Closed
Bug 639533
Opened 13 years ago
Closed 10 years ago
Request for CSP policy-uri or report-uri doesn't show up in Web Console
Categories
(Core :: DOM: Core & HTML, defect, P3)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: bsterne, Unassigned)
References
(Blocks 1 open bug, )
Details
The request for the policy-uri should show up in Web Console so authors can inspect and debug. Steps to reproduce: 1. open Web Console 2. load http://people.mozilla.org/~bsterne/content-security-policy/tests/policy-uri-test.cgi 3. observe request for page and script file, but no policy-uri
|
Reporter | |
Comment 1•13 years ago
|
||
Hey Dave, is there an easy way we can make this request show up on the Web Console: http://mxr.mozilla.org/mozilla-central/source/content/base/src/CSPUtils.jsm#381
|
|
Reporter | |
Comment 2•13 years ago
|
||
ddahl, ping.
|
||
Comment 3•13 years ago
|
||
(In reply to comment #1) > Hey Dave, is there an easy way we can make this request show up on the Web > Console: > http://mxr.mozilla.org/mozilla-central/source/content/base/src/CSPUtils.jsm#381 There must be a way - right now our http listener will just drop this request before logging a page's requests as it cannot identify which document it belongs to. Here is our httpobserver: http://mxr.mozilla.org/mozilla-central/source/toolkit/components/console/hudservice/HUDService.jsm?force=1#2147 here is where we try to id the parent window: http://mxr.mozilla.org/mozilla-central/source/toolkit/components/console/hudservice/HUDService.jsm?force=1#2168 Ccing Jason Duell for advice
|
|
||
Comment 4•13 years ago
|
||
If we have to special case CSP requests, it should be easy to do. I imagine we could add a property to the request like CSP: [OuterWindowID] and sniff for it in our observer.
|
|
Reporter | |
Updated•13 years ago
|
Summary: Request for CSP policy-uri doesn't show up in Web Console → Request for CSP policy-uri or report-uri doesn't show up in Web Console
|
|
Reporter | |
Comment 5•13 years ago
|
||
Jason, any thoughts on this? This is quite a bad bug for people trying to debug CSP violations, who are forced to use an external HTTP proxy app. This is doubly hard for HTTPS pages, because Nightly doesn't seem to allow us to add exceptions anymore for the MITM SSL cert.
|
|
Reporter | |
Comment 6•13 years ago
|
||
(In reply to comment #3) > There must be a way - right now our http listener will just drop this > request before logging a page's requests as it cannot identify which > document it belongs to. I looked at your observer code and it's not clear to me what properties you aren't able to find when the request is dropped. Could you explain that a bit more, and maybe I can do a better job of annotating the policy-uri and report-uri requests when I send them out?
|
|
Reporter | |
Comment 7•13 years ago
|
||
(In reply to comment #5) > This is doubly hard for HTTPS pages, because Nightly doesn't seem to allow > us to add exceptions anymore for the MITM SSL cert. Ignore this. My profile was screwed up. You can still add an SSL exception for the proxy cert.
|
||
Comment 8•12 years ago
|
||
Hey David and Sid, This bug hasn't been updated in a while and it came up in the devtools work week. Do we have a hook into the report-uri so that we can surface errors and warnings to the webconsole?
|
||
Comment 9•12 years ago
|
||
I don't know how to add stuff to the web console manually, but here's the code that causes reports to get sent out: http://mxr.mozilla.org/mozilla-central/source/content/base/src/contentSecurityPolicy.js#257 This bug is about making the requests show up, right, not CSP errors? If it's about putting CSP warnings and errors in the web console, we can add it inside CSPWarn and CSPError in CSPUtils.jsm.
|
||
Comment 10•12 years ago
|
||
The trick for getting messages into the web console is to change http://mxr.mozilla.org/mozilla-central/source/content/base/src/CSPUtils.jsm#90 to use initWithWindowID (http://mxr.mozilla.org/mozilla-central/source/js/xpconnect/idl/nsIScriptError.idl#112). Granted, that requires obtaining the window ID.
|
|
||
Comment 11•12 years ago
|
||
(In reply to Sid Stamm [:geekboy] from comment #9) > This bug is about making the requests show up, right, not CSP errors? Yes you are right Sid. There might be another but for CSP errors/warnings. Will look for that, and if it doesn't exist I'll file one.
|
|
||
Updated•11 years ago
|
Priority: -- → P3
|
|
||
Comment 12•10 years ago
|
||
With the new CSP backend, we set the load groups for violation reports and they show up not in the messages of the web console but in the network pane of the web console. This seems to work.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•