SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-06-10

From MozillaWiki

This Week

Monday, 10 June

In the security report tool it is important to capture error messages from the Error Console (now known as the Browser Console).

  • How to capture messages in the Error Console?
    • Observe the "console-api-log-event" notification topic (the Console API).
      • This notification does not fire for Jetpack's console.log method, because Jetpack's console.log is not the same as the Web Console's. It fires when console.log is called through the Web Console's console object (page content).
    • Register a listener on "nsIConsoleService"
      • It captures messages from the console.log method of a Jetpack extension.
      • It also captures all error messages that are logged to the Error Console (a.k.a. Browser Console).

Tuesday, 11 June

I registered a listener on nsIConsoleService. It captures all error and warning messages displayed in the Error Console (a.k.a. Browser Console).

For example:

JavaScript Error: "TypeError: aUrl is undefined" {file: "chrome://browser/content/urlbarBindings.xml" line: 642}


I used the https://csptest.computerist.org website for testing the messages captured by our securityReport add-on (the captured messages are given below):

  csptest.computerist.org:443 uses an invalid security certificate.
  The certificate expired on Sunday 17 March 2013 11:25 AM. The current time is Monday 10 June 2013 12:20 PM.
  (Error code: sec_error_expired_certificate)

JavaScript Warning: "The X-Content-Security-Policy and X-Content-Security-Report-Only headers will be deprecated in the future. Please use the Content-Security-Policy and Content-Security-Report-Only headers with CSP spec compliant syntax instead." {file: "https://csptest.computerist.org/" line: 0}

JavaScript Error: "The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol." {file: "https://csptest.computerist.org/" line: 0}

JavaScript Warning: "CSP WARN: Directive default-src https://csptest.computerist.org:443 violated by 'https://people.mozilla.com/~mgoodwin/images/me.jpg'"

JavaScript Warning: "SyntaxError: octal literals and octal escape sequences are deprecated" {file: 'chrome://pippki/content/pippki.js' line: 132 column: 39 source: ' fos.init(file, 0x02 | 0x08 | 0x20, 00644, 0); '}


The messages captured using the nsIConsoleService listener show that security error messages are wrongly categorized by Firefox as JavaScript errors or warnings. Some messages, such as SSL certificate errors, are not categorized at all.

The main challenge for this project is now to categorize security errors/warnings correctly.

Wednesday, 12 June

Thursday, 13 June

  • To access the category information of each displayed message we need to use the nsIScriptError interface, which provides the category.
  • When the "nsIConsoleService" listener is invoked, it is given an "nsIConsoleMessage" object. Hence our next task is to query that object for the nsIScriptError interface.
  • Mark provided the following code sample to query nsIScriptError on the nsIConsoleMessage object, and it worked:
 // Ci = Components.interfaces; QueryInterface throws NS_NOINTERFACE if aMessage is not a script error
 let error = aMessage.QueryInterface(Ci.nsIScriptError);
  • Now I can get the category information of a message displayed in the Browser Console using "error.category".
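The nsIConsoleService listener from Monday and the nsIScriptError query from Thursday, put together as an added example (this is not the securityReport add-on's code, nor Firefox's): register the listener, query each message for nsIScriptError, guard the query because plain string messages such as the certificate error above raise NS_NOINTERFACE, and sort each entry by category and flags so that security messages are not lumped in with JavaScript errors. The category strings in SECURITY_CATEGORY, the categories and flags on the constructed sample messages, and the helper names (classifyMessage, summarize, makeScriptError, makeStringMessage) are assumptions for illustration. The XPCOM calls only work in Firefox chrome code; the classifier itself runs anywhere.

```javascript
// Added example, not code from the SecurityReport add-on or from Firefox.
// In Firefox chrome code Components exists; outside it (e.g. Node) we fall
// back to string stand-ins for the interface ids so the classifier still runs.
const Cc = typeof Components !== "undefined" ? Components.classes : null;
const Ci = typeof Components !== "undefined"
  ? Components.interfaces
  : { nsIScriptError: "nsIScriptError", nsIConsoleService: "nsIConsoleService" };

// Severity bits from nsIScriptError.idl (flags is a bitmask; errorFlag is 0).
const WARNING_FLAG = 0x1;
const EXCEPTION_FLAG = 0x2;

// Assumed category strings for the "security" bucket. The real add-on would
// build this list from the nsIScriptError.category values it observes.
const SECURITY_CATEGORY = /^(CSP|Content Security Policy|Mixed Content)/i;

function severityOf(flags) {
  if (flags & EXCEPTION_FLAG) return "exception";
  if (flags & WARNING_FLAG) return "warning";
  return "error";
}

// Turn one nsIConsoleMessage into a report entry. QueryInterface throws
// NS_NOINTERFACE for messages that are not script errors (the certificate
// error quoted on this page is one), so the query is guarded.
function classifyMessage(aMessage) {
  let err;
  try {
    err = aMessage.QueryInterface(Ci.nsIScriptError);
  } catch (e) {
    return { kind: "uncategorized", severity: "unknown", category: null,
             text: aMessage.message, source: null, line: null };
  }
  let kind = "other";
  if (SECURITY_CATEGORY.test(err.category)) kind = "security";
  else if (/javascript/i.test(err.category)) kind = "javascript";
  else if (/^CSS/.test(err.category)) kind = "css";
  return { kind, severity: severityOf(err.flags), category: err.category,
           text: err.errorMessage, source: err.sourceName, line: err.lineNumber };
}

// nsIConsoleListener: nsIConsoleService calls observe() once per message.
const report = [];
const listener = {
  observe(aMessage) {
    const entry = classifyMessage(aMessage);
    report.push(entry);
    return entry;
  },
};

// Chrome-only: hook the listener up to the console service.
// Returns a function that unregisters it again (call it on unload).
function registerListener() {
  if (!Cc) throw new Error("nsIConsoleService is only reachable from Firefox chrome code");
  const svc = Cc["@mozilla.org/consoleservice;1"].getService(Ci.nsIConsoleService);
  svc.registerListener(listener);
  return () => svc.unregisterListener(listener);
}

// Constructed stand-ins shaped like the XPCOM objects the listener receives,
// so the classifier can be exercised outside Firefox (assumption, not XPCOM).
function makeScriptError(errorMessage, category, flags, sourceName, lineNumber) {
  return {
    message: errorMessage, errorMessage, category, flags, sourceName, lineNumber,
    QueryInterface(iid) {
      if (iid !== Ci.nsIScriptError) throw new Error("NS_NOINTERFACE");
      return this;
    },
  };
}
function makeStringMessage(message) {
  return { message, QueryInterface() { throw new Error("NS_NOINTERFACE"); } };
}

// Constructed from the messages quoted above; the categories and flags are assumed.
const SAMPLE_MESSAGES = [
  makeScriptError("CSP WARN: Directive default-src https://csptest.computerist.org:443 violated by 'https://people.mozilla.com/~mgoodwin/images/me.jpg'",
                  "CSP", WARNING_FLAG, "https://csptest.computerist.org/", 0),
  makeScriptError("TypeError: aUrl is undefined", "chrome javascript", EXCEPTION_FLAG,
                  "chrome://browser/content/urlbarBindings.xml", 642),
  makeStringMessage("csptest.computerist.org:443 uses an invalid security certificate. (Error code: sec_error_expired_certificate)"),
];

// Feed messages through the listener and count report entries per bucket.
function summarize(messages = SAMPLE_MESSAGES) {
  report.length = 0;
  const counts = {};
  for (const m of messages) {
    const { kind } = listener.observe(m);
    counts[kind] = (counts[kind] || 0) + 1;
  }
  return counts;
}
```

In an Add-on SDK (Jetpack) module, Cc and Ci come from `require("chrome")` rather than a global Components object; the rest of the block is unchanged. The "uncategorized" bucket is exactly the gap noted on Tuesday: a bare nsIConsoleMessage carries only its text, so anything the add-on wants to say about a certificate error has to be derived from that text rather than from a category.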

Friday, 14 June