webodf / WebODF

WebODF - JavaScript Document Engine
http://webodf.org/

Wodo.TextEditor does not comply to FirefoxOS Apps CSP (content security policy) #695

Open ghost opened 10 years ago

ghost commented 10 years ago

Hello,

I am the creator of WebOffice Firefox OS. Currently the application works only for reading documents. I want to implement the text editor, but because of the security policies some JavaScript functions are not allowed. Is there any way to make it compatible? These are the restrictions: https://developer.mozilla.org/en-US/Apps/CSP. webodf.js works perfectly; the problem is in the other libraries, such as wodotexteditor.js, among others. I await your prompt response.

Sincerely Regards Keryc Diaz [kerycdiaz@gmail.com]

adityab commented 10 years ago

Hi, which CSP violations do you get when using wodotexteditor.js?

ghost commented 10 years ago

The Function constructor is banned: "You may not use the Function() constructor. Using it will throw a security error."

kossebau commented 10 years ago

Function(...) is getting in due to Dojo, from what my grepping skills showed me (cmp. dojo-amalgamation.js). Nothing we can do about it until we switch to another toolkit for Wodo.TextEditor, which hopefully is free from such things.

@kerycdiaz, a solution for your WebOffice would be to write your custom UI for the toolbar. We designed the editor code such that the actual logic behind the UI elements is abstracted in controllers, more or less. So the actual UI is just wiring up the buttons to the controllers' API, and updating to the controllers' state changes or triggering the controllers' actions. Have a look here: https://github.com/kogmbh/WebODF/blob/master/programs/editor/Tools.js and https://github.com/kogmbh/WebODF/tree/master/programs/editor/widgets

I guess/hope FirefoxOS has some native widget toolkits, so WebOffice would look even more native when using that one instead of the Dojo coming with Wodo.TextEditor. Of course this means you can no longer simply use Wodo.TextEditor. But it just is meant as a beginner editor implementation anyway and should also serve as a coding example to start from.
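
The grep described in the comment above can be made repeatable. The following is an added example, not part of this thread and not WebODF or Dojo code: a heuristic Node.js scan for the constructs that a CSP without `unsafe-eval` rejects (`eval()`, the `Function()` constructor, and string arguments to `setTimeout`/`setInterval`). The function names and the `SAMPLE` input are constructed for illustration, and template and regex literals are not parsed.

```javascript
// Added example: flag constructs that a CSP without 'unsafe-eval' rejects.
// SAMPLE is constructed for illustration; it is not taken from Dojo.

// Blank out comments entirely and the interior of string literals, keeping
// length and newlines, so "eval(" inside a string or comment is not reported
// while the quotes that mark a string argument stay visible.
function blankNonCode(src) {
  const re = /\/\*[\s\S]*?\*\/|\/\/[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'/g;
  return src.replace(re, (m) => {
    const blank = m.replace(/[^\n]/g, ' ');
    return m[0] === '/' ? blank : m[0] + blank.slice(1, -1) + m[0];
  });
}

const RULES = [
  // The lookbehind skips identifiers that merely end in the keyword (isFunction).
  { name: 'eval()', re: /(?<![\w$])eval\s*\(/g },
  { name: 'Function()', re: /(?<![\w$])Function\s*\(/g },
  // Timers are only a problem when the first argument is a string of code.
  { name: 'string timer', re: /\bset(?:Timeout|Interval)\s*\(\s*["']/g },
];

// Return one finding per match: 1-based line, rule name, original source line.
function scanForEval(src) {
  const code = blankNonCode(src);
  const lines = src.split('\n');
  const findings = [];
  for (const { name, re } of RULES) {
    for (const m of code.matchAll(re)) {
      const line = code.slice(0, m.index).split('\n').length;
      findings.push({ line, rule: name, text: lines[line - 1].trim() });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

const SAMPLE = [
  '// eval("in a comment") must not be reported',
  'var msg = "do not call Function() here";',
  'var add = new Function("a", "b", "return a + b");',
  'if (lang.isFunction(cb)) { cb(); }',
  'setTimeout("tick()", 100);',
  'setTimeout(function () { tick(); }, 100);',
  'var data = eval("(" + json + ")");',
].join('\n');

for (const f of scanForEval(SAMPLE)) {
  console.log(`line ${f.line}: ${f.rule}: ${f.text}`);
}
```

To check a real bundle, pass the contents of the file (for example, read with `fs.readFileSync(path, 'utf8')`) to `scanForEval` and review each finding by hand, since the scan is a heuristic.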

peitschie commented 10 years ago

Some relevant dojo bugs:

https://bugs.dojotoolkit.org/ticket/17379

https://bugs.dojotoolkit.org/ticket/15950

And possible discussion:

http://dojo-toolkit.33424.n3.nabble.com/Content-Security-Policy-without-unsafe-eval-Possible-td3996920.html