Prefix and Unify Dom:Security console warning




4 years ago
3 years ago


(Reporter: ckerschb, Unassigned)


Firefox Tracking Flags

(Not tracked)


(Whiteboard: [domsecurity-backlog2])


(1 attachment)

Created attachment 8594880 [details]

For CSP, CORS and other security warnings displayed in the console we usually prefix them with the name of the security feature (see attached screenshot when browsing
Would be great if we also do that for Tracking Protection.
Francois, what do you think - sounds good?
Flags: needinfo?(francois)
Sounds good to me.
Blocks: 1029886
Flags: needinfo?(francois)


4 years ago
Assignee: nobody → sengel


4 years ago
Assignee: sengel → nobody


4 years ago
Assignee: nobody → senglehardt
Here's a pointer to where the console warning gets logged:

You will have to do a little more digging to see what "TrackingUriBlocked" maps to and how to get a prefix in.
Taking a second look at this, the way CSP does prefixing is this:

It appends to the message string that is later passed to console->LogMessage.  That makes sense for CSP that has many different error messages that don't mention CSP specifically:

But Tracking Protection just has one warning that says "tracking protection" in it.  So I'm not sure if this prefix is necessary or redundant:

Same question for Mixed Content Blocker - should we prepend messages with "Mixed Content Blocker"?
Prepending the category does make it easy to scan down the console output and see what each message relates to, even if there is only a single message possible as there is with Tracking Protection.

As an alternative to doing this for each category separately, we could prepend the category sent with the message prior to output. (See: But these categories are less descriptive than the current ones (e.g. CSP instead of Content Security Policy).

I think it makes sense to just do the updates individually for tracking protection and mixed content -- thoughts?
Looking at the insecure password warning, we have the same problem where there is no prefix (test page

So maybe the best fix is to: 
1) Update the category names (ex: change CSP to Content Security Policy)
2) Prefix the strings for all CATEGORY_SECURITY bugs with their category name
3) Remove the custom prefixing CSP:
Assignee: englehardt+bugzilla → nobody


3 years ago
Component: DOM: Security → Safe Browsing
Product: Core → Toolkit
Priority: -- → P5
If we go with Tanvi's suggestion from comment 6, then I guess we should retitle the bug and move it back to DOM::Security since it would apply to CSP, CORS, mixed content and TP?
Flags: needinfo?(ckerschb)
Yeah, let's re-classify to Dom:Security. In fact it would be awesome if we unify our Console Warnings to use the same style of Prefix and warning style throughout the codebase.
Component: Safe Browsing → DOM: Security
Flags: needinfo?(ckerschb)
Priority: P5 → P2
Product: Toolkit → Core
Summary: Prefix tracking protection console message with "Tracking Protection:" → Prefix and Unify Dom:Security console warning
Whiteboard: [domsecurity-backlog]


3 years ago
Priority: P2 → P3
Whiteboard: [domsecurity-backlog] → [domsecurity-backlog2]
You need to log in before you can comment on or make changes to this bug.