
CSP (Content Security Policy) restrictions

We are trying to use the video player on a KaiOS phone and we are facing some issues due to the restrictions that are imposed by this OS. In fact, a few rules related to the CSP restrictions prevent the video player from being executed in the Firefox browser installed on this device. In particular, R4 and R5 listed below are not respected:

  • [R1] <script> content is not allowed in the HTML page (JavaScript must be in a separate file).
  • [R2] Creating <script> elements dynamically is not allowed.
  • [R3] Using the eval() function is not allowed.
  • [R4] Using the Function() class to build a function from a character string is not allowed.
  • [R5] Using the setTimeout or setInterval function with a character string is not allowed.

Do you have any plans to support these restrictions and this OS?

Thanks 


Hello,


KaiOS is not so popular, so we do not have plans to provide special support for it. Being HTML5 compliant, Firefox should support playback with our player.

Do you have some special CSP headers in your http responses?


The MDN docs say:


The 'unsafe-eval' source expression controls several script execution methods that create code from strings. If 'unsafe-eval' isn't specified with the script-src directive, the following methods are blocked and won't have any effect:


Can you share a test page or at least a full list of the http response headers?



Well, KaiOS is quite new, you are right, but it is growing quite fast. You can refer to this news for example:

https://react-etc.net/entry/kaios-2nd-most-popular-mobile-os-after-android-ios-drop


We will try to provide you with the information you have requested.

Thanks

Some details about the KaiOS restrictions can be found here:

Specific page about KaiOS:

https://developer.mozilla.org/en-US/docs/Archive/B2G_OS/Firefox_OS_apps/Building_apps_for_Firefox_OS/Manifest#csp

This page says the application manifest can have a CSP field, but:

The default policies applied to Firefox OS privileged and internal/certified apps are as follows:

Privileged CSP
default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'
Certified/Internal CSP
default-src *; script-src 'self'; object-src 'none'; style-src 'self'

These defaults can't be overridden, only added to, i.e. the CSP policy in the manifest can only make the actual CSP applied more restrictive in the case of privileged/internal apps.
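As an added illustration (not code from this thread or from the player's vendor), the following JavaScript evaluates the two default policies quoted above against the restrictions R1, R3, R4 and R5 from the first post, by checking the script-src sources (falling back to default-src) for 'unsafe-inline' and 'unsafe-eval'. The combinedRestrictions helper models the MDN statement that a manifest policy can only add to the default; all function and constant names are this example's own assumptions.

```javascript
// Added example (not part of the forum thread): parse a CSP string and report
// which of R1, R3, R4 and R5 from the first post a policy imposes on scripts.
// R2 (no dynamic <script> elements) is a Firefox OS platform rule, not a CSP
// directive, so it is not derived here. Policies are the MDN defaults quoted above.
const PRIVILEGED_CSP =
  "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";
const CERTIFIED_CSP =
  "default-src *; script-src 'self'; object-src 'none'; style-src 'self'";

// Parse "name src src; name src" into a Map of directive -> source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // A repeated directive is ignored after its first occurrence, as in CSP.
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// script-src governs script execution; when absent, CSP falls back to default-src.
function scriptSources(directives) {
  return directives.get('script-src') || directives.get('default-src') || [];
}

// Restrictions one policy imposes: R3, R4 and R5 are all gated by 'unsafe-eval',
// R1 by 'unsafe-inline' (nonces and hashes are not modelled here).
function scriptRestrictions(policy) {
  const sources = scriptSources(parseCsp(policy));
  const evalBlocked = !sources.includes("'unsafe-eval'");
  return {
    R1_inlineScriptBlocked: !sources.includes("'unsafe-inline'"),
    R3_evalBlocked: evalBlocked,
    R4_FunctionCtorBlocked: evalBlocked,
    R5_stringTimerBlocked: evalBlocked,
  };
}

// The platform default and the manifest's csp field are both enforced, so a
// behaviour is blocked if either blocks it: the manifest can only tighten.
function combinedRestrictions(...policies) {
  const results = policies.map(scriptRestrictions);
  return Object.fromEntries(
    Object.keys(results[0]).map((k) => [k, results.some((r) => r[k])]));
}
```

Running scriptRestrictions(PRIVILEGED_CSP) shows R1, R3, R4 and R5 all blocked, which matches the symptom in the first post, and adding a manifest policy containing 'unsafe-eval' leaves them blocked when combined with the default.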

Hello,


Do you try to run the player within a "native" app, or just open a web page?

The above restrictions are more or less related to the native apps.

