Devtools and Security

Why?

What's this got to do with the browser?

Wouldn't it be cool if the console...

CSP Tools

  1. Could we try a proposed CSP against a real page?

    See what fails (and why)?

  2. Could we ask the browser what CSP we could apply without making changes?

    With links to information that explains how it could (and why it should) be better?
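Both CSP ideas above come down to the same two operations: match the resources a page actually loads against a policy, and derive a policy from that inventory. The block below is an added example (not code from the talk or from Firefox devtools) that does both over a plain list of `{type, url}` records. The `evaluateCsp` / `suggestCsp` names, the resource inventory and the page origin are constructed for illustration; the source-matching logic is a simplified version of the CSP rules (no path matching, ports compared only when written explicitly).

```javascript
// Added example: a minimal CSP evaluator ("what fails, and why") and
// generator ("what policy could we apply without changes").
// Resources are {type, url} records; url === 'inline' marks inline script/style.

const DIRECTIVE_FOR_TYPE = {
  script: 'script-src', style: 'style-src', img: 'img-src',
  font: 'font-src', connect: 'connect-src', frame: 'frame-src',
};

// Parse "default-src 'self'; script-src 'self' https://cdn.example" into a Map
// of directive name -> source list. A repeated directive keeps its first value,
// as browsers do.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression allow this URL? Handles 'self', 'none', scheme
// sources (https:) and host sources with an optional leading wildcard.
// Simplification (assumption): paths are ignored and a port is only compared
// when the source expression names one explicitly.
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return new URL(url).origin === pageOrigin;
  if (s.startsWith("'")) return false; // keyword, nonce or hash: never a URL match
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.toLowerCase().startsWith(s);

  const target = new URL(url);
  let scheme = new URL(pageOrigin).protocol.replace(':', '');
  let hostPart = s;
  const withScheme = s.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (withScheme) [, scheme, hostPart] = withScheme;
  const [host, port] = hostPart.split('/')[0].split(':');

  const targetScheme = target.protocol.replace(':', '');
  // CSP lets an http: source also match https: loads, never the reverse.
  if (targetScheme !== scheme && !(scheme === 'http' && targetScheme === 'https')) return false;
  if (port && port !== '*' && port !== target.port) return false;
  return host.startsWith('*.')
    ? target.hostname.endsWith(host.slice(1)) && target.hostname.length > host.length - 1
    : target.hostname === host;
}

// Try a proposed policy against the page's resource inventory. Returns one
// record per resource the policy would block, naming the governing directive
// and the reason, which is what a devtools panel would render.
function evaluateCsp(policy, resources, pageOrigin) {
  const directives = parseCsp(policy);
  const violations = [];
  for (const r of resources) {
    const name = DIRECTIVE_FOR_TYPE[r.type];
    const governing = directives.has(name) ? name
      : directives.has('default-src') ? 'default-src' : null;
    if (!governing) continue; // nothing governs this type: allowed
    const sources = directives.get(governing);
    if (r.url === 'inline') {
      if (!sources.some(x => x.toLowerCase() === "'unsafe-inline'")) {
        violations.push({ resource: r, directive: governing,
          reason: `inline ${r.type} needs 'unsafe-inline', a nonce or a hash` });
      }
      continue;
    }
    if (!sources.some(x => sourceMatches(x, r.url, pageOrigin))) {
      violations.push({ resource: r, directive: governing,
        reason: `${new URL(r.url).origin} is not allowed by ${governing} [${sources.join(' ')}]` });
    }
  }
  return violations;
}

// Derive the tightest policy that still allows everything the page loads today:
// default-src 'none', then one directive per resource type listing the origins seen.
function suggestCsp(resources, pageOrigin) {
  const byDirective = new Map([['default-src', new Set(["'none'"])]]);
  for (const r of resources) {
    const name = DIRECTIVE_FOR_TYPE[r.type];
    if (!byDirective.has(name)) byDirective.set(name, new Set());
    const origin = r.url === 'inline' ? "'unsafe-inline'"
      : new URL(r.url).origin === pageOrigin ? "'self'" : new URL(r.url).origin;
    byDirective.get(name).add(origin);
  }
  return [...byDirective].map(([name, set]) => `${name} ${[...set].join(' ')}`).join('; ');
}

// Constructed inventory standing in for what devtools would collect from a real page.
const PAGE_ORIGIN = 'https://app.example.com';
const SAMPLE_RESOURCES = [
  { type: 'script', url: 'https://app.example.com/js/main.js' },
  { type: 'script', url: 'https://cdn.example.net/lib.js' },
  { type: 'script', url: 'inline' },
  { type: 'img', url: 'https://images.example.com/logo.png' },
  { type: 'style', url: 'https://app.example.com/css/site.css' },
];

console.log(evaluateCsp("default-src 'self'; script-src 'self' https://cdn.example.net",
  SAMPLE_RESOURCES, PAGE_ORIGIN));
console.log(suggestCsp(SAMPLE_RESOURCES, PAGE_ORIGIN));
```

On the sample inventory the proposed policy blocks two things: the inline script (no `'unsafe-inline'`, nonce or hash under `script-src`) and the logo, which falls through to `default-src 'self'`. The suggested policy is only a starting point: it will contain `'unsafe-inline'` wherever the page has inline code, which is exactly the item a linked explanation should flag as "could and should be better".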

Other Ideas

  1. Security Warning mode, e.g.

    Visible warning if a password field is on an http page and/or a form whose submit action is over http.

  2. "Compliance" mode

    Highlight factors that are out of compliance (like some of the ideas we've mentioned, or ones configured by the developer).

    (This kind of thing is massively useful for devs and security people in large corporations.)

  3. Could we highlight use of 3rd party js?

    Sometimes people lose sight of where they're getting stuff from.
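The three ideas above (password fields and form actions over http, a developer-configurable compliance rule set, and third-party script detection) fit one shape: a list of rules run over a model of the page. The block below is an added example, not code from the talk or from any browser's devtools. Rules run over a plain page model so they can be exercised outside a browser; `collectPageModel` builds that model from a live `document` when one exists. The rule ids, the `runRules` / `collectPageModel` names and the sample page are constructed for illustration.

```javascript
// Added example: a small "security warning" / "compliance" rule set.
// Page model: { url, forms: [{id, action, hasPassword}], scripts: [src...] }.

function resolveUrl(url, pageUrl) { return new URL(url, pageUrl); }

// Each rule returns a list of findings: { rule, target, detail }.
const RULES = [
  {
    id: 'password-on-http',
    check(page) {
      if (new URL(page.url).protocol === 'https:') return [];
      return page.forms.filter(f => f.hasPassword).map(f => ({
        rule: 'password-on-http', target: f.id,
        detail: 'password field on an http page: readable and alterable in transit',
      }));
    },
  },
  {
    id: 'form-submits-over-http',
    check(page) {
      // An empty action submits to the page URL itself, so resolve against it.
      return page.forms
        .map(f => ({ f, dest: resolveUrl(f.action || page.url, page.url) }))
        .filter(({ dest }) => dest.protocol === 'http:')
        .map(({ f, dest }) => ({
          rule: 'form-submits-over-http', target: f.id, detail: `submits to ${dest.href}`,
        }));
    },
  },
  {
    id: 'third-party-script',
    check(page) {
      const origin = new URL(page.url).origin;
      return page.scripts
        .map(src => resolveUrl(src, page.url))
        .filter(u => u.origin !== origin)
        .map(u => ({
          rule: 'third-party-script', target: u.href,
          detail: `script loaded from ${u.origin}, not from ${origin}`,
        }));
    },
  },
];

// "Compliance mode": the enabled list is where a developer's configuration
// would plug in; by default every rule runs.
function runRules(page, enabled = RULES.map(r => r.id)) {
  return RULES.filter(r => enabled.includes(r.id)).flatMap(r => r.check(page));
}

// Build the page model from a live DOM (browser only; not called under Node).
function collectPageModel(doc) {
  return {
    url: doc.location.href,
    forms: [...doc.querySelectorAll('form')].map((f, i) => ({
      id: f.id || `form#${i}`,
      action: f.getAttribute('action') || '',
      hasPassword: f.querySelector('input[type="password"]') !== null,
    })),
    scripts: [...doc.querySelectorAll('script[src]')].map(s => s.getAttribute('src')),
  };
}

// Constructed sample page so the rules can be run offline.
const SAMPLE_PAGE = {
  url: 'http://shop.example.com/login',
  forms: [
    { id: 'login', action: '/session', hasPassword: true },
    { id: 'search', action: 'https://shop.example.com/search', hasPassword: false },
  ],
  scripts: ['/static/app.js', 'https://analytics.example.net/tag.js'],
};

const page = typeof document !== 'undefined' ? collectPageModel(document) : SAMPLE_PAGE;
console.table(runRules(page));
```

Pasted into a browser console it reports on the current page; under Node it reports on the constructed sample, where the login form trips both http rules and the analytics tag is flagged as third-party while `/static/app.js` is not. Highlighting in the page (outlining the offending form or script element) is the devtools part and is left out here.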

Anything else?

  1. Firefox can be useful as a tool for security people

    Things like DOMinator (the only DOM XSS tool I've seen that works)

  2. Useful stuff to remember

    It's important to expose new-ish functionality in a way that's useful for tooling (e.g. WebSockets)

Discuss…
