Open Bug 971597 (dev-self-xss) Opened 10 years ago Updated 2 years ago

[meta] Prevent "Self-XSS" attacks that involve developer tools

Categories

(DevTools :: General, defect)

defect

Tracking

(Not tracked)

People

(Reporter: jruderman, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: meta)

No description provided.
Blocks: self-xss
Alias: dev-self-xss
I was too optimistic in the last paragraph of bug 527530 comment 57. Scammers on Facebook are now asking users to paste malicious JavaScript into the developer console. This leads to hilarity like:

* https://www.facebook.com/selfxss
  * Allow my account to be hijacked if I paste malicious JavaScript

* Facebook taking advantage of a bug (?) in Google Chrome to disable the console
  * http://stackoverflow.com/questions/21692646/how-does-facebook-disable-developer-tools
Depends on: 971613
I'm not sure that fixing bug 934497 would do anything significant to solve this problem. The majority of users wouldn't disable developer tools, and we're not going to disable developer tools by default. Feel free to re-add if I'm missing something.
No longer depends on: 971613
Bug 953166 could help prevent this sort of thing.
Depends on: 922161
Removed the wrong bug earlier. Bug 934497 isn't important to this problem.
No longer depends on: 934497
Depends on: devtools-first-run
Depends on: 973531
No longer depends on: 973531
For reference for anyone reading this thread, here's the parallel Chrome bug: https://code.google.com/p/chromium/issues/detail?id=345205
Depends on: 994134
Depends on: 1028903
Depends on: 1139245
Product: Firefox → DevTools

Unassigning because it is unlikely Jesse will work on this. Leaving it open because it is a meta-bug with open bugs blocking it.

Assignee: jruderman → nobody
Severity: normal → S3