[meta] Improve CSP console logging
Categories
(Core :: DOM: Security, task, P5)
People
(Reporter: ckerschb, Unassigned)
References
(Depends on 7 open bugs, Blocks 1 open bug)
Details
(Keywords: meta, Whiteboard: [domsecurity-meta])
No description provided.
Comment 2•5 years ago
I'm not sure which of the dep bugs applies here, so sorry for commenting on the meta bug.
I've just been trying to generate an appropriate CSP header value for treeherder.mozilla.org (bug 1270157), however the LastPass extension triggers unhelpful CSP violation reports (that we've just started collecting) that caused a lot of confusion until I realised they were from an extension.
Chrome marks Web extension violations as having a blocked-uri property of chrome-extension, which makes them much easier to debug.
In comparison, Firefox Nightly reports a blocked-uri of inline with a source-file of the HTML page and a column/line number of 1.
Is this something that's tracked somewhere? (Making blocked-uri clearer that is; the proposal to stop CSP applying to web extensions is separate/longer term)
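One way to triage collected reports along the lines comment 2 describes, as an added example that is not part of the bug thread or of Mozilla's code. The function names, labels and sample reports are assumptions constructed for illustration; the report keys are the standard `csp-report` fields.

```python
import json
from collections import Counter
from urllib.parse import urldefrag

# chrome-extension is the value named in the comment; the other two are
# further browser extension schemes, added here as an assumption.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-web-extension"}

def classify_report(raw):
    """Label one CSP report body: 'extension', 'ambiguous-inline' or 'page'."""
    report = json.loads(raw).get("csp-report", {})
    blocked = str(report.get("blocked-uri", ""))
    source = str(report.get("source-file", ""))
    # Chrome-style: the extension scheme shows up directly in the report.
    for value in (blocked, source):
        if value.split(":", 1)[0].lower() in EXTENSION_SCHEMES:
            return "extension"
    # Firefox-style, as described in the comment: 'inline', attributed to the
    # page itself at line/column 1. A real inline script on line 1 looks the
    # same, so this is flagged for review rather than discarded.
    same_page = bool(source) and (
        urldefrag(source).url == urldefrag(str(report.get("document-uri", ""))).url)
    if (blocked == "inline" and same_page and report.get("line-number") == 1
            and report.get("column-number") in (1, None)):
        return "ambiguous-inline"
    return "page"

def triage(raw_reports):
    """Count reports per label so extension noise is visible at a glance."""
    return dict(Counter(classify_report(r) for r in raw_reports))

def _report(**fields):
    # Constructed sample data, not real reports.
    base = {"document-uri": "https://app.example.test/", "violated-directive": "script-src"}
    return json.dumps({"csp-report": {**base, **fields}})

SAMPLES = [
    _report(**{"blocked-uri": "chrome-extension", "source-file": "chrome-extension"}),
    _report(**{"blocked-uri": "inline", "source-file": "https://app.example.test/",
               "line-number": 1, "column-number": 1}),
    _report(**{"blocked-uri": "inline", "source-file": "https://app.example.test/",
               "line-number": 48, "column-number": 5}),
    _report(**{"blocked-uri": "https://cdn.example.test/lib.js"}),
]

if __name__ == "__main__":
    print(triage(SAMPLES))
```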
Comment 3•5 years ago (Reporter)
(In reply to Ed Morley [:emorley] from comment #2)
> Is this something that's tracked somewhere? (Making blocked-uri clearer that is; the proposal to stop CSP applying to web extensions is separate/longer term)
Sorry for the lag here. As you mentioned correctly, those messages are unhelpful. I agree, we should consider using some sort of 'extension' keyword in the console message so developers have an idea what is happening. I think bug 965637 will be really helpful to sort out those kinds of problems. We are actively working on Bug 965637 and I hope to get that out the door soon. Sorry for not having any better answers than that for now.