Closed Bug 1139245 Opened 9 years ago Closed 5 years ago

Web Console on chrome: URLs allows input even if devtools.chrome.enabled is false

Tracking

(Not tracked)

Status:

RESOLVED WONTFIX

People

(Reporter: emk, Unassigned)

References

(Blocks 1 open bug)

Details

Masatoshi Kimura [:emk]

Reporter

Description

•

9 years ago

Steps to reproduce:
1. Make sure devtools.chrome.enabled is false.
2. Open about:newtab (or about:config or any other chrome-privileged pages).
3. Press Ctrl+Shift+K to open Web Console on the page.

Actual result:
Web Console have an input field.

Expected result:
Web Console on chrome-privileged pages should have no input field unless devtools.chrome.enabled is true, just like Browser Console (bug 922161).

Attackers can instruct users to type the secret command "Ctrl+T Ctrl+Shift+K blah-blah-blah" to pwn the browser using the self-XSS.
Looks like this attack scenario is already pointed out in bug 922161 comment #23, but it was ignored somehow.

If this is by design, feel free to WONTFIX this. It is very good for me :)

BMO Automation

Updated

•

6 years ago

Product: Firefox → DevTools

Nicolas Chevobbe [:nchevobbe]

Comment 1

•

5 years ago

We have self XSS protection mechanism, so I think it's okay to close this bug

Status: NEW → RESOLVED

Closed: 5 years ago

Resolution: --- → WONTFIX

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Web Console on chrome: URLs allows input even if devtools.chrome.enabled is false

Categories

(DevTools :: Console, defect)

Tracking

(Not tracked)

People

(Reporter: emk, Unassigned)

References

(Blocks 1 open bug)

Details

Crash Data

Security

(public)

User Story

Description

Updated

Comment 1