Mozilla Connect

Hello, I feel like the JSON filtering behavior changed within the last few weeks. I use the "Filter JSON" bar a lot and it used to keep nested nodes expanded if I opened them during a filter. This was helpful so that I could clear the filter, scroll down to the expanded node I opened from the search, and look at the other fields in that object. But now, when I clear the filter, everything is collapsed/the way I left it before I ran the filter, and I have to manually find and expand the nested object I was looking for manually. I'm not sure why this behavior changed, but it would be nice if it could be brought back. Thank you! ... View more

Hello, I am a frontend developer. My team is currently implementing CSP with nonces. As per security standards, a nonce must be generated dynamically for every request, which I had successfully implemented. However, our frontend lead decided to generate the nonce statically during the build pipeline. This is the exact opposite of a secure CSP implementation. Could you please implement a security mechanism to block or warn about pages that repeat the same nonce on every request? This would help developers like me force our teams to adopt the correct, secure solution. Here is a proposal on how this could be approached at the browser engine level: Problem Statement: Generating CSP nonces statically during the CI/CD build pipeline creates a false sense of security, entirely neutralizing the XSS mitigation that the CSP specification is designed to provide. Proposed Solution: I propose implementing a strict security check within the browser engine to detect predictable, static, or heavily cached nonces. Specifically: DevTools Violation: Trigger a severe security warning in the console if a page containing a CSP nonce is served with aggressive caching headers (e.g., missing Cache-Control: no-cache or no-store ), as this inherently implies the nonce is being reused. Enforcement: Introduce a mechanism to track nonce entropy or reuse across hard reloads for the same origin. If a static nonce is detected, the browser should disregard it, thereby blocking the inline scripts and forcing development teams to fix the implementation. Impact: Implementing this strict validation at the browser level will force technical leads and engineering teams to adopt correct dynamic nonce generation strategies, eliminating "placebo" CSP implementations across the web. ... View more

I would like to request that Firefox implement CSS Scroll-Driven Animations (animation-timeline: scroll() and view()). This feature is already supported in Chromium-based browsers and is essential for developers to create lighter, smoother scroll animations without heavy JavaScript, while aligning with the W3C standard. Supporting it in Firefox would greatly improve cross-browser consistency ... View more

The font size of the code in Developer Tools seems to be static - and on my 4k monitor, it is therefore tiny. I only recently hit middle age, and had to start wearing reading glasses - so is a recent pain in my arse. Surely others have this issue too? Firefox   ... View more

The "URL Filter" field on the DevTools Network tab accepts certain keywords to allow filtering by values other than the URL:         A list of those keywords can be found here. Many of the keywords correspond exactly to the column headings displayed on the Network tab, and those that don't at least begin with the same letter as the column heading, so that, as you type, the input hint guides you to the correct keyword. The one exception is the keyword "mime-type", which can be used to filter by values displayed in the "Type" column (which originate from the "content-type" response headers). Since typing neither "type" nor "content-type" into the input field results in the necessary hint to reveal the actual keyword ("mime-type"), I find myself having to keep revisiting the documentation to find the keyword. Having a keyword alias "type" for the "mime-type" filter keyword would help alot. (i.e. being able to enter either "mime-type:text/html" -or- "type:text/html") ... View more

Can we please get the option to format JSON responses in the request view in the Network tab instead of them just being printed in 1 line:   ... View more

This is something that should have already been implemented. The idea of using a pc and connecting it to your phone is so archaic, I'd like to test extensions from my phone alone. ... View more

Hey team! I spend half my days with another monitor connected and the browser open full screen with devtools docked to the right of the page. This works great! However, I also spend a fair bit of time moving around with just my laptop. On those days, I'm usually having to expand/shrink the browser constantly to check out different things on a page or to have VSCode open next to it. I'm not a fan of the "Dock to bottom" on a full screen page so find myself constantly having to switch between "Dock to bottom" and "Dock to right" while I work. It's a very tiny but constant frustration. It would be awesome if you could add a "Responsive Dock" option which automatically switches between both as you change the width of the browser. A bit like a CSS breakpoint. Thanks! James. ... View more

I've been developing some apps that use jQuery SOAP and receive XML responses from the server, but Firefox insists on showing the XML AJAX responses as plain text in a single line, while only JSON is formatted. Every time I need to debug a response, I have to copy the entire output and paste it into an XML formatter tool, which is far from the most straightforward way to debug. Chrome, on the other hand, formats both JSON and XML (and possibly other response formats as well). Please consider adding a parser to pretty-print XML responses. Firefox Developer Tools have historically been better than Chrome’s, but the lack of XML formatting is extremely frustrating.   ... View more

I want a way to hide html elements from websites like how Safari has “Hide Distracting Items”. This would be great for both iOS and desktop versions, as everyone would use this. This wouldn’t only help as an ad blocker, but also to hide other items that you just don’t want to see every time you open the same site.  ... View more

In Network tab -> Response Some times the Raw Response is in one line  Option to Pretty Print it would be nice ... View more

In Network Tab -> Response Tab Add an option to expand fields recursively , currently available in chromium browsers   ... View more

Calc won't divide by values with units, so I've ended up doing a bit of unitless CSS with JS-overridden property values. Since they don't change with reflow, could the devtool's CSS variable tooltip show the reduced form as well please? It'd help me track down where the result is unexpected. As you can see in the screenshot, I've been setting the opacity to the variable to preview intermediate results in the computed tab. ... View more

The Sources tab is a feature in chrome based browsers similar to the debugger tab, but it displays everything in the entire page; not just js but images, html, css, sounds, ect. I would like to be able to use this in Firefox as well. It's incredibly handy for when you need to find a specific file in a site that can't just be found with the Inspector, and I hate having to switch over to Chrome to do this.   ... View more

Please add support for https://webaudio.github.io/web-speech-api/ Chrome based browsers all support it. Speech recognition in local browser. ... View more

You can use hashes to confirm the integrity of inline <script>s by adding them to the Content Security Policy (CSP) header of the page. If the CSP header is used but a script is not allowed, because the hash is missing (or wrong), an error message is shown in the dev tools' console. In Firefox it looks like this: Content-Security-Policy: The page’s settings blocked an inline script (script-src-elem) from being executed because it violates the following directive: "script-src 'self' 'sha256-N0WgDOqcdfL9w1uP613+B2yu6dpc5KPYLXeb9XHepPc=' https://*.googletagmanager.com " It's hard to find out the correct hash for an inline script. The easiest way at the moment is to use Google Chrome, as it has a better error message: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-N0WgDOqcdfL9w1uP613+B2yu6dpc5KPYLXeb9XHepPc=' https://*.googletagmanager.com ". Either the 'unsafe-inline' keyword, a hash ('sha256-ofImKSSljLzXLojBYDvShM2hWb1UdlR0IiXtVV6UO34='), or a nonce ('nonce-...') is required to enable inline execution. I suggest to improve Firefox's error message and display the hash that would be correct. ... View more

For testing it would be very helpful if you could force the use of the "prefers-contrast: more" media query via a switch in developer tools. Chrome provides settings for forcing several accessibility options (hidden under the optional "rendering" settings), I'd very much like Firefox to have this as well. Maybe it could even be a user setting, so users don't have to enable high contrast mode in their OS just to tell the browser to use "prefers-contrast: more" stylesheets. ... View more

I recommend adding Firefox Desktop's Local DevTools to Firefox for Android. This allows web debugging to be done directly on the device without having to connect to a computer to debug remotely, significantly improving the mobile web development experience. This feature will increase developer efficiency and make Firefox a more attractive option for mobile web developers. The built-in DevTools suite also differentiates Firefox from other browsers. Ultimately, better tools translate into faster development cycles and improved web application performance. ... View more

When an HTTP request is incomplete, devtools will not display the request information; it only shows after the request is finished. However, browsers based on Chromium display the request information first and then show the response information after the request ends. It is hoped that Firefox can also improve this functionality. ... View more