
Issue 721329

Starred by 3 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Task

Blocking:
issue 726178
issue 718942




Sending console messages from the browser to the devtool process without using the renderer.

Project Member Reported by arthurso...@chromium.org, May 11 2017

Issue description

AFAIU, the current way of sending console error messages from the browser is to use RenderFrameHost::AddMessageToConsole(...).
The message first goes to the renderer process, then back to the browser process, and finally it reaches the devtool process.

It would be nice to be able to avoid the round-trip in the renderer. Indeed, console error messages sometimes contain sensitive information that we would like to avoid transmitting to a possibly compromised renderer. This includes the source location of the error and the content of the message.

The first time this was mentioned was in issue 718940.

 
Note that console messages are stored in the renderer until DevTools connects. If we host them directly in the browser, we also need storage for them.
Project Member

Comment 2 by sheriffbot@chromium.org, May 11 2018

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: andypaicu@chromium.org
Status: Available (was: Untriaged)
Making this issue available again. This would be a nice-to-have feature.
In particular, it would allow us to display more useful console error messages when a CSP is violated. Some information in the console error message is currently removed to avoid leaking sensitive information to a potentially compromised renderer process.
See RenderFrameHostImpl::SanitizeDataForUseInCspViolation().

However, I don't intend to work on it in the near future.

+CC andypaicu@. FYI, because you are currently working on the 'navigate-to' CSP which also needs to sanitize the console error messages.
Labels: -Hotlist-Recharge-Cold
Blocking: 726178
This issue means that even with Site Isolation in place, we may leak cross-origin URLs (which in some cases may contain some "secrets" - see https://security.googleblog.com/2012/08/content-hosting-for-modern-web.html).

Given the above, should we reprioritize?
