-
Notifications
You must be signed in to change notification settings - Fork 147
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSP: Consider a flag to turn off console logging for Report-Only #508
Comments
This sounds like a great idea! Definitely be interested in seeing something like this land in CSP3. |
Isn't this more of a debug tools issue? For example if browsers implemented a way for developers to hide/filter the messages away from normal console. The direction of all browsers seems to be heading towards having a security tab to see these types of messages for example. Granted these messages can be noisy, confusing and could be improved but hiding them at a CSP level will prevent a developer from using them when he really needs to and remote logs are not indicative of an actual browser session that invariably gets pushed in front of you to fix. |
I'm not sure about others but Chrome already does but that doesn't solve the issue of removing the warnings away from the end user who may have no idea about what a CSP actually is. Perfect example of the confusion it can create 😛
That's a great start but the my aim here is the ability to have the CSP warnings only show for those need to see them (namely developers implementing it). Another nice solution would be to be able to toggle this on and off via an option but leave it unchecked by default. |
Again seems an issue with developer tools too easy to access, this isn't something standards can solve either. For me there seems to be only two rationales to remove the console warnings:
Both don't really feel like use cases which CSP should be looking at. Perhaps a note in the spec advising implementers on when to hide. |
What about allowing a flag as a CSP directive to instruct developer tooling not to show the warnings? Without it, I feel the developer tools would need to do some rough regex checks to implement the hiding functionality (even if it was off by default). |
The use cases I mentioned above were regarding a flag, even then I think a 'global off' flag is a bad idea. The problem is the spec actually doesn't require the user agent to even log to the console (except for unknown or unparsable CSP's). For filtering, in terms of Firefox all errors go through a central method which could be modified to use a different console or adding parameters etc: https://dxr.mozilla.org/mozilla-central/source/dom/security/nsCSPUtils.cpp#81 last time I checked chromium source the errors were similar. |
User interfaces in general is never specified in standards. |
I don't see it as specifying user-interface details, but rather allowing the developer control of where logging goes. Right now the default without a URI is that it's user-agent only and I totally agree that beyond that should be a dev-tools issue. But imagine that console.log was your only way to do server logging (by setting some HTTP header with a logging endpoint), but that you couldn't send a server log without it also showing up in the console. Would be frustrating for developers and confusing for users. There are really two implicit booleans that have control here. clientLogging (always true) and serverLogging (true if URI present). Asking for control of the former, not how client logging is handled/displayed when it's on. |
@millisecond it sounds like your issues are with logging in general which would be an issue for the Console spec. The specific behaviour you are wanting to filter isn't standardised in CSP either so that would need to be ratified before additional behaviour like turning it off with a flag could happen (again I don't see the use case of doing so other than all console errors are an issue).
It isn't as Freddy said you can write a service worker to log all content. Using violation reports to discover what third party scripts are doing without intent of ever blocking isn't really what CSP was designed for.
Users shouldn't be looking at dev tools, that is a bug in the browsers themselves (This is likely what Freddy means by interface). |
I don't see how Console-spec would help as we don't control the source of the logging.
Some sites may use report-only for a day to discover problems and then transition to HTTPS, no big deal. Larger sites may take 12+ months and don't want to "give up" their console for that long. I do get your point that you don't want to specify UI/UA behavior, but it does seem like we're stuck in an odd circular dependency graph. Browsers have semi-standardized on a UI behavior that's undesirable in some situations but can't get any more hints on the situation without a flag in the spec but the spec doesn't specify behavior to begin with. |
I don't see them globally filtering console messages either by CSP however However the usecase you outline is specific for CSP warnings but as Filtering messages on demand doesn't have security implications and as I think you would get more traction opening bugs with browsers to ask for Implementing CSP on big sites is far easier to do in a staging environment On Fri, 4 Mar 2016 19:11 millisecond, [email protected] wrote:
|
I'd love this too. We are seeing a significant amount of our support tickets relate to this. The alert itself is also confusing. While the alert starts with 'report-only' later it mentions 'blocked'. This is confusing visitors. |
Adding my voice to this. It would be great to disable console logging. A bool true or false directive inside the rules. Can we expedite action on this |
As stated in other comments above, the CSP spec does not mandate user agent to log report violations to the console. I don't think that adding control for this in the CSP headers is a meaningful design. I think those kind of controls should be decoupled from the CSP spec. I would find reasonable to allow web developers more control on console logging. A separate header, or meta tag, or a separate javascript API for doing that would make sense to me. Something like |
We are using a CSP-Report-Only header to watch ad network behavior on sites (not something that will ever move to a blocking header) and are really spamming our console with warnings.
Would be great if there was an option to turn off console reporting if the header was a "Report-Only" variant and report-uri was specified.
The text was updated successfully, but these errors were encountered: