Open Bug 1442333 Opened 6 years ago Updated 6 months ago

console.clear() should only clear messages from the same context

Categories

(DevTools :: Console, defect, P3)

Tracking

(Not tracked)

People

(Reporter: miker, Unassigned)


STR:

1. Open the Web Console.
2. Open the Browser Console.
3. Ensure there is something displayed in each console.
4. In the web console enter `console.clear()` and press [enter].

Both consoles are cleared, but only the web console should be cleared.
What should be done here is to only clear the browser console if the console.clear message doesn't come from a content page.
I guess this could be easy to do after Bug 1260877 is done, since it will give us a property on the packet for us to know if a message is chrome or not.
Depends on: 1260877
Product: Firefox → DevTools
Whiteboard: dt-fission-m2-reserve
Summary: console.clear() from the web console clears the browser console → console.clear() should only clear messages from the same context
Priority: P2 → P3

Tracking dt-fission-m2-mvp bugs for Fission Nightly (M6)

Fission Milestone: --- → M6

dt-fission-m2-reserve bugs do not need to block Fission Nightly (M6). For now, let's track them for Fission riding the trains to Beta (M7) so we revisit these bugs before we ship Fission.

Fission Milestone: M6 → M7

Bulk move of all dt-fission-m2-reserve bugs to Fission MVP milestone.

Fission Milestone: M7 → MVP

That's an issue we have regardless of Fission status, but the work we did for Fission might help us fix it.
Moving out of Fission scope.

Fission Milestone: MVP → ---
Whiteboard: dt-fission-m2-reserve
Severity: normal → S3

With Fission, console.clear() only clears that one page's context plus the Browser Console when in "Multiprocess" mode. Other web consoles—even for the same origin and in the same process—don't get cleared. The Browser Console in "Parent process only" mode also doesn't get cleared.

It would be nice if it didn't do that because console.clear() is abused for obfuscation, and it can be a PITA to figure out what open tab is doing it if your browser console keeps getting cleared.

From Matrix (https://chat.mozilla.org/#/room/#security:mozilla.org):

sphertext
(as advised, reposted from Mozilla General) hey guys. the other day I came across a hyper-hostile website, using some complicated javascript obfuscation techniques. among those techniques (fascinating overall, but tangential), two in particular stood out as actual browser vulnerabilities. the first is related to the bug report here [1]. I won't insist on it, because the bug report is already 4 years old. the second consists of executing rapidly and repeatedly console.clear() statements. even tho both techniques are just the tip of the iceberg in this situation, they still are, on their own, very effective at preventing debugging attempts. but I wanted to bring attention to the second one for an additional reason. in the context of Firefox, this has the added effect of clearing out the separate "Multiprocess Browser Console". that gives one particular page the power to clear out the shared console for all other processes. so if one Firefox extension is activated in a separate process/page and tries to print some important information to it (for example, Tridactyl can do that), it will be impossible to view it, unless the hostile page is halted/closed first. I'm really surprised that this is happening. would you agree that console statements in a served script should not be executed by default, especially since the Browser Console is being shared between processes?
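
Added example (not part of this bug's comments and not Firefox DevTools code): a minimal model of a shared console store that applies the behaviour requested in this bug, where a clear from a content context removes only that context's messages, and that counts clear requests per context so the tab calling console.clear() repeatedly can be identified. The packet shape (`contextId`, `isChrome`, `type`, `text`) and every name below are assumptions made for illustration.

```javascript
// Added illustration. The packet shape ({ contextId, isChrome, type, text })
// and all names are assumptions, not Firefox DevTools code.
class SharedConsoleStore {
  constructor() {
    this.messages = [];           // log packets retained from every context
    this.clearCounts = new Map(); // contextId -> clear requests seen
  }

  receive(packet) {
    if (packet.type !== "clear") {
      this.messages.push(packet);
      return;
    }
    const seen = this.clearCounts.get(packet.contextId) || 0;
    this.clearCounts.set(packet.contextId, seen + 1);
    if (packet.isChrome) {
      // Privileged (chrome) caller: clearing the shared view is allowed.
      this.messages = [];
    } else {
      // Content page: drop only the messages that came from that context.
      this.messages = this.messages.filter(
        (m) => m.contextId !== packet.contextId
      );
    }
  }

  // Contexts that asked for a clear at least `threshold` times, to show
  // which tab keeps calling console.clear().
  frequentClearers(threshold) {
    return [...this.clearCounts]
      .filter(([, count]) => count >= threshold)
      .map(([contextId]) => contextId)
      .sort();
  }
}

// Constructed sample traffic: one extension, two tabs, tab-B clears in a loop.
function demo() {
  const store = new SharedConsoleStore();
  store.receive({ contextId: "extension-1", isChrome: true, type: "log", text: "extension diagnostic" });
  store.receive({ contextId: "tab-A", isChrome: false, type: "log", text: "page A log" });
  store.receive({ contextId: "tab-B", isChrome: false, type: "log", text: "page B log" });
  for (let i = 0; i < 5; i++) {
    store.receive({ contextId: "tab-B", isChrome: false, type: "clear" });
  }
  return {
    remaining: store.messages.map((m) => m.text),
    clearers: store.frequentClearers(3),
  };
}
```

In the constructed run, the extension's and tab-A's messages survive tab-B's repeated clears, and tab-B is the only context reported by `frequentClearers(3)`.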