Open Bug 1449501 Opened 4 years ago Updated 3 years ago

Making it easier to view CSP policy for a site

Categories

(DevTools :: Netmonitor, enhancement, P3)

enhancement

Tracking

(Not tracked)

People

(Reporter: Honza, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-needed)

Attachments

(1 file)

Developer Toolbar (aka GCLI) is going to be removed from Firefox (Bug 1429421) and we should make sure to preserve related CSP functionality in DevTools Toolbox.

GCLI supports a command that allows to view the CSP policy of a site:
`security csp`

(see the attached screenshot)

This information could be exposed through DevTools Toolbox in the Network panel UI. 

The Network panel Side bar looks like the right place, but it's not clear what side panel should be used.

Some options:

1) Extend the existing Security panel (and make it available even for non https protocol). There could be two collapsible sections, one about the certificate, and one about CSP. 

2) Since SCP is closely related to HTTP headers we might improve the Headers side panel, so it's easier to inspect HTTP CSP headers. This might also complement #1, Bug 1447267 is already going in the right direction.

3) We could also introduce entire new CSP panel.

Honza

---

See also this thread:
Making it easier to view CSP policy for a site
https://mail.mozilla.org/pipermail/firefox-dev/2018-March/006296.html

See also this thread:
Intent to unship Developer Toolbar (aka GCLI)
https://mail.mozilla.org/pipermail/firefox-dev/2018-March/006262.html
Priority: -- → P3
Product: Firefox → DevTools
I don't see a version for this. Is the feature ready to be documented? I don't see anything in Nightly.
Flags: needinfo?(odvarko)
(In reply to Irene Smith from comment #1)
> I don't see a version for this. Is the feature ready to be documented? I
> don't see anything in Nightly.
Not ready yet

But it's ok to use the dev-doc-needed keyword even if the bug report is not yet resolved and closed, correct?

Honza
Flags: needinfo?(odvarko) → needinfo?(ismith)
(In reply to Jan Honza Odvarko [:Honza] (need-info? me) from comment #2)
> (In reply to Irene Smith from comment #1)
> > I don't see a version for this. Is the feature ready to be documented? I
> > don't see anything in Nightly.
> Not ready yet
> 
> But it's ok to use the dev-doc-needed keyword even if the bug report is not
> yet resolved and closed, correct?
> 
> Honza

Sorry, I wasn't ignoring your question. I did not work Friday. I suppose it is, as long as you don't mind silly questions. :)
Flags: needinfo?(ismith)
Can I assume that this is not going to happen for 64? I need to know so I can either postpone it or try to get it done.
Flags: needinfo?(odvarko)
Correct, this just tracks the enhancement.
Severity: normal → enhancement
Flags: needinfo?(odvarko)

I still don't see anything in the 65 UI about CSP. Am I missing something?

Flags: needinfo?(odvarko)

(In reply to Irene Smith from comment #6)

I still don't see anything in the 65 UI about CSP.

Correct, this feature is not implemented yet.
(not even in 66)

Honza

Flags: needinfo?(odvarko)

I was going through old but unfinished issues and I saw this one: MDN/Sprints #859 which asks me to document this change. Can I get an update?

Flags: needinfo?(odvarko)

This feature is still not implemented yet.
Honza

Flags: needinfo?(odvarko)

(In reply to Jan Honza Odvarko [:Honza] (always need-info? me) from comment #9)

This feature is still not implemented yet.
Honza

Thanks for the update!

You need to log in before you can comment on or make changes to this bug.