I’m a die-hard fan of Mozilla Firefox. I always wanted to contribute to Mozilla in one or the other ways. This year only, it happened that I started getting involved in Open Source projects. Good Luck that I was familiar with Git as I used it merely for the purpose of storing my college projects :). Mozilla’s Open Source projects inspired me to contribute this time. Meanwhile, I heard the news of FIREFOX-OS, yeah, FIREFOX-OS(FOS) is a Linux-based open source operating system for smartphones and tablet computers being developed by MOZILLA.
So the journey begins from here. I found an article to get started with developing FIREFOX-OS Applications, apps nothing more than Open web pages, that is HTML5 Apps. Yeah! right, directly reuse the prior knowledge about front-end development to create awesome applications running on firefox OS phones.
Here it is! Beautiful official FIREFOX-OS website.
I follow the procedure to submit an FOS app on firefox marketplace. I use App Validator just to ensure me that my App is too good :). App Validation failed with errors and warnings. Crap! Wait! What’s that? CSP validation errors and warnings. Ah, that’s what Mozilla always focus on, Security.
A primary goal of CSP is to mitigate and report XSS attacks. XSS attacks exploit the browser’s trust of the content received from the server. Malicious scripts are executed by the victim’s browser because the browser trusts the source of the content, even when it’s not coming from where it seems to be coming from.
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.
CSP is designed to be fully backward compatible; browsers that don’t support it still work with servers that implement it, and vice-versa. Browsers that don’t support CSP simply ignore it, functioning as usual, defaulting to the standard same-origin policy for web content. If the site doesn’t offer the CSP header, browsers likewise use the standard same-origin policy.
Here is a list of Default CSP restrictions
eval() is one such Default_CSP_restriction and was also the core of my Calcultor app :)
Include ‘use strict’ in your script files. Strict Mode is a new feature in ECMAScript 5 that allows you to place a program, or a function, in a “strict” operating context. This strict context prevents certain actions from being taken and throws more exceptions.
A nice Reference to it by Mozilla. Strict_mode
Initialized my own load method named init as
Functions like onclick, onmousedown, and so on called within HTML file are restricted. So I suggest using data-type attribute and listening events in the method defined as handleEvent
Note: this.disp.value is containing the arithmetic expression given as an input by the user in the text field.