False Warning: Inline scripts blocked by default

[erosman]

Example:
https://reviewers.addons.mozilla.org/en-US/firefox/files/browse/812849/file/lib/chrome/background.html#top

Code:

<!DOCTYPE html>
  <html>
    <head><meta charset="utf-8"></head>
    <body>
      <script src="../config.js"></script>
      <script src="chrome.js"></script>
      <script id="common"></script>
    </body>
  </html>

[andymckay]

Isn't this reflecting what Firefox does though? Even though the script is empty it can't be run. Here's the error I get in Firefox when inserting a console.log.

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src moz-extension://3cfb34ac-7f68-4306-b5b3-669662d32c5e”). Source: console.log('in background page');

Is there a value to having an inline script that doesn't do anything?

[erosman]

Is there a value to having an inline script that doesn't do anything?

It can be filled, programmatically.
The Firefox error is another issue.

In this case, I was wondering if the linter warning was appropriate,

[andymckay]

The CSP prevents it from doing anything though.

[erosman]

The CSP prevents it from doing anything though.

For example (not in that addon), developer may want to select a local JS depending on some factors. In that case,

document.getElementById('common').src = 'script1.js';

As long as it is local, there should be no problem AFA CSP is concerned.

Of course, we are talking hypothetically and the discussion is academic. ;)

[andymckay]

That's true. But its a valid warning and will help developers avoid the most common use case of writing something inline. It's only a warning and doesn't block them. I think we should keep it as it is.