<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 28, 2018 at 9:34 AM, Patrick Brosset <span dir="ltr">&lt;<a href="mailto:pbrosset@mozilla.com" target="_blank">pbrosset@mozilla.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>I guess one good way to preserve the functionality would be to extract the CSP logic from the GCLI command [1], and expose it through a UI in the network monitor's Security tab [2].</div></div></blockquote><div><br></div><div>Yeah, I think it's desirable to preserve that functionality to view a CSP. Ultimately I think the code within security.js could use some love, because I think that code hasn't been updated since its introduction. Not sure if some of it is already outdated with regard to CSP. Nevertheless, I definitely support preserving that functionality and putting it in the network monitor's security tab sounds like a good option to me. Since it's only shown for HTTPS pages at the moment, would it be very engineering intensive to also show it for HTTP pages?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>Right now this tab is only shown for sites that are served over HTTPS because it shows information about the certificate. 
We could change it so it has 2 sections: one about the certificate, and one about CSP.</div><div><br></div><div>[1] /devtools/shared/gcli/<wbr>commands/security.js</div><div>[2] <a href="https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor#Security" target="_blank">https://developer.mozilla.org/<wbr>en-US/docs/Tools/Network_<wbr>Monitor#Security</a><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 28, 2018 at 1:29 AM, Daniel Veditz <span dir="ltr">&lt;<a href="mailto:dveditz@mozilla.com" target="_blank">dveditz@mozilla.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><span class="m_-3277725156044285797gmail-">On Tue, Mar 27, 2018 at 8:09 AM, Patrick Brosset <span dir="ltr">&lt;<a href="mailto:pbrosset@mozilla.com" target="_blank">pbrosset@mozilla.com</a>&gt;</span> wrote:<br></span><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><span class="m_-3277725156044285797gmail-">On Tue, Mar 27, 2018 at 3:35 PM, Ehsan Akhgari <span dir="ltr">&lt;<a href="mailto:ehsan.akhgari@gmail.com" target="_blank">ehsan.akhgari@gmail.com</a>&gt;</span> wrote:<br></span><span class="m_-3277725156044285797gmail-"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div>Every
now and then I have used the "security csp" command to view the CSP
policy of a site.<br></div></div></div></blockquote><br></span><span class="m_-3277725156044285797gmail-">You're right, the network monitor sidebar tab shortens long headers, and that makes it harder to read/copy them.<div>I guess one option is to click on the "raw headers" button above to see them a little more clearly that way.</div></span></div></blockquote><div><br></div><div>A site's effective CSP can be the intersection of multiple CSP headers. In addition the CSP can be specified in a &lt;meta&gt; tag in the document rather than a header. The GCLI view was more accurate as well as more convenient than trying to figure it out from headers. It would be nice if the CSP view could be migrated to somewhere else in devtools, though I'm not sure what would make sense.<br></div></div><div class="gmail_quote"><br></div><div class="gmail_quote">-<div>Dan Veditz</div><br></div></div></div>
</blockquote></div><br></div></div>
</blockquote></div><br></div></div>
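<div>The point quoted above, that a site's effective CSP is the intersection of every policy delivered by header or &lt;meta&gt; tag, shown as an added example that is not part of the original thread or of the devtools code: a load must be allowed by each policy separately. The function names and sample policies are constructed, and source matching is simplified to *, 'none', 'self' and exact origins.</div>

```javascript
// Added illustration; not Firefox devtools code. All names are hypothetical.
// Simplified matching: only *, 'none', 'self' and exact origins
// (scheme://host[:port]); no paths, host wildcards, nonces or hashes.

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive inside one policy is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does a single policy allow loading `url` for `directive` (e.g. script-src)?
function policyAllows(policy, directive, url, pageOrigin) {
  const sources = policy.has(directive)
    ? policy.get(directive)
    : policy.get("default-src");
  if (sources === undefined) return true; // policy does not govern this type
  const origin = new URL(url).origin;
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "*") return true;
    if (s === "'self'") return origin === pageOrigin;
    return s === origin;
  });
}

// Effective result: every delivered policy must allow the load.
function effectiveAllows(policyTexts, directive, url, pageOrigin) {
  return policyTexts
    .map(parsePolicy)
    .every((p) => policyAllows(p, directive, url, pageOrigin));
}

// Constructed sample: two headers plus one <meta> policy on the same page.
const PAGE = "https://app.example";
const POLICIES = [
  "default-src 'self'; script-src 'self' https://cdn.example", // header 1
  "script-src https://cdn.example https://stats.example",      // header 2
  "img-src 'self'",                                            // <meta> tag
];
```

<div>With these sample policies, a script from https://stats.example is allowed by header 2 alone but blocked overall, which is the kind of result that is hard to read off individual headers.</div>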