Web developers need better tools to help them debug security issues. The Web Console, part of the Firefox Developer Tools, shows errors and warnings filtered into different categories. Firefox 23 adds a new category of messages to the Web Console: Security messages.
Toggle buttons for categories of messages in the Web Console
The Security toggle button and messages are red to warn developers, since some of these messages indicate that your site has a security vulnerability.
Once we had a dedicated place for security messages, we had to decide what kinds of issues should be reported to developers. Ivan Alagenchev, a security engineering intern, spent the summer improving security reporting to fulfill the following goals:
- Warn developers about altered site behavior that is due to a security feature (for example, resource loads blocked by the Mixed Content Blocker or the Same Origin Policy).
- Warn developers about mistakes made in implementing security features (for example, using deprecated CSP headers, or mistyping an HSTS header).
- Warn developers about common security risks (for example, putting password fields on insecure pages).
Here are example screenshots of some of the new Security messages:
Warnings for loading mixed content
Warning for detected password field on an insecure page.
These specific messages are available to current Nightly users and will be part of upcoming stable releases.
While security should be of paramount importance to any developer, it is a complex subject that is not always part of a web developer’s education and often appears at inconvenient times. This new messaging helps developers find security-related problems early on in the development life cycle so they can be resolved quickly and effectively.
Additionally, these messages help educate developers about common issues in web security. Many of the new messages end with a “Learn More” link that takes you to a wiki with background information and advice for mitigating the security issue.
Bug 863874 is the meta-bug for logging relevant security messages to the Web Console. If you have more ideas for useful features like the ones discussed here, or are interested in contributing, check out the metabug and its dependencies!