Bug 971597 (dev-self-xss)

[meta] Prevent "Self-XSS" attacks that involve developer tools

Status: NEW

Firefox
Developer Tools
3 years ago
2 years ago

People

(Reporter: Jesse Ruderman, Assigned: Jesse Ruderman)

Tracking

(Depends on: 4 bugs, Blocks: 1 bug, {meta})

Trunk
(Assignee)

Updated

3 years ago
Blocks: 971598
(Assignee)

Updated

3 years ago
Alias: dev-self-xss
(Assignee)

Comment 1

3 years ago
I was too optimistic in the last paragraph of bug 527530 comment 57. Scammers on Facebook are now asking users to paste malicious JavaScript into the developer console. This leads to hilarity like:

* https://www.facebook.com/selfxss
  * Allow my account to be hijacked if I paste malicious JavaScript

* Facebook taking advantage of a bug (?) in Google Chrome to disable the console
  * http://stackoverflow.com/questions/21692646/how-does-facebook-disable-developer-tools
(Assignee)

Updated

3 years ago
Depends on: 971613
I'm not sure that fixing bug 934497 would do anything significant to solve this problem. The majority of users wouldn't disable developer tools, and we're not going to disable developer tools by default. Feel free to re-add if I'm missing something.
No longer depends on: 971613
Bug 953166 could help prevent this sort of thing.
Depends on: 971613
(Assignee)

Updated

3 years ago
Depends on: 922161
Removed the wrong bug earlier. Bug 934497 isn't important to this problem.
No longer depends on: 934497
(Assignee)

Updated

3 years ago
Depends on: 953166
Depends on: 973531
(Assignee)

Updated

3 years ago
No longer depends on: 973531
Duplicate of this bug: 980467

Comment 6

3 years ago
For reference for anyone reading this thread, here's the parallel Chrome bug: https://code.google.com/p/chromium/issues/detail?id=345205
Depends on: 994134
(Assignee)

Updated

3 years ago
Depends on: 1028903
(Assignee)

Updated

3 years ago
Depends on: 1117744
Depends on: 1139245