<div dir="ltr"><div>I guess one good way to preserve the functionality would be to extract the CSP logic from the GCLI command [1], and expose it through a UI in the network monitor's Security tab [2].</div><div><br></div><div>Right now this tab is only shown for sites that are served over HTTPS because it shows information about the certificate. We could change it so it has 2 sections: one about the certificate, and one about CSP.</div><div><br></div><div>[1] /devtools/shared/gcli/commands/security.js</div><div>[2] <a href="https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor#Security">https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor#Security</a><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 28, 2018 at 1:29 AM, Daniel Veditz <span dir="ltr"><<a href="mailto:dveditz@mozilla.com" target="_blank">dveditz@mozilla.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><span class="gmail-">On Tue, Mar 27, 2018 at 8:09 AM, Patrick Brosset <span dir="ltr"><<a href="mailto:pbrosset@mozilla.com" target="_blank">pbrosset@mozilla.com</a>></span> wrote:<br></span><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><span class="gmail-">On Tue, Mar 27, 2018 at 3:35 PM, Ehsan Akhgari <span dir="ltr"><<a href="mailto:ehsan.akhgari@gmail.com" target="_blank">ehsan.akhgari@gmail.com</a>></span> wrote:<br></span><span class="gmail-"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div>Every
now and then I have used the "security csp" command to view the CSP
policy of a site.<br></div></div></div></blockquote><br></span><span class="gmail-">You're right, the network monitor sidebar tab shortens long headers, and that makes it harder to read/copy them.<div>I guess one option is to click on the "raw headers" button above to see them a little more clearly that way.</div></span></div></blockquote><div><br></div><div>A site's effective CSP can be the intersection of multiple CSP headers. In addition the CSP can be specified in a <meta> tag in the document rather than a header. The GCLI view was more accurate as well as more convenient than trying to figure it out from headers. It would be nice if the CSP view could be migrated to somewhere else in devtools, though I'm not sure what would make sense.<br></div></div><div class="gmail_quote"><br></div><div class="gmail_quote">-<div>Dan Veditz</div><br></div></div></div>
</blockquote></div><br></div></div>