As a security precaution, we have turned on the setting "Require API key authentication for API requests" for everyone. If this has broken something, please contact bugzilla-admin@mozilla.org
Last Comment Bug 1296870 - console.clear makes the Browser Console unusable
: console.clear makes the Browser Console unusable
Status: VERIFIED FIXED
:
Product: Firefox
Classification: Client Software
Component: Developer Tools: Console (show other bugs)
: 48 Branch
: All All
: P1 normal with 1 vote (vote)
: Firefox 51
Assigned To: Julian Descottes [:jdescottes]
:
: (Unavailable until Apr 3) [:bgrins]
Mentors:
Depends on: 659625
Blocks:
  Show dependency treegraph
 
Reported: 2016-08-20 09:50 PDT by Andreas Jung
Modified: 2017-01-09 02:14 PST (History)
5 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
verified

MozReview Requests
Submitter Diff Changes Open Issues Last Updated
Loading...
Error loading review requests:
Show discarded requests

Attachments
Easy repro case in HTML (354 bytes, text/html)
2016-08-22 10:38 PDT, BoffinbraiN
no flags Details
Bug 1296870 - Rename browser_console clear test to browser_webconsole; (58 bytes, text/x-review-board-request)
2016-08-22 14:57 PDT, Julian Descottes [:jdescottes]
bgrinstead: review+
Details | Review
Bug 1296870 - Do not clear output of BrowserConsole when receiving console.clear(); (58 bytes, text/x-review-board-request)
2016-08-22 14:57 PDT, Julian Descottes [:jdescottes]
bgrinstead: review+
Details | Review

Description User image Andreas Jung 2016-08-20 09:50:17 PDT
If console.clear is called in a loop (and I've seen ad-iframes do this) the browser console becomes completely unusable as everything from logs to errors to security messages disappears immediately.

The worst part is there is no way to find out which tab / iframe even caused this.

I think console.clear should only clear the web console and leave the browser console untouched.
Comment 1 User image BoffinbraiN 2016-08-22 10:38:40 PDT
Created attachment 8783632 [details]
Easy repro case in HTML

As expected, ruining a developer's day is as easy as writing a single line of code:

>  window.setInterval(console.clear, 10);

Given that this technique can be used to suppress security warnings and security errors, I wonder if it could be classified as a security vulnerability?

I really wish the devs would consider the consequences of letting page authors tamper with the browser before adding more 'features' like this in future.

For possible solutions, please see my previous comment on the parent bug: https://bugzilla.mozilla.org/show_bug.cgi?id=659625#c68
Comment 2 User image (Unavailable until Apr 3) [:bgrins] 2016-08-22 11:02:02 PDT
(In reply to Andreas Jung from comment #0)
> If console.clear is called in a loop (and I've seen ad-iframes do this) the
> browser console becomes completely unusable as everything from logs to
> errors to security messages disappears immediately.
> 
> The worst part is there is no way to find out which tab / iframe even caused
> this.
> 
> I think console.clear should only clear the web console and leave the
> browser console untouched.

I agree that we should make console.clear have to effect on the Browser Console
Comment 3 User image (Unavailable until Apr 3) [:bgrins] 2016-08-22 11:05:04 PDT
Typo: 'have to' -> 'have no'
Comment 4 User image Julian Descottes [:jdescottes] 2016-08-22 14:57:21 PDT Comment hidden (mozreview-request)
Comment 5 User image Julian Descottes [:jdescottes] 2016-08-22 14:57:21 PDT Comment hidden (mozreview-request)
Comment 6 User image (Unavailable until Apr 3) [:bgrins] 2016-08-22 15:50:40 PDT
Comment on attachment 8783711 [details]
Bug 1296870 - Rename browser_console clear test to browser_webconsole;

https://reviewboard.mozilla.org/r/73408/#review71232
Comment 7 User image (Unavailable until Apr 3) [:bgrins] 2016-08-22 16:01:32 PDT
Comment on attachment 8783712 [details]
Bug 1296870 - Do not clear output of BrowserConsole when receiving console.clear();

https://reviewboard.mozilla.org/r/73410/#review71234

::: devtools/client/webconsole/webconsole.js:2170
(Diff revision 1)
>      let isRepeated = this._filterRepeatedMessage(node);
>  
>      // If a clear message is processed while the webconsole is opened, the UI
>      // should be cleared.
> -    if (message && message.level == "clear") {
> +    // Do not clear the output if the current frame is owned by a Browser Console.
> +    if (message && message.level == "clear" && !this.owner.isBrowserConsole()) {

`this.owner._browserConsole` is used throughout this file.  I think it'd be nicer if we set a value on the WebConsoleFrame in the constructor that reaches up to `this.owner._browserConsole`.

So inside WebConsoleFrame constructor:

`this.isBrowserConsole = this.owner._browserConsole`

Then replace anything that's referencing `*.owner._browserConsole` in this file and jsterm.js with `*.isBrowserConsole`.  I don't think the new function in hudservice is necessary since the only callers are here and jsterm.js (and would be reduced down to just one place in this plan).
Comment 8 User image Julian Descottes [:jdescottes] 2016-08-23 01:51:22 PDT Comment hidden (mozreview-request)
Comment 9 User image Julian Descottes [:jdescottes] 2016-08-23 01:51:58 PDT
Thanks for the reviews! Applied your comments and pushed to try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=dc9e4067e011
Comment 10 User image (Unavailable until Apr 3) [:bgrins] 2016-08-23 08:04:12 PDT
Comment on attachment 8783712 [details]
Bug 1296870 - Do not clear output of BrowserConsole when receiving console.clear();

https://reviewboard.mozilla.org/r/73410/#review71424

Works for me, thanks!
Comment 11 User image Pulsebot 2016-08-23 08:09:45 PDT
Pushed by jdescottes@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/37020799f784
Rename browser_console clear test to browser_webconsole;r=bgrins
https://hg.mozilla.org/integration/autoland/rev/0c21a0e9bca2
Do not clear output of BrowserConsole when receiving console.clear();r=bgrins
Comment 13 User image Tanvir Rahman 2017-01-07 08:24:29 PST
I have reproduced this bug with Nightly 51.0a1 (2016-08-20) on Windows 10, 64 bit!

The Bug's fix is now verified on Latest Beta 51.0b12

Build ID 	20170105155013
User Agent 	Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0

[testday-20170106]
Comment 14 User image Bogdan Maris, QA [:bogdan_maris] 2017-01-09 02:14:56 PST
(In reply to Tanvir Rahman from comment #13)
> I have reproduced this bug with Nightly 51.0a1 (2016-08-20) on Windows 10,
> 64 bit!
> 
> The Bug's fix is now verified on Latest Beta 51.0b12
> 
> Build ID 	20170105155013
> User Agent 	Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101
> Firefox/51.0
> 
> [testday-20170106]

Thanks for verifying!

Note You need to log in before you can comment on or make changes to this bug.