Disable self-XSS warning in Browser Toolbox

RESOLVED WONTFIX

Status

Firefox
Developer Tools: Console
RESOLVED WONTFIX
4 years ago
4 years ago

People

(Reporter: jryans, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

I'd like to disable the self-XSS prompt ("Scam Warning") when you are in the Browser Toolbox.

I suppose someone would argue scammers will then target the Browser Toolbox, however...  Joe, what do you think?
(Reporter)

Updated

4 years ago
Flags: needinfo?(jwalker)
> I suppose someone would argue scammers will then target the Browser Toolbox

They certainly will - the browser toolbox does chrome JS and it's available from a keystroke, both of which make it a ripe target for self-xss.

However, we've disabled the JS prompt unless the chrome devtools pref is set AND if you've set the chrome devtools pref, then self-xss warnings *should* be automatically disabled. So I *think* there is nothing that needs doing here.

Is that not what you see?
Flags: needinfo?(jwalker)
(Reporter)

Comment 2

4 years ago
(In reply to Joe Walker [:jwalker] from comment #1)
> > I suppose someone would argue scammers will then target the Browser Toolbox
> 
> They certainly will - the browser toolbox does chrome JS and it's available
> from a keystroke, both of which make it a ripe target for self-xss.
> 
> However, we've disabled the JS prompt unless the chrome devtools pref is set
> AND if you've set the chrome devtools pref, then self-xss warnings *should*
> be automatically disabled. So I *think* there is nothing that needs doing
> here.
> 
> Is that not what you see?

Interesting, I did not realize the part about the chrome pref.  The issue is that the Browser Toolbox starts up from a different profile (typically named "default-chrome-debugger"), which has not been configured with any prefs you might have been setting in your normal one.  

So, you can indeed visit the toolbox options of the Browser Toolbox and flip chrome debugging on to disable the scam prompt...  I just wouldn't have guessed that would do it until our conversation here.  It's less obvious for the Browser Toolbox than, say, the Browser Console, since the Browser Console's input disappears if you have not set the pref.

I could certainly set the pref by default for the profile of the Browser Toolbox, but then I would have disabled the scam warning by default.  I guess the best path is to just wait for the scam warning to be disabled in Nightly in bug 1015314, which is what I imagine many users of the Browser Toolbox work with anyway.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → WONTFIX