Server applications can get things logged to the user's browser console. We should investigate whether that is a problem in our context (first, does this only have an effect if the user has the console open and is monitoring network requests?).
We probably should bind that to a pref as I can imagine this is quite handy for debugging purposes.
This feature allows the server to send JSON data for display in the web or browser console. I don't see any particular danger from this, particularly because it does not result in any data being sent from the client to the server, as far as I can tell. (Am I missing something?) Additionally, the feature is preffed off by default:
When the prefs are disabled, does the browser still parse the data sent in the X-ChromeLogger-Data headers? I don't think this feature raises an obvious security or privacy issue, but it would be bad to leave server logging enabled if it turns out that there is a bug in how the JSON data is parsed or presented.
Good question. I added a dump statement to the part of the code where the "X-ChromeLogger-Data" header value is parsed. I was able to manually confirm that this code is not called except when "Server" logging is enabled (through the button in the devtools UI, or in the prefs). Here's my test code in case anyone is interested:
Thanks for investigating. I think this ticket can be closed, assuming gk agrees.
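The property checked in this thread (the header is not parsed unless server logging is enabled), together with bounded, inert handling of the JSON once it is enabled, as an added example that is not part of the ticket and is not Firefox or Tor Browser code. It assumes the Chrome Logger wire format (base64-encoded JSON with `columns` and `rows`); the pref name, size caps and function names are hypothetical.

```javascript
// Added illustration, not Firefox or Tor Browser code. The pref name, the caps
// and every function name here are hypothetical.
const MAX_HEADER_CHARS = 64 * 1024; // assumed cap on the encoded header value
const MAX_ROWS = 500;               // assumed cap on rows handed to the console
const TYPES = new Set(["log", "warn", "error", "info"]);
const SKIPPED = Object.freeze({ parsed: false, rows: Object.freeze([]) });

function decodeServerLog(headers, prefs) {
  // Gate first: with the pref off the header value is never read or parsed.
  if (prefs["serverlog.enabled"] !== true) return SKIPPED;
  const raw = headers["x-chromelogger-data"];
  if (typeof raw !== "string" || !raw || raw.length > MAX_HEADER_CHARS) return SKIPPED;
  let data;
  try {
    // Chrome Logger sends base64-encoded UTF-8 JSON (Node's Buffer used here).
    data = JSON.parse(Buffer.from(raw, "base64").toString("utf8"));
  } catch (e) {
    return SKIPPED; // malformed input is dropped, never partially rendered
  }
  if (!data || !Array.isArray(data.columns) || !Array.isArray(data.rows)) return SKIPPED;
  const rows = [];
  for (const row of data.rows.slice(0, MAX_ROWS)) {
    if (!Array.isArray(row)) continue;
    const entry = Object.create(null); // no prototype, so "__proto__" is just a key
    data.columns.forEach((col, i) => {
      if (typeof col === "string") entry[col] = row[i];
    });
    const type = TYPES.has(entry.type) ? entry.type : "log";
    // Hand the console inert text only, never markup or live objects.
    rows.push({ type, text: String(JSON.stringify(entry.log)).slice(0, 2000) });
  }
  return { parsed: true, rows };
}

// Constructed sample header, built the way a server-side library would.
function sampleHeader() {
  const payload = {
    version: "0.0.0-sample",
    columns: ["log", "backtrace", "type"],
    rows: [[["hello from server", { user: 1 }], "app.py : 10", "warn"]],
  };
  return Buffer.from(JSON.stringify(payload), "utf8").toString("base64");
}
```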