1416967 - Support payment request development over file: with CSP and a debugging console

Status: RESOLVED FIXED

(Firefox :: WebPayments UI, enhancement, P1)

Description

[Matthew N. [:MattN]]

* Switch to relative URLs for the unprivileged dialog content so that development can be done on a local server or over file://…
* Add a default CSP rule as defense-in-depth against XSS
* Add a debugging console to make it easier to refresh dialog contents when loaded in the browser chrome. This will also be useful to dump/manipulate the dialog state more easily like in https://reviewboard.mozilla.org/r/196014/diff/4#file5723916

Comment 1

[Matthew N. [:MattN]]

Attachment: Bug 1416967 - Support payment request development over file: with CSP and a debugging console.

Review commit: https://reviewboard.mozilla.org/r/199294/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/199294/

Comment 2

[Jared Wein [:jaws] (please needinfo? me)]

Comment on attachment 8928062 [details]
Bug 1416967 - Support payment request development over file: with CSP and a debugging console.

https://reviewboard.mozilla.org/r/199294/#review205098

::: toolkit/components/payments/.eslintrc.js:1
(Diff revision 1)
>  "use strict";
>  
>  module.exports = {
>    rules: {

This should just be using /tools/lint/eslint/eslint-plugin-mozilla/lib/configs/recommended.js instead of defining its own .eslintrc.js.

::: toolkit/components/payments/docs/index.rst:17
(Diff revision 1)
>  Debugging
>  =========
>  
>  Set the pref ``dom.payments.loglevel`` to "Debug".
>  
> -To open a debugger in the context of the remote payment frame, run the following while the dialog is the most recent window:
> +To open a debugger in the context of the remote payment frame, run the following while the dialog is the most recent window::

This extra colon doesn't seem necessary.

::: toolkit/components/payments/res/paymentRequest.css:9
(Diff revision 1)
>  
>  html {
>    background: -moz-dialog;
>  }
>  
> +#debugging-console {

We ought to have something on file to make sure we clean up the debugging bits before this ships.

Comment 3

[Matthew N. [:MattN]]

Comment on attachment 8928062 [details]
Bug 1416967 - Support payment request development over file: with CSP and a debugging console.

https://reviewboard.mozilla.org/r/199294/#review205098

> This should just be using /tools/lint/eslint/eslint-plugin-mozilla/lib/configs/recommended.js instead of defining its own .eslintrc.js.

Sure, but that's an existing issue so I'll file a follow-up for that. It's not as easy as just deleting everything since it should be the recommended rules plus some stricter things that aren't yet in recommended but our team already follows.

> This extra colon doesn't seem necessary.

Are you sure? I added it to get proper block formatting for rst

http://docutils.sourceforge.net/docs/ref/rst/restructuredtext.html#literal-blocks

> We ought to have something on file to make sure we clean up the debugging bits before this ships.

I'm not sure it's that bad for it to ship, possibly even good… it will be very useful for bug reports with the features that I plan to add and can be seen in attachment 8924777 [details].

Comment 4

[Matthew N. [:MattN]]

Comment on attachment 8928062 [details]
Bug 1416967 - Support payment request development over file: with CSP and a debugging console.

https://reviewboard.mozilla.org/r/199294/#review205098

> Sure, but that's an existing issue so I'll file a follow-up for that. It's not as easy as just deleting everything since it should be the recommended rules plus some stricter things that aren't yet in recommended but our team already follows.

Filed bug 1417698

Comment 5

[Pulsebot]

Pushed by mozilla@noorenberghe.ca:
https://hg.mozilla.org/integration/autoland/rev/882aabb22057
Support payment request development over file: with CSP and a debugging console. r=jaws

Comment 6

[Raul Gurzau (:RaulG)]

https://hg.mozilla.org/mozilla-central/rev/882aabb22057