Web Console on chrome: URLs allows input even if devtools.chrome.enabled is false

Status: NEW, Unassigned
DevTools, Console
Opened 3 years ago, updated 12 days ago
Reporter: emk
Blocks: 1 bug

Description

3 years ago
Steps to reproduce:
1. Make sure devtools.chrome.enabled is false.
2. Open about:newtab (or about:config or any other chrome-privileged page).
3. Press Ctrl+Shift+K to open Web Console on the page.

Actual result:
Web Console has an input field.

Expected result:
Web Console on chrome-privileged pages should have no input field unless devtools.chrome.enabled is true, just like Browser Console (bug 922161).

Attackers can instruct users to type the secret command "Ctrl+T Ctrl+Shift+K blah-blah-blah" to pwn the browser using the self-XSS.
Looks like this attack scenario is already pointed out in bug 922161 comment #23, but it was ignored somehow.

If this is by design, feel free to WONTFIX this. It is very good for me :)

Updated

12 days ago
Product: Firefox → DevTools