Opened 4 years ago

Closed 4 years ago

#18996 closed task (fixed)

Investigate server logging in ESR45

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: ff45-esr
Cc: mcs, brade, arthuredelstein
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Server applications can get things logged to the user's browser console. We should investigate whether that is a problem in our context (first, does this only have an effect if the user has the console open and is monitoring network requests?).

We probably should bind that to a pref as I can imagine this is quite handy for debugging purposes.

Child Tickets

Attachments (1)

Screen Shot 2016-05-22 at 10.56.28 PM.png (34.6 KB) - added by arthuredelstein 4 years ago.


Change History (8)

comment:1 Changed 4 years ago by arthuredelstein

Cc: arthuredelstein added

comment:2 Changed 4 years ago by arthuredelstein

Here's a link to Mozilla's Server Logging documentation.
https://developer.mozilla.org/en-US/docs/Tools/Web_Console/Console_messages#Server

Changed 4 years ago by arthuredelstein

comment:3 Changed 4 years ago by arthuredelstein

This feature allows the server to send JSON data for display in the web or browser console. I don't see any particular danger from this, particularly because it does not result in any data being sent from the client to the server, as far as I can tell. (Am I missing something?) Additionally, the feature is preffed off by default:

pref("devtools.webconsole.filter.servererror", false);
pref("devtools.webconsole.filter.serverwarn", false);
pref("devtools.webconsole.filter.serverinfo", false);
pref("devtools.webconsole.filter.serverlog", false);

and

pref("devtools.browserconsole.filter.servererror", false);
pref("devtools.browserconsole.filter.serverwarn", false);
pref("devtools.browserconsole.filter.serverinfo", false);
pref("devtools.browserconsole.filter.serverlog", false);

although it is easy for the user to turn on, by pressing the "Server" button above the console.

comment:4 Changed 4 years ago by mcs

When the prefs are disabled, does the browser still parse the data sent in the X-ChromeLogger-Data headers? I don't think this feature raises an obvious security or privacy issue, but it would be bad to leave server logging enabled if it turns out that there is a bug in how the JSON data is parsed or presented.

comment:5 in reply to: 4; Changed 4 years ago by arthuredelstein

Replying to mcs:

When the prefs are disabled, does the browser still parse the data sent in the X-ChromeLogger-Data headers? I don't think this feature raises an obvious security or privacy issue, but it would be bad to leave server logging enabled if it turns out that there is a bug in how the JSON data is parsed or presented.

Good question. I added a dump statement to the part of the code where the "X-ChromeLogger-Data" header value is parsed. I was able to manually confirm that this code is not called except when "Server" logging is enabled (through the button in the devtools UI, or in the prefs). Here's my test code in case anyone is interested:

https://github.com/arthuredelstein/tor-browser/commit/18996

(Note this patch is for testing purposes only.)
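As an added illustration of the two points made in comment:3 and comment:5 (what the feature consumes, and that nothing is decoded while the server prefs are off), here is example code written for this ticket, not Firefox or Tor Browser code. It decodes an X-ChromeLogger-Data header value, which per the ChromeLogger wire format is base64-encoded JSON of the shape {"version", "columns": ["log","backtrace","type"], "rows": [[["msg"], "file : line", "warn"], ...]}, and only does so once at least one of the four devtools.webconsole.filter.server* prefs quoted in comment:3 is true. The header-size cap and the mapping from row type to pref are assumptions of this example; the sample header is constructed, not captured from a real server.

```javascript
// Added example for Tor ticket #18996 (not Firefox/Tor Browser code): a
// pref-gated X-ChromeLogger-Data parser. With all server prefs off the header
// value is never touched, mirroring what comment:5 confirmed for the real code.

const SERVER_PREFS = [
  "devtools.webconsole.filter.servererror",
  "devtools.webconsole.filter.serverwarn",
  "devtools.webconsole.filter.serverinfo",
  "devtools.webconsole.filter.serverlog",
];

// Default values as quoted in comment:3 (all off).
const DEFAULT_PREFS = Object.fromEntries(SERVER_PREFS.map((p) => [p, false]));

// Assumed cap on the raw header value: it is attacker controlled, so bound
// the work done before any decoding happens. Not a value from the page.
const MAX_HEADER_CHARS = 16 * 1024;

// Assumed mapping from a ChromeLogger row "type" to the pref that shows it;
// anything not listed ("" and others) is treated as a plain log entry.
function prefForType(type) {
  switch (type) {
    case "error": return "devtools.webconsole.filter.servererror";
    case "warn":  return "devtools.webconsole.filter.serverwarn";
    case "info":  return "devtools.webconsole.filter.serverinfo";
    default:      return "devtools.webconsole.filter.serverlog";
  }
}

// Decode and validate one header value. Never throws; returns
// { ok: true, rows: [...] } or { ok: false, error: "..." }.
function parseChromeLoggerHeader(value) {
  if (typeof value !== "string" || value.length === 0) {
    return { ok: false, error: "empty header" };
  }
  if (value.length > MAX_HEADER_CHARS) {
    return { ok: false, error: "header too large" };
  }
  let payload;
  try {
    payload = JSON.parse(Buffer.from(value, "base64").toString("utf8"));
  } catch (e) {
    return { ok: false, error: "not base64-encoded JSON" };
  }
  if (payload === null || typeof payload !== "object" ||
      !Array.isArray(payload.columns) || !Array.isArray(payload.rows)) {
    return { ok: false, error: "missing columns/rows" };
  }
  const logIdx = payload.columns.indexOf("log");
  const btIdx = payload.columns.indexOf("backtrace");
  const typeIdx = payload.columns.indexOf("type");
  if (logIdx < 0 || typeIdx < 0) {
    return { ok: false, error: "columns lack log/type" };
  }
  const rows = [];
  for (const row of payload.rows) {
    // Each row must be an array with exactly one cell per declared column.
    if (!Array.isArray(row) || row.length !== payload.columns.length) {
      return { ok: false, error: "malformed row" };
    }
    const type = typeof row[typeIdx] === "string" ? row[typeIdx] : "";
    rows.push({
      // "log" is itself an array of values; keep it as data, never evaluate it.
      args: Array.isArray(row[logIdx]) ? row[logIdx] : [row[logIdx]],
      backtrace: btIdx >= 0 && typeof row[btIdx] === "string" ? row[btIdx] : "",
      type,
    });
  }
  return { ok: true, rows };
}

// Entry point a console listener would call once per response.
// headers: object keyed by lower-cased header name. Returns
// { decoded, entries }; decoded stays false whenever every server pref is
// off, so the header value is not even read in that case.
function collectServerLogs(headers, prefs = DEFAULT_PREFS) {
  if (!SERVER_PREFS.some((p) => prefs[p] === true)) {
    return { decoded: false, entries: [] };
  }
  const value = headers["x-chromelogger-data"];
  if (value === undefined) {
    return { decoded: false, entries: [] };
  }
  const parsed = parseChromeLoggerHeader(value);
  if (!parsed.ok) {
    return { decoded: true, entries: [], error: parsed.error };
  }
  const entries = parsed.rows.filter((r) => prefs[prefForType(r.type)] === true);
  return { decoded: true, entries };
}

// Constructed sample header for this example (not from any real server).
function sampleHeader() {
  const payload = {
    version: "4.1.0",
    columns: ["log", "backtrace", "type"],
    rows: [
      [["request handled", { route: "/index" }], "app.php : 12", ""],
      [["cache miss"], "cache.php : 40", "warn"],
      [["db timeout"], "db.php : 77", "error"],
    ],
  };
  return Buffer.from(JSON.stringify(payload), "utf8").toString("base64");
}
```

The point mcs raised in comment:4 is the reason the pref check sits before the header lookup rather than after the parse: a bug in the decoder can only be reached by users who have turned the feature on. Note the default parameter `prefs = DEFAULT_PREFS`, so calling `collectServerLogs(headers)` with no pref object behaves like a stock profile.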

comment:6 in reply to: 5; Changed 4 years ago by mcs

Replying to arthuredelstein:

Good question. I added a dump statement to the part of the code where the "X-ChromeLogger-Data" header value is parsed. I was able to manually confirm that this code is not called except when "Server" logging is enabled (through the button in the devtools UI, or in the prefs).

Thanks for investigating. I think this ticket can be closed, assuming gk agrees.

comment:7 Changed 4 years ago by gk

Resolution: fixed
Status: new → closed