On 9/4/15 2:26 AM,
star...@gmail.com wrote:
> Thank you for your reply, a few more questions then.
>
>> Dynamically loading scripts, especially remote ones, will always be
>> flagged by the validator.
>
> When you say "especially remote ones", does it mean that there's some way to dynamically load at least local scripts?
>
> Validator rejects any .createElement('script') regardless of where the src parameter is pointing - neither remote URLs, local URLs nor even static code is accepted.
>
> Interesting that if I try to put a script with a remote src into .insertAdjacentHTML - it will be also rejected, but the message from validator is different: for this case it suggests trying local resource:// URI. And this way it is accepted, but seems useless as the js code added via .insertAdjacentHTML isn't getting evaluated anyway.
All forms of script injection are flagged, since they are all
potentially dangerous. How reviewers respond to those flags depends on
the circumstances. This is why I highlighted remote scripts in this
case, since they are generally not allowed, while local scripts are.
> And... At all, what's the problem with the remote scripts located on the same domain as the site being modified by an add-on? I agree that loading unknown remote code from other domains is dangerous and should be prohibited (but, probably, with some sort of whitelisting for official jquery hosting etc.), but what's wrong with the scripts that are local for current site? I mean those scripts, src of which is relative to site and doesn't contain a domain part.
That's an exception we can make, if it's obvious from the code.
>> In the future, reviewers will be able to
>> choose which flags to ignore in followup versions of the add-on,
>> provided the code around the flag doesn't change. So, a reviewer could
>> accept your add-on and mark it so future versions aren't flagged for
>> that particular issue.
>
> Just in case, this way might only static script URLs be accepted, or will I be able to dynamically build relative to site src-s? Or there's currently no policy for such cases?
The exceptions would be added per validator flag, depending on context.
So, if we're okay with the way you inject scripts, we can add an
exception for that so they don't show up again during validation, unless
the surrounding code changes.
> And, the last one, is there any approximate date when such functionality for validator will go live?
It's all being worked on now, so a few weeks at most.
Jorge