Closed Bug 1043980 Opened 10 years ago Closed 10 years ago

Disable self-XSS warning in Browser Toolbox

Categories

(DevTools :: Console, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: jryans, Unassigned)

Details

I'd like to disable the self-XSS prompt ("Scam Warning") when you are in the Browser Toolbox.

I suppose someone would argue scammers will then target the Browser Toolbox, however...  Joe, what do you think?
Flags: needinfo?(jwalker)
> I suppose someone would argue scammers will then target the Browser Toolbox

They certainly will - the browser toolbox does chrome JS and it's available from a keystroke, both of which make it a ripe target for self-xss.

However, we've disabled the JS prompt unless the chrome devtools pref is set AND if you've set the chrome devtools pref, then self-xss warnings *should* be automatically disabled. So I *think* there is nothing that needs doing here.

Is that not what you see?
Flags: needinfo?(jwalker)
(In reply to Joe Walker [:jwalker] from comment #1)
> > I suppose someone would argue scammers will then target the Browser Toolbox
> 
> They certainly will - the browser toolbox does chrome JS and it's available
> from a keystroke, both of which make it a ripe target for self-xss.
> 
> However, we've disabled the JS prompt unless the chrome devtools pref is set
> AND if you've set the chrome devtools pref, then self-xss warnings *should*
> be automatically disabled. So I *think* there is nothing that needs doing
> here.
> 
> Is that not what you see?

Interesting, I did not realize the part about the chrome pref.  The issue is that the Browser Toolbox starts up from a different profile (typically named "default-chrome-debugger"), which has not been configured with any prefs you might have been setting in your normal one.  

So, you can indeed visit the toolbox options of the Browser Toolbox and flip chrome debugging on to disable the scam prompt...  I just wouldn't have guessed that would do it until our conversation here.  It's less obvious for the Browser Toolbox than, say, the Browser Console, since the Browser Console's input disappears if you have not set the pref.

I could certainly set the pref by default for the profile of the Browser Toolbox, but then I would have disabled the scam warning by default.  I guess the best path is to just wait for the scam warning to be disabled in Nightly in bug 1015314, which is what I imagine many users of the Browser Toolbox work with anyway.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
Product: Firefox → DevTools