2

I have just started doing research, but I assume that other people might have the same question: Is it possible to read data from different sources for a FirefoxOS application, such as reading from RSS feeds from different domains?

Are you constrained by same-origin policy or is there a way to bypass it?

Dimitrios Mistriotis
  • 2,626
  • 3
  • 28
  • 45

2 Answers2

6

Yes you can! If you create a standard web app, just build a web app like you normally would outside of Firefox OS. If you create a packaged app, include a request for the network-http permission in your web app manifest. This will give you unrestricted HTTP access.

See the manifest spec for more information on permissions:

network-http - Make HTTP requests without any origin restrictions.

https://developer.mozilla.org/en-US/docs/Apps/Manifest

Edit: The permission has since been changed to systemXHR.

mattbasta
  • 13,492
  • 9
  • 47
  • 68
  • So this will allow unrestricted http access everywhere, no granularity/Access control list. Correct? – Dimitrios Mistriotis Oct 27 '12 at 09:00
  • On app install (behavior not yet finilized I think) Firefox OS will ask the user if it want to grant network-http to the app. Once the app is granted this permissions, yes, that app can access any http content. The user can still revoke this permission in the Settings app – Mathieu Oct 29 '12 at 18:44
  • Both answers are excellent, but approach the issue from different angles one from OS specific-perspective the other from web-app (which is also the case since FirefoxOS apps are also web-apps). Accepted answer this, since it is more specific (IMHO) – Dimitrios Mistriotis Oct 30 '12 at 10:07
  • 1
    No, there's no asking the user happening on install. In order to get access to the permission though the application has to be a "privileged app". This means that you have to write it as a packaged app and use CSP and then have the app reviewed by the firefox marketplace. That way the code review that happens will ensure that the app doesn't use the permission for evil. – Jonas Sicking Jan 19 '13 at 01:31
  • 1
    @RobinJ: The permission has since been changed to "systemXHR" – mattbasta Aug 04 '13 at 00:11
5

You can of course read data from external domains in a Firefox OS app just like you would in a website. You could read it with jsonp which is insecure or you could do it with CORS which is more secure. If you adhere to Content Security Policy (CSP) restrictions (this is the most secure) you will only be able to use secure methods like CORS.

There is nothing stopping you from making a Firefox OS app read external data like a website does. However, if you want to create a privileged packaged app then you must adhere to CSP.

(Sorry for the lack of links, Stack Overflow won't let me add more.)

kumar303
  • 674
  • 6
  • 7
  • Maybe SO will not allow you to add more links because of your low reputation, this should have been amended now that I +1 your post. I was aware of the JSONP and CORS methods, but did not know if there was some "privileged" mode that could potentially bypass them (similar to Android permissions or even more granular). – Dimitrios Mistriotis Oct 26 '12 at 16:18