Bug 1525624 - Group CSP warning messages in the console. r=nchevobbe

Differential Revision: https://phabricator.services.mozilla.com/D163828
2023-01-10 09:23:47 +00:00 · 2023-01-10 09:23:47 +00:00 · e5559d744a
--- a/devtools/client/locales/en-US/webconsole.properties
+++ b/devtools/client/locales/en-US/webconsole.properties
@ -555,3 +555,6 @@ webconsole.input.selector.tooltip=Select evaluation context
 webconsole.group.cookieSameSiteLaxByDefaultEnabled2=Some cookies are misusing the “SameSite“ attribute, so it won’t work as expected
 # LOCALIZATION NOTE (webconsole.group.cookieSameSiteLaxByDefaultDisabled2): do not translate 'SameSite'.
 webconsole.group.cookieSameSiteLaxByDefaultDisabled2=Some cookies are misusing the recommended “SameSite“ attribute
+
+# LOCALIZATION NOTE (webconsole.group.csp): Do not translate "Content Security Policy".
+webconsole.group.csp=Content Security Policy warnings
--- a/devtools/client/webconsole/test/browser/_webconsole.ini
+++ b/devtools/client/webconsole/test/browser/_webconsole.ini
@ -160,6 +160,8 @@ support-files =
  test-trackingprotection-securityerrors.html
  test-trackingprotection-securityerrors-thirdpartyonly.html
  test-warning-groups.html
+  test-warning-group-csp.html
+  test-warning-group-csp.html^headers^
  test-websocket.html
  test-websocket.js
  test-worker-promise-error.html
@ -431,6 +433,7 @@ tags = trackingprotection
 [browser_webconsole_warning_group_storage_isolation.js]
 skip-if = true # Bug 1765369
 [browser_webconsole_warning_group_cookies.js]
+[browser_webconsole_warning_group_csp.js]
 [browser_webconsole_warning_groups_filtering.js]
 [browser_webconsole_warning_group_multiples.js]
 [browser_webconsole_warning_groups_outside_console_group.js]
--- a/devtools/client/webconsole/test/browser/browser_webconsole_warning_group_csp.js
+++ b/devtools/client/webconsole/test/browser/browser_webconsole_warning_group_csp.js
@ -0,0 +1,29 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+// Load a page that generates multiple CSP parser warnings.
+
+"use strict";
+
+const TEST_FILE =
+  "browser/devtools/client/webconsole/test/browser/test-warning-group-csp.html";
+
+add_task(async function testCSPGroup() {
+  const GROUP_LABEL = "Content Security Policy warnings";
+
+  const hud = await openNewTabAndConsole("https://example.org/" + TEST_FILE);
+
+  info("Checking for warning group");
+  await checkConsoleOutputForWarningGroup(hud, [`▶︎⚠ ${GROUP_LABEL} 4`]);
+
+  info("Expand the warning group");
+  const node = findWarningMessage(hud, GROUP_LABEL);
+  node.querySelector(".arrow").click();
+  await checkConsoleOutputForWarningGroup(hud, [
+    `▼︎⚠ ${GROUP_LABEL} 4`,
+    `| Ignoring “http:” within script-src: ‘strict-dynamic’ specified`,
+    `| Ignoring “https:” within script-src: ‘strict-dynamic’ specified`,
+    `| Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified`,
+    `| Keyword ‘strict-dynamic’ within “script-src” with no valid nonce or hash might block all scripts from loading`,
+  ]);
+});
--- a/devtools/client/webconsole/test/browser/test-warning-group-csp.html
+++ b/devtools/client/webconsole/test/browser/test-warning-group-csp.html
@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>CSP warning group</title>
+</head>
+<body>
+<h1>Look at the Content-Security-Policy header</h1>
+<pre>Content-Security-Policy: script-src 'strict-dynamic' http: https: 'unsafe-inline';</pre>
+</body>
+</html>
--- a/devtools/client/webconsole/test/browser/test-warning-group-csp.html^headers^
+++ b/devtools/client/webconsole/test/browser/test-warning-group-csp.html^headers^
@ -0,0 +1 @@
+Content-Security-Policy: script-src 'strict-dynamic' http: https: 'unsafe-inline';
--- a/devtools/client/webconsole/utils/messages.js
+++ b/devtools/client/webconsole/utils/messages.js
@ -654,6 +654,10 @@ function getWarningGroupLabel(firstMessage) {
    return l10n.getStr("webconsole.group.cookieSameSiteLaxByDefaultDisabled2");
  }

+  if (isCSPMessage(firstMessage)) {
+    return l10n.getStr("webconsole.group.csp");
+  }
+
  return "";
 }

@ -733,6 +737,10 @@ function getWarningGroupType(message) {
    return MESSAGE_TYPE.COOKIE_SAMESITE_GROUP;
  }

+  if (isCSPMessage(message)) {
+    return MESSAGE_TYPE.CSP_GROUP;
+  }
+
  return null;
 }

@ -813,6 +821,16 @@ function isCookieSameSiteMessage(message) {
  return category == "cookieSameSite";
 }

+/**
+ * Returns true if the message is a Content Security Policy (CSP) message.
+ * @param {ConsoleMessage} message
+ * @returns {Boolean}
+ */
+function isCSPMessage(message) {
+  const { category } = message;
+  return typeof category == "string" && category.startsWith("CSP_");
+}
+
 function getDescriptorValue(descriptor) {
  if (!descriptor) {
    return descriptor;
				`@ -0,0 +1 @@`
				`Content-Security-Policy: script-src 'strict-dynamic' http: https: 'unsafe-inline';`