Experiment with a "Security Diagnostic" tool

NEW
Unassigned

Status


Firefox
Developer Tools: Graphic Commandline and Toolbar
P3
enhancement
5 years ago
28 days ago

People

(Reporter: paul, Unassigned)

Tracking

Trunk
x86
Mac OS X
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 4 obsolete attachments)

(Reporter)

Comment 1

5 years ago
Created attachment 650050 [details] [diff] [review]
experimental patch - v0.007
(Reporter)

Comment 2

5 years ago
First approach:

How to use:
1) start tracking a page by typing: "security-report-start" in the command line
2) type "security-report-show" to open the report (click on the update button to update the page)
3) "security-report-stop" stops the tracking process

Right now, it only tracks the number of clicks on the page (useless, just for testing purposes).

The interesting parts are:
- browser/devtools/security-report/security-recorder.jsm
Where you build the "tracking" process.
- browser/devtools/security-report/security-renderer.jsm
Where you render the collected data.

Comment 3

5 years ago
Looks like there is a bug in the makefile.  I did an hg pull and update, applied the patch, and tried to build.  I get this error:


make -C security-report export
make[7]: Entering directory `/Users/tvyas/dev/mozilla-central/obj-ff-dbg/browser/devtools/security-report'
Makefile:18: *** missing separator.  Stop.
make[7]: Leaving directory `/Users/tvyas/dev/mozilla-central/obj-ff-dbg/browser/devtools/security-report'
make[6]: *** [export] Error 2
make[6]: Leaving directory `/Users/tvyas/dev/mozilla-central/obj-ff-dbg/browser/devtools'
make[5]: *** [export] Error 2
make[5]: Leaving directory `/Users/tvyas/dev/mozilla-central/obj-ff-dbg/browser'
make[4]: *** [export_tier_app] Error 2
make[4]: Leaving directory `/Users/tvyas/dev/mozilla-central/obj-ff-dbg'
make[3]: *** [tier_app] Error 2
make[3]: Leaving directory `/Users/tvyas/dev/mozilla-central/obj-ff-dbg'
make[2]: *** [default] Error 2
make[2]: Leaving directory `/Users/tvyas/dev/mozilla-central/obj-ff-dbg'
make[1]: *** [realbuild] Error 2
make: *** [build] Error 2
(Reporter)

Comment 4

5 years ago
Created attachment 650818 [details] [diff] [review]
experimental patch - v0.008

fixed build problem
(Reporter)

Updated

5 years ago
Attachment #650050 - Attachment is obsolete: true

Created attachment 668461 [details] [diff] [review]
experimental patch - v0.009?

Un-bitrotted
Attachment #650818 - Attachment is obsolete: true

Created attachment 710666 [details] [diff] [review]
experimental patch - v0.009?

Un-bitrotted for Ameya to work on
Attachment #668461 - Attachment is obsolete: true

Do we have any documentation regarding what kind of security properties we can/want to detect?

Comment 8

5 years ago
(In reply to David Rajchenbach Teller [:Yoric] from comment #7)
> Do we have any documentation regarding what kind of security properties we
> can/want to detect?

https://etherpad.mozilla.org/securityreport

Created attachment 726191 [details] [diff] [review]
experimental patch - v0.009?

Updated to reflect build changes
Attachment #710666 - Attachment is obsolete: true

Comment on attachment 726191 [details] [diff] [review]
experimental patch - v0.009?

Review of attachment 726191 [details] [diff] [review]:
-----------------------------------------------------------------

::: browser/devtools/commandline/CmdSecurityReport.jsm
@@ +17,5 @@
> + * Security Report commands
> + */
> +
> +gcli.addCommand({
> +  name: "security-report-show",

4 things:
- JSM loading is slow, so we should have fewer of them. We've been adding mostly to BuiltinCommands.jsm when there isn't a better owner, but this also goes for reporter/security-recorder/security-renderer.
- We should consider using subcommands. See the 'addon' set of commands in BuiltinCommands.jsm
- I think we need a strategy around reporting commands in general.
  We might need "report security start" or something. We'll need to think about this.
- Perhaps the show should happen automatically with the stop?

@@ +29,5 @@
> +  },
> +});
> +
> +gcli.addCommand({
> +  name: "security-report-start",

Can we not be 'started' at all times? Does this slow things down?

::: browser/devtools/moz.build
@@ +19,5 @@
>      'responsivedesign',
>      'framework',
>      'profiler',
>      'fontinspector',
> +    'security-report',

Could we lose the '-' please?

::: browser/devtools/security-report/security-report.html
@@ +1,5 @@
> +<html xmlns="http://www.w3.org/1999/xhtml">
> +  <head>
> +    <title>Security Report</title>
> +    <link rel="icon" type="image/png" id="favicon" href="chrome://global/skin/icons/warning-16.png" />
> +    <style>
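Review bot: The inline <style> element opened on the last line of this hunk keeps the report's CSS inside security-report.html; loading it from a separate stylesheet via a <link rel="stylesheet"> would let the page be served under a Content-Security-Policy that disallows inline styles, which is a sensible default for a page titled "Security Report". The file also begins directly with <html xmlns="http://www.w3.org/1999/xhtml"> on line 1, with no doctype ahead of it, so consider adding <!DOCTYPE html> as the first line.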

Perhaps we should split this out so it could be themed?

Severity: normal → enhancement
Component: Developer Tools → Developer Tools: Graphic Commandline and Toolbar
Priority: -- → P3