CSP Violation Detected in Firefox OS validator

Question

I have this message in the firefox os validator :

Erreur: It appears that your code may be performing an action which violates the CSP (content security policy) for privileged apps. You can find more information about what is and is not allowed by the CSP on the Mozilla Developers website. https://developer.mozilla.org/en-US/docs/Security/CSP

www/index.html
16
17
<script type="text/javascript" src="js/select2.js"></script>
<script>

Code index.html :

<!DOCTYPE html> 
<html>
<head>
    <title>Chri App</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link href="js/jquery.css.min.css" rel="stylesheet"/>
    <script src="js/jquery-1.9.1.min.js"></script>
    <script src="js/jquery.mobile-1.3.1.min.js"></script>
            <meta charset='utf-8'> 
        <meta name="format-detection" content="telephone=no" />
                <link rel="stylesheet" type="text/css" href="css/index.css" />
        <meta name="viewport" content="width=device-width, initial-scale=1">  
        <link href="js/select2/select2.css" rel="stylesheet" > 
        <link href="css/web_app.css" rel="stylesheet" > 
        <script src="main.js"></script>
        <script type="text/javascript" src="js/select2/select2.js"></script> 
        <script>

        $(document).bind('pageinit',function(e ){


        $.support.cors = true;
        $.mobile.allowCrossDomainPages= true;
        $.mobile.selectmenu.prototype.options.nativeMenu = false;





            // When the testform is submitted
        $("#search-form-location").select2();
        $("#search-form-category").select2();
            $("#testform").submit(function() {

            $.mobile.loading('show');
.......

is that you have an idea?

Answer 1

If you are writing a privileged (or certified) application, it needs to comply with several requirements, to make it more robust - less vulnerable to different kinds of attacks. One of the restrictions bans inline javascript, that is javascript embeded in <script> tags - you should place these inline scripts into an external .js file, and link them via the src attribute.

Looking at your code, this should be why the validator is complaining (see the jQuery $(document).bind(... block you have there). Putting this block to an external file should solve this.

You can read more about the other CSP requirements and restrictions on MDN: Apps CSP.