1242016 - (csp-console-logging) [meta] Improve CSP console logging

Status: NEW

(Core :: DOM: Security, task, P5)

Comment 1

[Frederik Braun [:freddy]]

Taking per bug 1322255 comment 2

Comment 2

[Ed Morley [:emorley]]

I'm not sure which of the dep bugs applies here, so sorry for commenting on the meta bug.

I've just been trying to generate an appropriate CSP header value for treeherder.mozilla.org (bug 1270157), however the LastPass extension triggers unhelpful CSP violation reports (that we've just started collecting) that caused a lot of confusion until I realised they were from an extension.

Chrome marks Web extension violations as having a blocked-uri property of chrome-extension, which makes them much easier to debug.

In comparison, Firefox Nightly reports a blocked-uri of inline with a source-file of the HTML page and a column/line number of 1.

Is this something that's tracked somewhere? (Making blocked-uri clearer that is; the proposal to stop CSP applying to web extensions is separate/longer term)

Comment 3

[Christoph Kerschbaumer [:ckerschb]]

(In reply to Ed Morley [:emorley] from comment #2)

Is this something that's tracked somewhere? (Making blocked-uri clearer that is; the proposal to stop CSP applying to web extensions is separate/longer term)

Sorry for the lag here. As you mentioned correctly, those messages are unhelpful. I agree, we should consider using some sort of 'extension' keyword in the console message so developers have an idea what is happening. I think bug 965637 will be really helpful to sort out those kinds of problems. We are actively working on Bug 965637 and I hope to get that out the door soon. Sorry for not having any better answers than that for now.