Open
Bug 1376953
Opened 7 years ago
Updated 8 months ago
Provide a way to limit CSP error spam in the developer console
Categories
(DevTools :: Console, enhancement, P3)
DevTools
Console
Tracking
(firefox57 wontfix)
NEW
Tracking | Status | |
---|---|---|
firefox57 | --- | wontfix |
People
(Reporter: April, Unassigned)
References
(Blocks 2 open bugs)
Details
I have a webextension that injects the following CSP header into webRequest.onHeadersReceived:
> request.responseHeaders.push({
> name: 'Content-Security-Policy',
> value: `object-src 'none'; script-src 'none'`,
> });
For a complex site, this can generate hundreds of console log errors. While most users will never notice this, developers who use tools like Laboratory or NoScript (set to block via CSP) will have tons console log spam that can be very irritating. You can disable the entire Security tab, but then you miss other Security errors unrelated to CSP.
It would be great if we could do one or both of:
a) have a dev tools preference to disable/enable CSP logging, or
b) have a CSP directive (such as `ff-no-console-log`) that can be set in a CSP header that will disable the logging of CSP errors to the console log (but not to reporting endpoints)
Comment 1•7 years ago
|
||
(In reply to April King [:April] from comment #0)
> a) have a dev tools preference to disable/enable CSP logging, or
Brian, is it feasible to add a devtools pref to disable CSP logging and expose that to webextensions, or would that have to be a pref in CSP?
Flags: needinfo?(bgrinstead)
Comment 2•7 years ago
|
||
The error has a 'category' property that's set to CSP so from the frontend we can do custom filtering. But tricky part would be how to surface this to the UI/addon. Some options:
1) Add a button in the UI to hide CSP messages - I don't think there's room in the current filter bar to add a button for each error category though and we've been trying to avoid reintroducing the nested popups on filter buttons
2) Introduce some kind of search syntax in the filter box to remove certain types of messages, such as `-category:csp`. Or `-text:NoScript` if we included the extension that caused the error in the message text - see (4) below.
3) Somehow let a web extension set a pref to hide them - although I'm not sure if webextensions can set arbitrary prefs. And also I think we'd want to make sure it didn't hide CSP errors that didn't originate from the extension - see (4) below.
4) Is there a way to detect that the header came from a web extension? If so maybe we could hide CSP errors from web extensions by default (assuming you could still debug the requests in the netmonitor).
I'd generally lean towards 4 or 2 depending on what's possible from the platform end
Flags: needinfo?(bgrinstead)
Priority: -- → P3
Updated•7 years ago
|
status-firefox57:
--- → wontfix
Updated•6 years ago
|
Product: Firefox → DevTools
Looks like Bug 1525624 might help.
Depends on: 1525624
Blocks: devtools-csp
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•