Steps to reproduce:
1. Make sure devtools.chrome.enabled is false.
2. Open about:newtab (or about:config or any other chrome-privileged page).
3. Press Ctrl+Shift+K to open Web Console on the page.

Actual result:
Web Console has an input field.

Expected result:
Web Console on chrome-privileged pages should have no input field unless devtools.chrome.enabled is true, just like Browser Console (bug 922161).

Attackers can instruct users to type the secret command "Ctrl+T Ctrl+Shift+K blah-blah-blah" to pwn the browser using the self-XSS. Looks like this attack scenario is already pointed out in bug 922161 comment #23, but it was ignored somehow.

If this is by design, feel free to WONTFIX this. It is very good for me :)