
Firefox Marketplace developer here:

The issue wasn't caused by the inclusion of jQuery, it was caused by injection of a script tag that loads Google Maps in one of the files. Linking JS from outside the (privileged) packaged app will cause CSP errors. Unfortunately we didn't properly articulate the nature of the issue, but emails have been sent and bugs have been filed.

You can see Jeena's app on Github:


The bit of CSP-violating code in question, for those interested, has since been removed:


Unfortunately, static analysis is a hard problem to solve (especially in JS) and the messages produced by the validator are quite noisy. We're working to improve that. Combine that with the mystic and unusual nature of the CSP and you've got a recipe for confusion and disappointment.

Again, the app was NOT rejected because it included jQuery. If you're building FXOS apps, please use your favorite JS libraries (as long as they don't violate the CSP!) and keep on hacking!

Edit: I should also note that while the validator DOES report potential CSP issues, they are only warnings. While an app will obviously be rejected for actually violating the CSP (i.e.: the app is broken), it won't be rejected for simply raising warnings. It should also be noted that your app can be rejected for using jQuery if you use it in a way that violates the CSP (e.g.: using JSONP, or parsing HTML that contains remote script tags). There are loads of docs in the Marketplace developer hub and on MDN that talk about this and explain why it's the case.

If anyone has questions or would like to know more, please hit Mozilla or myself up directly: dev-webapps@lists.mozilla.org, @mattbasta, basta@mozilla.com

You're also welcome to check out the source for the validator:


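To make the distinction in the comment above concrete (a packaged library file is fine, a remote script tag or JSONP is not), here is an added example of the kind of pattern-based warning a validator can emit. It is not code from the Marketplace validator or from Jeena's app; the sample snippets are constructed, and the Google Maps URL, the jQuery Mobile filename and the `api.example.com` host are assumptions. It assumes the privileged packaged-app CSP limits `script-src` to `'self'`, so any script loaded from outside the package, including the `<script>` element JSONP injects, is a violation, while JSON fetched with XMLHttpRequest is not.

```javascript
'use strict';

// Added example, not the Marketplace validator's logic. A line-based scanner
// for script loads that a packaged app's CSP (script-src 'self') forbids.

// Identifier bound to document.createElement('script').
const CREATE_SCRIPT = /\b([A-Za-z_$][\w$]*)\s*=\s*document\.createElement\(\s*["']script["']\s*\)/;
// "<name>.src = <expression>" up to the end of the statement.
const SRC_ASSIGN = /\b([A-Za-z_$][\w$]*)\.src\s*=\s*([^;]+)/;
// A literal <script src=...> pointing off-package (document.write, innerHTML, $.html()).
const SCRIPT_TAG = /<script\b[^>]*\bsrc\s*=\s*["']?(?:https?:)?\/\//i;
// jQuery-style JSONP: dataType: 'jsonp' or a callback=? parameter; both inject a remote <script>.
const JSONP = /dataType\s*:\s*["']jsonp["']|[?&]callback=/i;
// A plain single- or double-quoted string with no concatenation.
const STRING_LITERAL = /^(?:'([^'\\]*)'|"([^"\\]*)")$/;
const REMOTE_URL = /^(?:https?:)?\/\//i;

// Scan JS source line by line; returns at most one warning per line.
function findCspWarnings(source) {
  const warnings = [];
  const scriptVars = new Set(); // names known to hold a <script> element
  source.split('\n').forEach((text, i) => {
    const line = i + 1;
    let m;
    if ((m = CREATE_SCRIPT.exec(text))) scriptVars.add(m[1]);
    if (SCRIPT_TAG.test(text)) {
      warnings.push({ line, kind: 'remote-script-tag' });
    } else if (JSONP.test(text)) {
      warnings.push({ line, kind: 'jsonp' });
    } else if ((m = SRC_ASSIGN.exec(text)) && scriptVars.has(m[1])) {
      const lit = STRING_LITERAL.exec(m[2].trim());
      if (!lit) {
        // URL assembled at runtime: cannot be resolved statically, so only warn.
        warnings.push({ line, kind: 'script-src-unverified' });
      } else if (REMOTE_URL.test(lit[1] !== undefined ? lit[1] : lit[2])) {
        warnings.push({ line, kind: 'remote-script-src' });
      }
      // A package-relative literal such as 'js/jquery.js' is allowed by script-src 'self'.
    }
  });
  return warnings;
}

// Constructed samples (not the real files). The first resembles the kind of
// Google Maps loader the comment describes; the URL is an assumption.
const MAPS_INJECTION = [
  "var maps = document.createElement('script');",
  "maps.src = 'http://maps.google.com/maps/api/js?sensor=false';",
  "document.head.appendChild(maps);",
].join('\n');
const JSONP_CALL = "$.getJSON('http://api.example.com/items?callback=?', render);";
const WRITE_TAG = "document.write('<script src=\"https://cdn.example.com/lib.js\"></script>');";
const DYNAMIC_URL = [
  "var s = document.createElement('script');",
  "s.src = 'http://' + host + '/maps/api/js';",
].join('\n');
// Allowed: a library shipped inside the package, and JSON over XMLHttpRequest.
const CLEAN = [
  "var lib = document.createElement('script');",
  "lib.src = 'js/jquery.mobile-1.3.2.min.js';",
  "document.head.appendChild(lib);",
  "var xhr = new XMLHttpRequest();",
  "xhr.open('GET', 'https://api.example.com/items.json');",
  "xhr.onload = function () { render(JSON.parse(xhr.responseText)); };",
  "xhr.send();",
].join('\n');

const SAMPLES = { MAPS_INJECTION, JSONP_CALL, WRITE_TAG, DYNAMIC_URL, CLEAN };
for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(findCspWarnings(src)));
}
```

The `script-src-unverified` case is the source of the noise the comment mentions: a URL built at runtime may well be a package path, but a static scanner cannot tell, so it can only warn and leave the decision to the reviewer.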
Thank you very much for the explanation, I just read it on the mailing list too. I will update my article accordingly.

On http://jquerymobile.com there is a tool which lets you make your own custom jQuery Mobile which has everything you need, and this tool also added this extra file, which I never needed for my app anyway.

Sorry for causing so much confusion.

Is it okay to link directly to the GitHub source? It's a public GitHub repository, sure, but Jeena hasn't taken the initiative to publish the GitHub URL; maybe he doesn't want this to be public yet. He may just not have the money to make the repository private.

It's under the MIT license and in a public github repo - shouldn't that be enough? If you don't want your code public, don't put it in a public repo (if you can't afford a private one, just use git locally) and certainly don't stick an open-source license on it.

Yes, it is obviously OK; I also linked to it from my own article.
