Closed Bug 639533 Opened 9 years ago Closed 5 years ago

Request for CSP policy-uri or report-uri doesn't show up in Web Console

Categories: Core :: DOM: Core & HTML, defect, P3

Tracking: RESOLVED WORKSFORME

People: Reporter: bsterne, Unassigned

References: Blocks 1 open bug

The request for the policy-uri should show up in Web Console so authors can inspect and debug.

Steps to reproduce:
1. open Web Console
2. load http://people.mozilla.org/~bsterne/content-security-policy/tests/policy-uri-test.cgi
3. observe request for page and script file, but no policy-uri

Hey Dave, is there an easy way we can make this request show up on the Web Console:
http://mxr.mozilla.org/mozilla-central/source/content/base/src/CSPUtils.jsm#381

ddahl, ping.

(In reply to comment #1)
> Hey Dave, is there an easy way we can make this request show up on the Web
> Console:
> http://mxr.mozilla.org/mozilla-central/source/content/base/src/CSPUtils.jsm#381

There must be a way - right now our http listener will just drop this request before logging a page's requests as it cannot identify which document it belongs to.

Here is our httpobserver:
http://mxr.mozilla.org/mozilla-central/source/toolkit/components/console/hudservice/HUDService.jsm?force=1#2147

Here is where we try to id the parent window:

http://mxr.mozilla.org/mozilla-central/source/toolkit/components/console/hudservice/HUDService.jsm?force=1#2168

CCing Jason Duell for advice.

If we have to special case CSP requests, it should be easy to do. I imagine we could add a property to the request like CSP: [OuterWindowID] and sniff for it in our observer.

Summary: Request for CSP policy-uri doesn't show up in Web Console → Request for CSP policy-uri or report-uri doesn't show up in Web Console

Jason, any thoughts on this? This is quite a bad bug for people trying to debug CSP violations, who are forced to use an external HTTP proxy app. This is doubly hard for HTTPS pages, because Nightly doesn't seem to allow us to add exceptions anymore for the MITM SSL cert.

(In reply to comment #3)
> There must be a way - right now our http listener will just drop this
> request before logging a page's requests as it cannot identify which
> document it belongs to.

I looked at your observer code and it's not clear to me what properties you aren't able to find when the request is dropped. Could you explain that a bit more, and maybe I can do a better job of annotating the policy-uri and report-uri requests when I send them out?

(In reply to comment #5)
> This is doubly hard for HTTPS pages, because Nightly doesn't seem to allow
> us to add exceptions anymore for the MITM SSL cert.

Ignore this. My profile was screwed up. You can still add an SSL exception for the proxy cert.

Hey David and Sid,
This bug hasn't been updated in a while and it came up in the devtools work week. Do we have a hook into the report-uri so that we can surface errors and warnings to the webconsole?

I don't know how to add stuff to the web console manually, but here's the code that causes reports to get sent out:

http://mxr.mozilla.org/mozilla-central/source/content/base/src/contentSecurityPolicy.js#257

This bug is about making the requests show up, right, not CSP errors? If it's about putting CSP warnings and errors in the web console, we can add it inside CSPWarn and CSPError in CSPUtils.jsm.

The trick for getting messages into the web console is to change http://mxr.mozilla.org/mozilla-central/source/content/base/src/CSPUtils.jsm#90 to use initWithWindowID (http://mxr.mozilla.org/mozilla-central/source/js/xpconnect/idl/nsIScriptError.idl#112). Granted, that requires obtaining the window ID.

(In reply to Sid Stamm [:geekboy] from comment #9)
> This bug is about making the requests show up, right, not CSP errors?

Yes, you are right, Sid. There might be another bug for CSP errors/warnings. Will look for that, and if it doesn't exist I'll file one.

Priority: -- → P3

With the new CSP backend, we set the load groups for violation reports and they show up not in the messages of the web console but in the network pane of the web console. This seems to work.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME