jeena's app on Github:
The bit of CSP-violating code in question, for those interested, has since been removed:
Unfortunately, static analysis is a hard problem to solve (especially in JS) and the messages produced by the validator are quite noisy. We're working to improve that. Combine that with the mystic and unusual nature of the CSP and you've got a recipe for confusion and disappointment.
Again, the app was NOT rejected because it included jQuery. If you're building FXOS apps, please use your favorite JS libraries (as long as they don't violate the CSP!) and keep on hacking!
Edit: I should also note that while the validator DOES report potential CSP issues, they are only warnings. While an app will obviously be rejected for actually violating the CSP (i.e.: the app is broken), it won't be rejected for simply raising warnings. It should also be noted that your app can be rejected for using jQuery if you use it in a way that violates the CSP (e.g.: using JSONP, or parsing HTML that contains remote script tags). There are loads of docs in the Marketplace developer hub and on MDN that talk about this and explain why it's the case.
If anyone has questions or would like to know more, please hit Mozilla or myself up directly: email@example.com, @mattbasta, firstname.lastname@example.org
You're also welcome to check out the source for the validator:
On http://jquerymobile.com there is a tool which lets you make your own custom jQuery mobile which has everything you need and this tool also added this extra file which I never needed for my app anyway.
Sorry for causing so much confusion.
Disclaimer: I am a Mozilla Rep. When you face this kind of issue there are some quick ways that you can reach us for feedback and issue solving:
1) You can write to email@example.com
2) You can talk on IRC channel: #app-reviewers on irc.mozilla.org
The IRC is the best option in my opinion because there are always a bunch of people there and its quicker to talk to a human than to exchange emails.
Some marketplace tools are still evolving and its only getting better. Whenever you find false positives or bugs in the app submission process, you can fill a bug report on bugzilla. People will notice and act upon it.
Also remember that the Firefox Marketplace is not your only venue for distribution, you can distribute your app on your own site using the Open Web Apps API (http://wiki.mozilla.org/WebAPI). This API works well for hosted apps and even though it is documented for packaged apps as well I am not sure it works for privileged packaged apps yet.
Firefox OS is a great system with lots of potential and Mozilla is more open about its processes than other vendors. I hope you stick around with us and keep developing great apps. I am sure your RSS reader will be aproved soon, can't wait to use it (and I like the flat version more than the previous one).
I am definitely sticking around, just the fact that I can write apps and run them on my own hardware without applying for permission every year is worth more then the money I gave apple for it. And as others stated, at Mozilla you still can talk to real people through some other channels, so you don't just have to give up.
so even Firefox OS is a walled garden? Telcos controlled what can be on your phone, Apple was able to wrestle them and overtake that control - control means money. Google follows the suit, forcing their in-app billing etc... Why would Mozilla support that ugly ancient "tradition"?
At the very least, the immediate first step needs to be an obvious method for dialogue with the app reviewers.
If its this hard to get an HTML/JS based app approved, maybe Mozilla should release some kind of supported library or SDK? It's amazing that you had to jump through this many hoops just to get XMLHTTPRequest support.
Having to play games with jQuery to strip out or alter some of its functionality just to get it to appease Mozilla really isn't much different than any other bug that might need to be patched to get jQuery to work in a certain situation.
"So I grabbed their code and tried checked if it would also produce warnings, and it did, almost as many as mine."
So, no, not so much. I believe you're confusing this with a statement made after it that does relate to jQuery Mobile.
If jQuery's build system has options to create a version that is compliant with our CSP, I don't see any reason to be up in arms.
As the one person on the list mentioned, the warnings should not be the reason for the rejection because they were kind of false positives, the only problematic thing is that they were.
They are still working out the issues I assume, it is a really young platform yet so it kind of could have been expected. I just wish there was a possibility to talk to the reviewer and ask them more questions.
I am using Jquery Mobile, Backbone Js for my app and planning to port it to Firefox OS. Please clarify.
Afterwards, the OP communicated with the mailing lists and was assured that these warnings are false positives, to be removed soon and hence should be ignored by reviewers, however, the OP managed to rewrite the app using only bare JS and avoiding jQuery before the first version was reviewed again. The second version was then submitted to the marketplace, didn’t throw any warnings and was supposedly much faster, too.
From memory, so there might well be some mistakes there.
Here is a link to the markdowned text:
Do you have any caching mechanisms?
(Rule #1 for submitting a blog post to a high-traffic site like HN is to first make sure you've got some sort of reasonable caching mechanism turned on.)
Edit: Also, Chrome and curl at least are using 256-bit AES for the TLS connection. This is overkill and can impact performance. Consider altering your configuration to use 128.
Before the next submit I will redo the website as static files, since I removed the comments there is no point of doing things dynamically anyway.
Unfortunate for a platform that's already launched.
At the bottom of every review email, it says you can just reply to the email if you have any questions. And as mentioned elsewhere in this thread, reviewers also hang out in #app-reviewers on irc.mozilla.org. We're really trying to make it as easy as possible to reach a real person!
You can still develop for Android with cordova instead.