
Processing HTTP Headers by Firebug


Jan Odvarko

May 4, 2009, 10:14:46 AM
One of the proposed new features is to handle some Firebug-related
headers sent from the server (like, e.g., console-log: Print this
message in Firebug Console panel).

Are there any possible related security issues we should be aware of?

Honza

Boris Zbarsky

May 4, 2009, 10:17:56 AM

Obvious things like not treating the messages as HTML or XUL or anything
like that, right?

-Boris

Daniel Veditz

May 4, 2009, 11:17:23 AM
to Jan Odvarko
Jan Odvarko wrote:
> One of the proposed new features is to handle some Firebug-related
> headers sent from the server (like, e.g., console-log: Print this
> message in Firebug Console panel).

How many headers are "like" printing on the console? Seems like you'd
only need one to do that so what do the others do? Spitting out header
text can be done safely (e.g. the Live HTTP Headers addon), I'm more
concerned about what the other headers might be.

-Dan

Jan Odvarko

May 4, 2009, 1:34:31 PM
> Obvious things like not treating the messages as HTML or XUL or anything
> like that, right?

Yes, only plain text.

Honza

Jan Odvarko

May 4, 2009, 1:35:07 PM
The proposal is to have:
console-log: A log message
console-error: An error message

I could also imagine console-info, etc. so, it imitates similar
methods, which are available in Firebug's console (console.log,
console.error, console.info, etc.) This would help Firebug to
distinguish the incoming server-message meaning and use different
visual style (e.g. red color for error messages).

> Spitting out header text can be done safely (e.g. the Live HTTP
> Headers addon), I'm more concerned about what the other headers might be.

So, all these headers should be used just to pass the text from the
server.

Honza
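
Added example, not part of the thread and not Firebug code: one way to treat the proposed console-log / console-error / console-info headers strictly as plain text, as discussed above. The function names, the length cap, the stub-friendly `doc` parameter and the sample headers are assumptions made for illustration.

```javascript
// Added example (not Firebug source). Names, the 2000-char cap and the
// sample headers are assumptions made for illustration.

// Allow-list: header name -> console level. Anything else is ignored.
const LEVELS = new Map([
  ["console-log", "log"],
  ["console-error", "error"],
  ["console-info", "info"],
]);
const MAX_LEN = 2000; // assumed cap so a server cannot flood the panel

// Turn raw [name, value] header pairs into inert {level, text} records.
function extractConsoleMessages(headerPairs) {
  const out = [];
  for (const [name, value] of headerPairs) {
    const level = LEVELS.get(String(name).toLowerCase());
    if (!level) continue; // not one of the proposed headers
    // Replace control characters; the value is data, never markup or script.
    const text = String(value)
      .replace(/[\u0000-\u001f\u007f]/g, " ")
      .slice(0, MAX_LEN);
    out.push({ level, text });
  }
  return out;
}

// Render into a panel node. Assigning textContent creates a text node only,
// so "<b>...</b>" is displayed literally; no innerHTML and no eval().
function renderMessages(doc, panel, messages) {
  for (const { level, text } of messages) {
    const row = doc.createElement("div");
    row.className = "console-" + level; // level comes from the allow-list only
    row.textContent = text;
    panel.appendChild(row);
  }
  return panel;
}

// Constructed sample response headers (not captured from a real server).
const SAMPLE_HEADERS = [
  ["Content-Type", "text/html"],
  ["Console-Log", "cache miss for /index"],
  ["console-error", "<b>db timeout</b>"],
  ["console-other", "ignored: not on the allow-list"],
];
```

The header name selects only a visual style from a fixed set, and the header value never reaches an HTML parser or a script evaluator.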

John J. Barton

May 4, 2009, 11:45:19 PM
Daniel Veditz wrote:
> I'm more
> concerned about what the other headers might be.
>

So what kind of answer would cause you concern? The header is text, so
worst case is? I guess we could even eval() it, functions and all if we
are in the page. It comes from a server of a web page, so we should be
able and limited to doing anything we can do with web content right?

jjb
