Closed Bug 894380 Opened 11 years ago Closed 11 years ago

Drop chrome privileges in Browser Console unless devtools.chrome.enabled is true (not default)

Categories

(DevTools :: Console, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 922161

People

(Reporter: freddy, Unassigned)

Details

Given the amount of work we did to avoid people shooting themselves in the foot by copy&pasting JavaScript and data URIs into the address bar, we might want to prevent people doing the same with the Error Console (soon to be named Browser Console?).

This could reduce the damage done from pasting evil code into the console from "command execution" down to site-agnostic XSS.

What do people think?

I know that some add-on developers prefer this to do minimal testing of chrome privileged scripts, but it would be much better if people used the devtools (i.e. scratchpad with chrome privileges).
It would probably make much more sense to use a separate profile for developing than for browsing too.

Error Console and Browser Console are two different items. Error Console is a toolkit component used by other applications like SeaMonkey, Firefox, etc. Please don't change this without input from stakeholders like SeaMonkey, Thunderbird communities.

Browser Console is from Firefox Developer Tools so I'll move this to the correct bugzilla component.

Component: Error Console → Developer Tools: Console
Product: Toolkit → Firefox
Version: unspecified → Trunk

(In reply to Frederik Braun [:freddyb] from comment #0)
> Given the amount of work we did to avoid people shooting themselves in the
> foot by copy&pasting JavaScript and data URIs into the address bar, we might
> want to prevent people doing the same with the Error Console (soon to be
> named Browser Console?).
> 
> This could reduce the damage done from pasting evil code into the console
> from "command execution" down to site-agnostic XSS.
> 
> What do people think?

It's a developer tool and provides the same capabilities as the Error Console wrt running Chrome Code. Disabling it behind a pref is annoying to people who want to use it. Especially if it's not obvious how to find what the pref to enable it is.

> I know that some add-on developers prefer this to do minimal testing of
> chrome privileged scripts, but it would be much better if people used the
> devtools (i.e. scratchpad with chrome privileges).

That's not really clear. Some people prefer a more-linear, console-like interface for entering code.

> It would probably make much more sense to use a separate profile for
> developing than for browsing too.

There are excellent cases for developing with a real profile with real data.

We are however considering implementing a Nightly / Developer version with a separate profile to run alongside a released version.

See bug 895030 for details to that.

Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE

Marking as duplicate of 922161 because we felt that this was a preferable solution to changing the scope of the browser console.

Product: Firefox → DevTools