Thank you very much for the explanation, just read it on the mailing list too. I will update my article accordingly.
On http://jquerymobile.com there is a tool which lets you make your own custom jQuery mobile which has everything you need and this tool also added this extra file which I never needed for my app anyway.
Is it okay to link directly to the GitHub source? It's a public GitHub repository, sure; however, jeena hasn't taken the initiative to publish the GitHub URL; maybe he doesn't want this to be public yet. He may just not have the money to make the repository private.
It's under the MIT license and in a public github repo - shouldn't that be enough? If you don't want your code public, don't put it in a public repo (if you can't afford a private one, just use git locally) and certainly don't stick an open-source license on it.
Disclaimer: I am a Mozilla Rep. When you face this kind of issue there are some quick ways that you can reach us for feedback and issue solving:
1) You can write to app-reviewers@mozilla.org
2) You can talk on IRC channel: #app-reviewers on irc.mozilla.org
The IRC is the best option in my opinion because there are always a bunch of people there and it's quicker to talk to a human than to exchange emails.
Some marketplace tools are still evolving and it's only getting better. Whenever you find false positives or bugs in the app submission process, you can file a bug report on Bugzilla. People will notice and act upon it.
Also remember that the Firefox Marketplace is not your only venue for distribution, you can distribute your app on your own site using the Open Web Apps API (http://wiki.mozilla.org/WebAPI). This API works well for hosted apps and even though it is documented for packaged apps as well I am not sure it works for privileged packaged apps yet.
Firefox OS is a great system with lots of potential and Mozilla is more open about its processes than other vendors. I hope you stick around with us and keep developing great apps. I am sure your RSS reader will be approved soon, can't wait to use it (and I like the flat version more than the previous one).
Thanks for the tips, perhaps the email and the IRC channel could be promoted a bit more prominently during the submission process. I was writing on two lists, b2g-dev and web-apps, and I was on IRC in #b2g; sadly no one mentioned the app-reviewers channels.
I am definitely sticking around, just the fact that I can write apps and run them on my own hardware without applying for permission every year is worth more than the money I gave Apple for it. And as others stated, at Mozilla you still can talk to real people through some other channels, so you don't just have to give up.
Indeed you can self-host and use the owa API to let users install your hosted or packaged application. This will not let you install privileged apps though since they have to be reviewed.
>This will not let you install privileged apps though since they have to be reviewed.
So even Firefox OS is a walled garden? Telcos controlled what can be on your phone, Apple was able to wrestle them and overtake that control - control means money. Google follows suit, forcing their in-app billing etc... Why would Mozilla support that ugly ancient "tradition"?
Safety.
If you don't have restrictions, you get something like Windows/OS X. Everyone can install anything they want from any source and that is also what makes Windows/OS X much more vulnerable than Android or iOS.
Privileged apps are special applications with more permissions than normal apps, for example they can access the sd-card, while normal (web-installed) applications cannot. For more information you could take a look at: https://developer.mozilla.org/en-US/docs/Web/Apps/App_permis...
This is at once better and worse than it seems. They're not rejecting jQuery as a matter of policy, but their review mechanism seems seriously broken, and isn't even conceptually an improvement on Apple's, except that the nature of Mozilla's organization means you can go outside it to try and get real answers.
At the very least, the immediate first step needs to be an obvious method for dialogue with the app reviewers.
Congrats on sticking with it long enough (and rewriting it) to get it approved.
If it's this hard to get an HTML/JS based app approved, maybe Mozilla should release some kind of supported library or SDK? It's amazing that you had to jump through this many hoops just to get XMLHTTPRequest support.
This is a special case, it is a privileged application that is getting more permissions than normal ones. Therefore they don't want you to load code from the internet and run it on people's phones.
So every Firefox app needing jQuery needs to include it in its code base? Doesn't the OS have shared libraries or something? Especially jQuery which, my estimate is, will be used a lot by app developers to interact with the DOM.
I assume it is because the libs are just a couple of KB and it also only is for privileged apps which are not allowed to link to external servers (which then would use the normal cache mechanisms). And because of all the version incompatibility it is just not worth the effort.
The OP title is accurate, that's the title of the post linked to, but it is still misleading since the app was not rejected for using jQuery, you can use jQuery to build Firefox OS apps, you just have to build it a certain way.
No, that's still not right, because it wasn't for using jQuery. It was for using versions of jQuery that did unsafe things. You can use versions of builds of jQuery that does eval JavaScript and not get rejected.
If that is so then I didn't get how to compile a version of jQuery that does not do unsafe things, and I even tried the jQuery version which they themselves use in the Marketplace code but it also did unsafe things, at least according to their automatic analyser.
That's sort of a useless distinction to make, in practice. If jQuery isn't usable as-is, then it could very well be said that this problem is at least partially due to using jQuery.
Having to play games with jQuery to strip out or alter some of its functionality just to get it to appease Mozilla really isn't much different than any other bug that might need to be patched to get jQuery to work in a certain situation.
Can you use jQuery with Firefox OS, yes or no? The answer is yes. The Firefox OS devs even provided the author with a version of jQuery that works as-is. Thus the title is misleading. Maybe it should say it is not compatible with jQuery Mobile, which would be less surprising, because it is a giant everything and the kitchen sink of a library that more closely resembles jQuery UI than jQuery. I've had trouble with jQuery Mobile and Android in the past.
You're reciting how things are supposed to work, not how they are working. The provided jQuery version did not work. I do not believe you carefully read the entire blog post.
"Appeasing Mozilla" is not the reason that triggers these warnings or errors. Privileged apps have access to more powerful APIs but are also subject to a more stringent CSP (content security policy) to prevent running malicious code that would potentially hurt the user.
If jQuery's build system has options to create a version that is compliant with our CSP, I don't see any reason to be up in arms.
It doesn't, or at least it is not obvious from the documentation how to do it (yet).
As the one person on the list mentioned, the warnings should not be the reason for the rejection because they were kind of false positives, the only problematic thing is that they were.
They are still working out the issues I assume, it is a really young platform yet so it kind of could have been expected. I just wish there was a possibility to talk to the reviewer and ask them more questions.
Misleading title, you can use jQuery! Just follow the advice from the reviewers. They seem to be quite open, responsive and supportive. And reasonable too, if I may say so.
The OP rebuilt his TinyTinyRSS client for Firefox OS using jQuery, which then threw a bunch of warnings (because the app needs elevated permissions to connect to arbitrary servers, it is checked more thoroughly) when he submitted it to the Firefox OS marketplace, causing the app to be rejected.
Afterwards, the OP communicated with the mailing lists and was assured that these warnings are false positives, to be removed soon and hence should be ignored by reviewers, however, the OP managed to rewrite the app using only bare JS and avoiding jQuery before the first version was reviewed again. The second version was then submitted to the marketplace, didn’t throw any warnings and was supposedly much faster, too.
From memory, so there might well be some mistakes there.
(Rule #1 for submitting a blog post to a high-traffic site like HN is to first make sure you've got some sort of reasonable caching mechanism turned on.)
Edit: Also, Chrome and curl at least are using 256-bit AES for the TLS connection. This is overkill and can impact performance. Consider altering your configuration to use 128.
The tl;dr seems to be that Mozilla's static analysis tools have some significant issues, their review team's apparent understanding of policies seems at odds with the understanding of at least some important Mozilla devs, and the review process itself lacks a mechanism for dialogue with the reviewers.
Unfortunate for a platform that's already launched.
Still, he did manage to find a human being to talk to (so it's better than Google, which appears not to employ carbon-based lifeforms) and the human beings had the ability to deal with the issue (so it's better than Apple, which does employ lifeforms but doesn't authorise them to make any decisions).
At the bottom of every review email, it says you can just reply to the email if you have any questions. And as mentioned elsewhere in this thread, reviewers also hang out in #app-reviewers on irc.mozilla.org. We're really trying to make it as easy as possible to reach a real person!
The issue wasn't caused by the inclusion of jQuery, it was caused by injection of a script tag that loads Google Maps in one of the files. Linking JS from outside the (privileged) packaged app will cause CSP errors. Unfortunately we didn't properly articulate the nature of the issue, but emails have been sent and bugs have been filed.
You can see Jeena's app on Github:
https://github.com/jeena/FeedMonkey
The bit of CSP-violating code in question, for those interested, has since been removed:
https://github.com/jeena/FeedMonkey/commit/f262509adbdcf5d06...
Unfortunately, static analysis is a hard problem to solve (especially in JS) and the messages produced by the validator are quite noisy. We're working to improve that. Combine that with the mystic and unusual nature of the CSP and you've got a recipe for confusion and disappointment.
Again, the app was NOT rejected because it included jQuery. If you're building FXOS apps, please use your favorite JS libraries (as long as they don't violate the CSP!) and keep on hacking!
Edit: I should also note that while the validator DOES report potential CSP issues, they are only warnings. While an app will obviously be rejected for actually violating the CSP (i.e.: the app is broken), it won't be rejected for simply raising warnings. It should also be noted that your app can be rejected for using jQuery if you use it in a way that violates the CSP (e.g.: using JSONP, or parsing HTML that contains remote script tags). There are loads of docs in the Marketplace developer hub and on MDN that talk about this and explain why it's the case.
If anyone has questions or would like to know more, please hit Mozilla or myself up directly: dev-webapps@lists.mozilla.org, @mattbasta, basta@mozilla.com
You're also welcome to check out the source for the validator:
https://github.com/mozilla/app-validator
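The patterns named in the comment above (a script tag injected at runtime, JSONP, markup strings carrying remote script tags) can be checked for in your own package before submission. The following is an added example, not part of the thread and not the app-validator's code; it is a simplified line-based heuristic, the rule names are hypothetical, and the sample input is constructed. Like the validator's warnings, a hit only means "look at this line", not "this violates the CSP".

```javascript
// Added example: simplified heuristic scan, not the app-validator's logic.
// Rule ids are hypothetical names chosen for this illustration.
const RULES = [
  { id: 'dynamic-script-element',
    re: /createElement\(\s*['"]script['"]\s*\)/i,
    why: 'script element created at runtime; check where its src points' },
  { id: 'remote-script-in-markup',
    re: /<script\b[^>]*\bsrc\s*=\s*\\?['"]?(?:https?:)?\/\//i,
    why: 'markup string references a script outside the package' },
  { id: 'jsonp',
    re: /dataType\s*:\s*['"]jsonp['"]|[?&]callback=\?/i,
    why: 'JSONP loads the response as a remote script' },
  { id: 'jquery-getscript',
    re: /\$\.getScript\s*\(/,
    why: '$.getScript fetches and executes a script by URL' },
];

// Returns one finding per (line, rule) match; full-line comments are skipped.
function scanForCspRisks(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    const code = text.replace(/^\s*\/\/.*$/, '');
    for (const rule of RULES) {
      if (rule.re.test(code)) {
        findings.push({ line: i + 1, rule: rule.id, why: rule.why });
      }
    }
  });
  return findings;
}

// Constructed sample input (not taken from FeedMonkey).
const SAMPLE = [
  "var s = document.createElement('script');",
  "s.src = 'https://maps.example.invalid/api.js';",
  "document.head.appendChild(s);",
  "// $.getScript('ignored.js') in a comment",
  "$.ajax({ url: feedUrl, dataType: 'jsonp' });",
  "el.innerHTML = '<script src=\"//cdn.example.invalid/x.js\"></script>';",
  "var local = '<script src=\"js/app.js\"></script>';",
].join('\n');

for (const f of scanForCspRisks(SAMPLE)) {
  console.log(`line ${f.line}: [${f.rule}] ${f.why}`);
}
```

The packaged-local script reference on the last sample line is not flagged, while the runtime-created script element is flagged even though the scan cannot tell where its `src` ends up, which is the kind of noise the comment describes.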