New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 22 users

Issue metadata

Status: WontFix
Closed: Dec 2017
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug

Sign in to add a comment

Issue 420813: ☂ Security UX for (Web) Developers

Reported by, Oct 6 2014 Project Member

Issue description

Every once in a while, someone suggests that we should expose certain security information somewhere in dev tools. I don't think anyone currently has an overview of what those should be.

Given that security is a core tenet of Chrome, and that there are lots of interacting security features under development, I think it might even be warranted to introduce a "Security" pane to the Chrome developer tools some day. For now, I just want to keep track of things so that things don't get *less* usable (i.e. related features spread out in different places

Comment 1 by, Oct 7 2014  – Mark insecure resources in network panel (dev tools)

Comment 2 by, Oct 7 2014  – Indicate when requests are rerouted due to HSTS

Comment 3 by, Oct 7 2014

Blockedon: chromium:160571 chromium:420774
Labels: Cr-Platform-DevTools-UX
Status: Assigned

Comment 4 by, Oct 7 2014

I'm not aware of many security-specific features in dev tools, but I've started a document to keep track of them:

Comment 5 by, Oct 7 2014

Blockedon: chromium:365779
Found by Adrienne:  – Notify in console when an API fails because it needs to be called during a user action.

Comment 6 by, Oct 7 2014

Blockedon: chromium:421248  – Move the Connection Tab info from the Origin Info Bubble into the Dev Tools console

(Thanks to palmer@ for filing 421248 today.)

Comment 7 by, Oct 8 2014

Summary: Security UX for (Web) Developers (was: Security UX in Dev Tools)

Comment 8 by, Oct 14 2014


Comment 9 Deleted

Comment 10 Deleted

Comment 11 by, Oct 15 2014

From an email thread about "Click to Play" for Flash: we should start notifying web developers if Flash is run from an insecure source.

Comment 12 by, Oct 16 2014

Labels: Cr-Platform-DevTools

Comment 13 by, Oct 16 2014

Blockedon: chromium:401386
401386 – 	Provide tools, guidance for web development when security features (such as HTTPS) are in play

(Thanks for CCing me on 401386, Paul!)

Comment 14 by, Oct 17 2014

Blockedon: chromium:149962
149962 - 	Implement a heuristic to cross out the "HTTPS" in the address bar when auth cookies are not secure.

In order for 149962 to be useful, we need to make it clear to devs what specifically happened, and why it's insecure.

Comment 15 by, Oct 21 2014

Blockedon: chromium:331110 - Improve UI for net-internals#hsts: add way to see all hsts entries

Comment 16 Deleted

Comment 17 Deleted

Comment 18 Deleted

Comment 19 Deleted

Comment 20 Deleted

Comment 21 by, Oct 24 2014

[For future reference: Two commits were originally added to this issue by accident. I'd normally leave them here to avoid messing with the record, but I've deleted them because I expect this issue to be long-lived.
Their contents have been copied to  – A new kind of interstitial for when the clock is wrong]

Comment 22 by, Nov 17 2014

Related to 365779 and 365779: felt@ found that some permissions are blocked haphazardly on file:// URIs, without a warning on the console. We should:

- Make sure there is *some* universal policy for permissions across all origins (including file:// or data: URIs).
- Clearly display (and explain) failures to developers.

Comment 23 by, Nov 26 2014

Blockedon: chromium:436917  The inevitable Service Worker / DevTools meta-bug!

(Achievement unlocked: meta-meta bug status!)

Comment 24 by, Dec 1 2014

Blockedon: chromium:437466  Surface certificate warning root cause in the certificate details menu

Comment 25 by, Jan 7 2015

Blockedon: chromium:446723 Web API Permission Inconsistencies

Comment 26 by, Jan 8 2015

Blockedon: chromium:445359  DevTools: Add Security Tab

Comment 27 by, Jan 8 2015  DevTools: Add Security Tab

Comment 28 by, Jan 14 2015

Blockedon: chromium:442590  Inform developers that support for EME APIs on HTTP origins will be deprecated

Comment 29 by, Jan 23 2015

Blockedon: chromium:441605  Command line option for whitelisting specific origins to ease development and testing of websites using Secure Origin only features

Comment 30 by, Jan 28 2015

Blockedon: chromium:282927
 Issue 282927 :	Don't show SSL interstitials for localhost

Comment 31 by, Jan 29 2015

Labels: Cr-Security-UX-WebDev

Comment 32 by, Feb 6 2015

Blockedon: chromium:425158
 Issue 425158 :	Detailed connection info on Clank

Comment 33 by, Mar 31 2015

Blockedon: chromium:472256

Comment 34 by, May 19 2015

Summary: ☂ Security UX for (Web) Developers (was: Security UX for (Web) Developers)

Comment 35 by, Jun 10 2015

Blockedon: chromium:498921

Comment 36 by, Mar 9 2016

Components: -Security>UX>WebDev
Labels: Hotlist-Security-UX-WebDev

Comment 37 by, Nov 23 2016

Components: -Platform>DevTools Platform>DevTools>Security

Comment 38 by, Nov 23 2016

Components: -Security>UX UI>Browser>Bubbles>PageInfo

Comment 39 by, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 40 by, Dec 1 2017

Status: WontFix (was: Assigned)
I think this bug is too broad to be useful, especially now that the devtools security panel has launched which seems to have been the main purpose of this bug.

Sign in to add a comment