Hello

I would be curious to learn more about what exactly will be in the
Security tab vs in the normal console. For example, I would be sad if
the fact that CSP blocked something is not in the dev console, because
otherwise developers would be really confused. Similar for mixed
content warnings. If there is a security tab, it is quite possible
that only the security team keeps an eye on it, and for many security
issues it is better that the developer currently working on the
feature sees the issue and fixes it right there. Not to say that a
security tab won't be useful, but I would be curious what would go
there.

I can buy that the TLS connection parameters can be useful and I think
the reason why I agree is that TLS is a site-wide policy. Unlike CSP
errors, which are often in some corner of a page after a particular set
of actions is performed.

Re CSP information: to be honest, the presence/absence of more
information in CSP isn't really that big an issue for CSP deployment.
When the dev console shows an error, it is usually pretty easy to
pinpoint the problem. The harder part is finding all the places that
could break due to CSP. The reporting functionality is *very*
important for this and reducing report noise (due to extensions and
other things) would be extremely helpful. And if we want removal of
"unsafe-inline", the script-sample stuff would be really useful too.

cheers
Dev
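
The report-noise point above, as an added example that is not part of the original message: a small Python triage for collected CSP violation reports that drops those whose `blocked-uri` or `source-file` points at a browser extension, groups the rest by directive, blocked resource and page path, and keeps one `script-sample` per group. The extension scheme list, the function names and the sample reports are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumed list of extension schemes; extend it for the browsers you see.
NOISE_SCHEMES = {"chrome-extension", "moz-extension",
                 "safari-extension", "ms-browser-extension"}

def is_noise(report):
    """True if the blocked resource or its source file is extension content."""
    for field in ("blocked-uri", "source-file"):
        value = report.get(field) or ""
        # Some browsers report only the scheme ("chrome-extension"), no URL.
        scheme = urlsplit(value).scheme if ":" in value else value
        if scheme.lower() in NOISE_SCHEMES:
            return True
    return False

def triage(raw_reports):
    """Return (counts per violation group, one script-sample per group, dropped)."""
    groups, samples, dropped = Counter(), {}, 0
    for raw in raw_reports:
        report = raw.get("csp-report", {})
        if is_noise(report):
            dropped += 1
            continue
        directive = (report.get("effective-directive")
                     or report.get("violated-directive") or "unknown").split()[0]
        # Assumption: an empty blocked-uri is treated as an inline violation.
        blocked = report.get("blocked-uri") or "inline"
        # Group by path only, so query strings do not split one bug into many.
        page = urlsplit(report.get("document-uri", "")).path or "/"
        key = (directive, blocked, page)
        groups[key] += 1
        if report.get("script-sample"):
            samples.setdefault(key, report["script-sample"])
    return groups, samples, dropped

def _r(**fields):  # helper to build a constructed report body
    return {"csp-report": {k.replace("_", "-"): v for k, v in fields.items()}}

# Constructed sample reports, not real traffic.
SAMPLE_REPORTS = [
    _r(document_uri="https://app.example/settings?tab=2", blocked_uri="",
       violated_directive="script-src 'self'", script_sample="onclick attribute"),
    _r(document_uri="https://app.example/settings?tab=3", blocked_uri="",
       violated_directive="script-src 'self'", script_sample="onclick attribute"),
    _r(document_uri="https://app.example/", blocked_uri="chrome-extension",
       violated_directive="script-src 'self'"),
    _r(document_uri="https://app.example/", blocked_uri="https://cdn.example/x.png",
       violated_directive="img-src 'self'", source_file="moz-extension://1234/c.js"),
    _r(document_uri="https://app.example/help", blocked_uri="http://img.example/a.png",
       violated_directive="img-src 'self'"),
]
```

Calling `triage(SAMPLE_REPORTS)` leaves two groups to fix (the inline handler on `/settings` and the image on `/help`) and reports two dropped extension reports.
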
On 9 December 2014 at 16:27, 'Lucas Garron' via Security-dev