Console.clear should not clear the console if "Enable persistent logs" is ON
Categories
(DevTools :: Console, enhancement, P3)
Tracking
(firefox49 wontfix, firefox117 fixed)
People
(Reporter: jdescottes, Assigned: nchevobbe)
References
(Blocks 1 open bug)
Details
(Keywords: sec-want, Whiteboard: [adv-main117-])
Attachments
(3 files, 1 obsolete file)
Reporter | ||
Comment 1•9 years ago
|
||
Reporter | ||
Comment 3•9 years ago
|
||
Comment 4•9 years ago
|
||
Comment 5•9 years ago
|
||
Comment 6•9 years ago
|
||
Updated•9 years ago
|
Updated•6 years ago
|
Comment 7•3 years ago
|
||
I'm adding this to the devtools-webcompat-team metabug, because while diagnosing, I just ran into a site that calls console.clear()
repeatedly, making it almost impossible to see what's going on. That being said, this probably should have a very low probability. Sites like this only surface once per quarter or less, and if that happens, proxying the offending JavaScript file and commenting out the clear instruction only takes an additional 15mins or so. So it's somewhat infuriating, but working around doesn't take too much time at all.
I tested this simple HTML file containing just this code (below) using the current version of Firefox (103.0.2 (64-bit)) and discovered that it ignores the “persist logs” not only on the per-tab console log, but also the browser console.
<script>
console.clear()
</script>
According to this PDF file on page 5 on the PDF reader (2938 on the page), it is one of the malicious page developer's method to evade debugging, by calling code repeatedly/constantly. As stated on the MDN docs, that console.clear should only be able to clear the console log if the environment allows it. Google chrome's “Preserve Log” does prevent the log from being cleared, and it will say this:
console.clear() was prevented due to 'Preserve log'
I'm pretty sure browsers shouldn't acts in ways against the user will, as browsers are a user agent, not a site agent. Which is why sites using quote on quote “DRM” (disabling context menu, select, shortcut keys) cannot disable or affect the browser's toolbar, menu bar, or any of its widgets. Because if sites can do that, than so can malicious sites, such as tech support scams and any other sites attempting to browlock your browser.
I have issues logging into a site. Not compatible with Firefox? I open devtools to see if there are errors. There are, but it gets cleared in one second. The page is constantly calling console.clear()
to prevent me seeing those errors.
Updated•2 years ago
|
Comment 10•1 year ago
|
||
What are the non-abusive scenarios for using console.clear()
? If someone is debugging they can clear the console manually whenever it's convenient, and if they're iterating on some code and want an easy way to find when the interesting bits start there are all sorts of console ways to make that easy to find. I'd go so far as to say we should ignore console.clear()
by default and make it a feature people can turn on if they want.
I have no strong opinion if overloading "Persist logs" should be the mechanism to control this feature, but I feel very strongly that we need a way to check the widespread abuse of this feature. I'd prefer an independent toggle, but if devs used to working with Chrome expect them to be tied I can live with that.
proxying the offending JavaScript file and commenting out the clear instruction only takes an additional 15mins or so. So it's somewhat infuriating, but working around doesn't take too much time at all.
... assuming the code isn't obfuscated/packed, as malicious code often is
... switching to Chrome takes even less time than that, and easier to think of doing when you're "infuriated". Hope they come back
Assignee | ||
Comment 11•1 year ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #10)
What are the non-abusive scenarios for using
console.clear()
? If someone is debugging they can clear the console manually whenever it's convenient, and if they're iterating on some code and want an easy way to find when the interesting bits start there are all sorts of console ways to make that easy to find.
I used it in the past at the beginning of an action for which I was then adding lots of logs (so for example, on a button click), so I would get a clean state in the output, with only logs related to the last action I did, without reaching for the clear button first. Not a massive time saver, but it does feel a bit less cumbersome than clicking buttons in the console UI
I'd go so far as to say we should ignore
console.clear()
by default and make it a feature people can turn on if they want.
Here's the spec for console.clear
: https://console.spec.whatwg.org/#clear
It does say that the output should be cleared if the environment allows it (which we do), so I wouldn't make it the default to not clear it.
I have no strong opinion if overloading "Persist logs" should be the mechanism to control this feature, but I feel very strongly that we need a way to check the widespread abuse of this feature. I'd prefer an independent toggle, but if devs used to working with Chrome expect them to be tied I can live with that.
I'm okay with this behavior, and I think this can be done quite easily
Reporter | ||
Comment 12•1 year ago
•
|
||
I retested on Chrome, and I can still see the same behavior. It seems intentional since they display the following message afterwards:
console.clear() was prevented due to 'Preserve log'
(edit: it's also on their doc: https://developer.chrome.com/docs/devtools/console/api/#clear )
FWIW, Safari does not implement this, and logs are cleared regardless of the Preserve log setting.
And overall I agree binding the 2 features seems a bit random.
I think the main use case for console.clear()
is to use it from the DevTools console, not from a script in the page. It would be nice to keep this working by default. Developers are used to this feature, and even if there is a button we should try to maintain parity in terms of console commands.
Maybe we could disable console.clear() calls coming from the page by default? I'm not sure how easy it would be to differentiate the two, but I think legitimate use cases for a console.clear() from the page are quite rare.
Or even simpler, we just have a toggle to disable it, but whenever someone tries to use console.clear() from the console itself we give them an easy way to turn it on?
Assignee | ||
Comment 13•1 year ago
|
||
This is a very naive solution, simply ignoring console.clear
messages when the preference is true.
Updated•1 year ago
|
Comment 14•1 year ago
|
||
Comment 15•1 year ago
|
||
bugherder |
Updated•1 year ago
|
Updated•1 year ago
|
Description
•