aidantwoods/SecureHeaders

Option to manually disable warnings

IlCallo opened this issue · 4 comments

I'm with you that having Warnings and Notices is a wonderful thing while developing, but it seems that it's not possible to manually disable them in any way.

Use cases:

  • we want to support Edge pre-15, so we must put in "unsafe-inline". Our CSP is built to leverage CSP3 and CSP2 where possible and fall back to CSP1 only where really needed, but we actually find ourselves flooded with warnings about a decision we know we made for a reason;
  • we are enhancing security step by step, and for this reason we preferred to disable HSTS for now. We know we did, and we are going to enable it later, but we apparently have no way to disable those errors.

If there were some way to selectively disable some warnings (of course they must be enabled by default), it would be great.

reportMissingException might be partially what you're looking for. Though I agree it might be good to be able to selectively mute any error (like the CSP ones for example). You're now reminding me of something I've been meaning to fix – I think SecureHeaders will warn for 'unsafe-inline' when a hash/nonce is used, but it shouldn't be (using a nonce/hash will disable 'unsafe-inline' – this being a backwards compat convenience to pretty much fit the situation you're describing).

Just to rephrase slightly – for the first situation if you're using hashes and nonces in addition to 'unsafe-inline' then SecureHeaders shouldn't be giving a warning anyway.
For the second situation you should be able to mute the HSTS warning, but I think the API call might need to be exposed as a config option from @mikefrancis's library (so giving him a ping here 😜).
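The rule behind the maintainer's point (a CSP2/CSP3 browser ignores 'unsafe-inline' in a directive that also carries a nonce or hash, while a CSP1-only browser ignores the nonce/hash and honours 'unsafe-inline') is what makes the "degrade gracefully" policy safe and is why a warning about 'unsafe-inline' is only warranted when no nonce or hash is present. The following is an added illustration in Python, not code from SecureHeaders or from anyone in this thread; the sample policies and the nonce value are constructed for the example, and the lint function only models that one rule rather than the library's actual warning logic.

```python
import re

# Constructed sample policies (not from the issue or from SecureHeaders).
# POLICY_WITH_FALLBACK is the "degrade gracefully" shape discussed above: a nonce for
# CSP2/CSP3 browsers, with 'unsafe-inline' kept only as the fallback for CSP1-only browsers.
POLICY_WITH_FALLBACK = "default-src 'self'; script-src 'self' 'nonce-d2F0Y2hpbmc' 'unsafe-inline'"
POLICY_PLAIN_UNSAFE = "default-src 'self'; script-src 'self' 'unsafe-inline'"

# nonce-source and hash-source expressions as defined in CSP2/CSP3 (base64 payloads).
NONCE_OR_HASH = re.compile(r"^'(nonce-[A-Za-z0-9+/_=-]+|sha(256|384|512)-[A-Za-z0-9+/=]+)'$")


def parse_csp(policy):
    """Split a serialized policy into {directive-name: [source expressions]}.

    Per the spec, a directive that appears twice keeps its first occurrence.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_sources(policy, directive):
    """Return the source list a CSP2+ browser actually enforces for `directive`.

    Falls back to default-src when the directive is absent, and drops 'unsafe-inline'
    when a nonce or hash is present, which is exactly what CSP2 and CSP3 user agents do.
    """
    directives = parse_csp(policy)
    sources = directives.get(directive)
    if sources is None:
        sources = directives.get("default-src", [])
    if any(NONCE_OR_HASH.match(src) for src in sources):
        sources = [src for src in sources if src.lower() != "'unsafe-inline'"]
    return sources


def unsafe_inline_is_live(policy, directive="script-src"):
    """True when 'unsafe-inline' really widens the policy in CSP2+ browsers."""
    return "'unsafe-inline'" in [src.lower() for src in effective_sources(policy, directive)]


def lint_unsafe_inline(policy):
    """Warn only where 'unsafe-inline' is actually enforced; stay silent for the nonce/hash
    fallback case, which is the behaviour the maintainer describes as intended."""
    warnings = []
    for directive in ("script-src", "style-src"):
        if unsafe_inline_is_live(policy, directive):
            warnings.append(
                f"{directive}: 'unsafe-inline' is enforced by CSP2+ browsers; add a nonce or hash"
            )
    return warnings


if __name__ == "__main__":
    for policy in (POLICY_WITH_FALLBACK, POLICY_PLAIN_UNSAFE):
        print(policy)
        print("  enforced script-src:", effective_sources(policy, "script-src"))
        print("  warnings:", lint_unsafe_inline(policy) or "none")
```

The caveat a practitioner should keep in mind: the fallback only protects users of CSP2+ browsers; on a CSP1-only browser 'unsafe-inline' is fully live, so the policy is a graceful degradation, not equivalent protection everywhere.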

Yes, my first use case is exactly the "degrade gracefully" one you described.
And reportMissingException is what I was searching for, thank you. It wasn't mentioned in the README and I guess I missed that part of the Wiki.

I'll re-open this to keep a pin in it so I remember to add the ability to turn off specific warnings/notices :)

In principle I wouldn't recommend ignoring the CSP warnings for example (at least when they're doing the right thing). Though if a user really doesn't want to see a particular warning, I would rather they muted a single warning type than everything in bulk and being blind to all problems – so I think it is worthwhile adding this granularity.