My Firefox OS app was rejected for using jQuery in a privileged app (jeena.net)
54 points by jeena on Aug 25, 2013 | 43 comments



Firefox Marketplace developer here:

The issue wasn't caused by the inclusion of jQuery, it was caused by injection of a script tag that loads Google Maps in one of the files. Linking JS from outside the (privileged) packaged app will cause CSP errors. Unfortunately we didn't properly articulate the nature of the issue, but emails have been sent and bugs have been filed.

You can see Jeena's app on Github:

https://github.com/jeena/FeedMonkey

The bit of CSP-violating code in question, for those interested, has since been removed:

https://github.com/jeena/FeedMonkey/commit/f262509adbdcf5d06...

Unfortunately, static analysis is a hard problem to solve (especially in JS) and the messages produced by the validator are quite noisy. We're working to improve that. Combine that with the mystic and unusual nature of the CSP and you've got a recipe for confusion and disappointment.

Again, the app was NOT rejected because it included jQuery. If you're building FXOS apps, please use your favorite JS libraries (as long as they don't violate the CSP!) and keep on hacking!

Edit: I should also note that while the validator DOES report potential CSP issues, they are only warnings. While an app will obviously be rejected for actually violating the CSP (i.e.: the app is broken), it won't be rejected for simply raising warnings. It should also be noted that your app can be rejected for using jQuery if you use it in a way that violates the CSP (e.g.: using JSONP, or parsing HTML that contains remote script tags). There are loads of docs in the Marketplace developer hub and on MDN that talk about this and explain why it's the case.

If anyone has questions or would like to know more, please hit Mozilla or myself up directly: dev-webapps@lists.mozilla.org, @mattbasta, basta@mozilla.com

You're also welcome to check out the source for the validator:

https://github.com/mozilla/app-validator
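To make the reviewer's point concrete, here is an added example (my own code, not from the thread, FeedMonkey or mozilla/app-validator) of a small pre-submission scan for the patterns the comment above says actually trip the privileged-app CSP: a remote script tag, JSONP, and eval-like code. It assumes the privileged-app policy documented on MDN at the time (default-src *; script-src 'self'; no 'unsafe-eval'); the sample sources are constructed, not the real app's files.

```javascript
// Heuristic, regex-based checks, so like any static analysis they can be noisy.
const LINE_CHECKS = [
  { id: "remote-script-tag",
    re: /<script\b[^>]*\bsrc\s*=\s*["']?(?:https?:)?\/\//i,
    why: "script tag with a remote src is blocked by script-src 'self'" },
  { id: "jsonp-callback",
    re: /[?&]callback=/i,
    why: "JSONP works by injecting a remote script; use XMLHttpRequest instead" },
  { id: "eval-like",
    re: /\beval\s*\(|\bnew\s+Function\s*\(|\bset(?:Timeout|Interval)\s*\(\s*["'`]/,
    why: "eval, new Function and string timers need 'unsafe-eval', which the policy omits" },
];
// A remote URL assigned to .src only matters for script elements (images and
// XHR targets are allowed by default-src *), so this check is file-level and
// fires only when the same file also creates a script element.
const CREATES_SCRIPT = /createElement\s*\(\s*["'`]script["'`]\s*\)/i;
const REMOTE_SRC = /\.src\s*=\s*["'`](?:https?:)?\/\//i;

function scanSource(fileName, source) {
  const findings = [];
  const lines = source.split("\n");
  lines.forEach((line, i) => {
    for (const c of LINE_CHECKS) {
      if (c.re.test(line)) findings.push({ file: fileName, line: i + 1, id: c.id, why: c.why });
    }
  });
  if (CREATES_SCRIPT.test(source)) {
    lines.forEach((line, i) => {
      if (REMOTE_SRC.test(line)) findings.push({ file: fileName, line: i + 1,
        id: "dynamic-remote-script", why: "script element pointed at a remote URL" });
    });
  }
  return findings;
}

// Constructed samples: a Maps-style loader of the kind a toolkit's custom
// builder might bundle, a JSONP fetch, and a CSP-clean systemXHR request.
const MAPS_LOADER = ['var s = document.createElement("script");',
  's.src = "https://maps.googleapis.com/maps/api/js?sensor=false";',
  'document.head.appendChild(s);'].join("\n");
const JSONP_FETCH = '$.getJSON("http://example.invalid/feeds?callback=?", render);';
const CLEAN_XHR = ['var xhr = new XMLHttpRequest({ mozSystem: true }); // needs systemXHR',
  'xhr.open("GET", "https://rss.example.invalid/api/", true);',
  'xhr.onload = function () { render(JSON.parse(xhr.responseText)); };',
  'xhr.send();'].join("\n");

function summary() {
  return { maps: scanSource("maps.js", MAPS_LOADER).map(f => f.id),
           jsonp: scanSource("feed.js", JSONP_FETCH).map(f => f.id),
           clean: scanSource("feed.js", CLEAN_XHR).map(f => f.id) };
}
```

Run `scanSource` over each file in the packaged app before submitting; an empty result is not proof of compliance, only that none of these known patterns are present.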


Thank you very much for the explanation, just read it on the mailing list too. I will update my article accordingly.

On http://jquerymobile.com there is a tool which lets you make your own custom jQuery Mobile build that has everything you need, and this tool also added this extra file which I never needed for my app anyway.

Sorry for causing so much confusion.


Is it okay to link directly to the github source? It's a public github repository, sure, however jeena hasn't taken the initiative to publish the github URL; maybe he doesn't want this to be public yet. He may just not have the money to make the repository private.


It's under the MIT license and in a public github repo - shouldn't that be enough? If you don't want your code public, don't put it in a public repo (if you can't afford a private one, just use git locally) and certainly don't stick an open-source license on it.


Yes it is obviously ok, I also linked to it from my own article.


Hi Jeena,

Disclaimer: I am a Mozilla Rep. When you face this kind of issue there are some quick ways that you can reach us for feedback and issue solving:

1) You can write to app-reviewers@mozilla.org

2) You can talk on the IRC channel #app-reviewers on irc.mozilla.org

The IRC is the best option in my opinion because there are always a bunch of people there and it's quicker to talk to a human than to exchange emails.

Some marketplace tools are still evolving and it's only getting better. Whenever you find false positives or bugs in the app submission process, you can file a bug report on bugzilla. People will notice and act upon it.

Also remember that the Firefox Marketplace is not your only venue for distribution, you can distribute your app on your own site using the Open Web Apps API (http://wiki.mozilla.org/WebAPI). This API works well for hosted apps and even though it is documented for packaged apps as well I am not sure it works for privileged packaged apps yet.

Firefox OS is a great system with lots of potential and Mozilla is more open about its processes than other vendors. I hope you stick around with us and keep developing great apps. I am sure your RSS reader will be approved soon, can't wait to use it (and I like the flat version more than the previous one).


Thanks for the tips, perhaps the email and the IRC channel could be promoted a bit more prominently during the submission process. I was writing on two lists, b2g-dev and web-apps, and I was on IRC in #b2g; sadly no one mentioned the app-reviewers channels.

I am definitely sticking around, just the fact that I can write apps and run them on my own hardware without applying for permission every year is worth more than the money I gave Apple for it. And as others stated, at Mozilla you still can talk to real people through some other channels, so you don't just have to give up.


Indeed you can self-host and use the OWA API to let users install your hosted or packaged application. This will not let you install privileged apps though since they have to be reviewed.


>This will not let you install privileged apps though since they have to be reviewed.

So even Firefox OS is a walled garden? Telcos controlled what can be on your phone, Apple was able to wrestle them and overtake that control - control means money. Google follows suit, forcing their in-app billing etc... Why would Mozilla support that ugly ancient "tradition"?


Safety. If you don't have restrictions, you get something like Windows/OS X. Everyone can install anything they want from any source and that is also what makes Windows/OS X much more vulnerable than Android or iOS. Privileged apps are special applications with more permissions than normal apps, for example they can access the SD card, while normal (web-installed) applications cannot. For more information you could take a look at: https://developer.mozilla.org/en-US/docs/Web/Apps/App_permis...


Title kinda stinks. Seems like they're working out the quirks in their review process. Nothing to see here, really.


This is at once better and worse than it seems. They're not rejecting jQuery as a matter of policy, but their review mechanism seems seriously broken, and isn't even conceptually an improvement on Apple's, except that the nature of Mozilla's organization means you can go outside it to try and get real answers.

At the very least, the immediate first step needs to be an obvious method for dialogue with the app reviewers.


Congrats on sticking with it long enough (and rewriting it) to get it approved.

If it's this hard to get an HTML/JS based app approved, maybe Mozilla should release some kind of supported library or SDK? It's amazing that you had to jump through this many hoops just to get XMLHttpRequest support.


This is a special case, it is a privileged application that is getting more permissions than normal ones. Therefore they don't want you to load code from the internet and run it on people's phones.


So every Firefox app needing jQuery needs to include it in its code base? Doesn't the OS have shared libraries or something? Especially jQuery which, my estimate is, will be used a lot by app developers to interact with the DOM.


I assume it is because the libs are just a couple of KB and it also only is for privileged apps which are not allowed to link to external servers (which then would use the normal cache mechanisms). And because of all the version incompatibility it is just not worth the effort.


The OP title is accurate, that's the title of the post linked to, but it is still misleading since the app was not rejected for using jQuery, you can use jQuery to build Firefox OS apps, you just have to build it a certain way.


Hm you're right, perhaps I should change it to "My Firefox OS app was rejected for using jQuery in a privileged app", I will try to change it.


No, that's still not right, because it wasn't for using jQuery. It was for using versions of jQuery that did unsafe things. You can use versions of builds of jQuery that do eval JavaScript and not get rejected.


If that is so then I didn't get how to compile a version of jQuery that does not do unsafe things, and I even tried the jQuery version which they themselves use in the Marketplace code but it also did unsafe things, at least according to their automatic analyser.


That's sort of a useless distinction to make, in practice. If jQuery isn't usable as-is, then it could very well be said that this problem is at least partially due to using jQuery.

Having to play games with jQuery to strip out or alter some of its functionality just to get it to appease Mozilla really isn't much different than any other bug that might need to be patched to get jQuery to work in a certain situation.


Can you use jQuery with Firefox OS, yes or no? The answer is yes. The Firefox OS devs even provided the author with a version of jQuery that works as-is. Thus the title is misleading. Maybe it should say it is not compatible with jQuery Mobile, which would be less surprising, because it is a giant everything-and-the-kitchen-sink of a library that more closely resembles jQuery UI than jQuery. I've had trouble with jQuery Mobile and Android in the past.


You're reciting how things are supposed to work, not how they are working. The provided jQuery version did not work. I do not believe you carefully read the entire blog post.


I did read it, the provided jQuery did not work with jQuery Mobile, but it does work with Firefox OS.


To quote the post:

"So I grabbed their code and tried checked if it would also produce warnings, and it did, almost as many as mine."

So, no, not so much. I believe you're confusing this with a statement made after it that does relate to jQuery Mobile.


"Appeasing Mozilla" is not the reason that triggers these warnings or errors. Privileged apps have access to more powerful APIs but are also subject to a more stringent CSP (content security policy) to prevent running malicious code that would potentially hurt the user.

If jQuery's build system has options to create a version that is compliant with our CSP, I don't see any reason to be up in arms.


It doesn't, or at least it is not obvious from the documentation how to do it (yet).

As one person on the list mentioned, the warnings should not be the reason for the rejection because they were kind of false positives, the only problematic thing is that they were.

They are still working out the issues I assume, it is a really young platform yet so it kind of could have been expected. I just wish there was a possibility to talk to the reviewer and ask them more questions.


For those who are interested, my app just got approved, you can find it here: https://marketplace.firefox.com/app/feedmonkey/


Misleading title, you can use jQuery! Just follow the advice from the reviewers. They seem to be quite open, responsive and supportive. And reasonable too, if I may say so.


Just to be clear, can we use jQuery Mobile for a Firefox Marketplace app or not?

I am using jQuery Mobile and Backbone.js for my app and planning to port it to Firefox OS. Please clarify.


Why am I seeing "Edit | Destroy" links on your blog?


Ah I made a static copy of the html when I was logged in so it would be faster to load, didn't think about the edit links.


Site is not responding. Anyone want to summarize?


The OP rebuilt his TinyTinyRSS client for Firefox OS using jQuery, which then threw a bunch of warnings (because the app needs elevated permissions to connect to arbitrary servers, it is checked more thoroughly) when he submitted it to the Firefox OS marketplace, causing the app to be rejected.

Afterwards, the OP communicated with the mailing lists and was assured that these warnings are false positives, to be removed soon and hence should be ignored by reviewers, however, the OP managed to rewrite the app using only bare JS and avoiding jQuery before the first version was reviewed again. The second version was then submitted to the marketplace, didn’t throw any warnings and was supposedly much faster, too.

From memory, so there might well be some mistakes there.


Sorry for that, it is almost never that there is so much traffic on the little server I host on and the rails app is not helping.

Here is a link to the markdowned text:

https://gist.github.com/jeena/6337097/raw/aed33410c3376ec3ca...


> the rails app is not helping

Do you have any caching mechanisms?

(Rule #1 for submitting a blog post to a high-traffic site like HN is to first make sure you've got some sort of reasonable caching mechanism turned on.)

Edit: Also, Chrome and curl at least are using 256-bit AES for the TLS connection. This is overkill and can impact performance. Consider altering your configuration to use 128.


Not really, I already had a different blog post on the frontpage here and it went well, so I assumed it is stable enough, which it is not.

Before the next submit I will redo the website as static files, since I removed the comments there is no point in doing things dynamically anyway.


The tl;dr seems to be that Mozilla's static analysis tools have some significant issues, their review team's apparent understanding of policies seems at odds with the understanding of at least some important Mozilla devs, and the review process itself lacks a mechanism for dialogue with the reviewers.

Unfortunate for a platform that's already launched.


Still, he did manage to find a human being to talk to (so it's better than Google, which appears not to employ carbon-based lifeforms) and the human beings had the ability to deal with the issue (so it's better than Apple, which does employ lifeforms but doesn't authorise them to make any decisions).


Firefox Marketplace app review manager here...

At the bottom of every review email, it says you can just reply to the email if you have any questions. And as mentioned elsewhere in this thread, reviewers also hang out in #app-reviewers on irc.mozilla.org. We're really trying to make it as easy as possible to reach a real person!


Oddly enough I never got an email, I just saw my rejection on the website.


Wow I haven't used jQuery Mobile in over a year and it's still slow and terrible as ever? Well at least it wasn't just me.


"My Firefox OS app was rejected for using potentially unsafe code in a privileged app"

You can still develop for Android with cordova instead.
