Bug 971597 (dev-self-xss)

[meta] Prevent "Self-XSS" attacks that involve developer tools

NEW
Unassigned

Status

defect
5 years ago
4 months ago

People

(Reporter: jruderman, Unassigned)

Tracking

(Depends on 3 bugs, Blocks 1 bug, {meta})

Trunk

Firefox Tracking Flags

(Not tracked)

Details

Reporter

Description

5 years ago
No description provided.
Reporter

Updated

5 years ago
Blocks: self-xss
Reporter

Updated

5 years ago
Alias: dev-self-xss
Reporter

Comment 1

5 years ago
I was too optimistic in the last paragraph of bug 527530 comment 57. Scammers on Facebook are now asking users to paste malicious JavaScript into the developer console. This leads to hilarity like:

* https://www.facebook.com/selfxss
  * Allow my account to be hijacked if I paste malicious JavaScript

* Facebook taking advantage of a bug (?) in Google Chrome to disable the console
  * http://stackoverflow.com/questions/21692646/how-does-facebook-disable-developer-tools
Reporter

Updated

5 years ago
Depends on: 971613
I'm not sure that fixing bug 934497 would do anything significant to solve this problem. The majority of users wouldn't disable developer tools, and we're not going to disable developer tools by default. Feel free to re-add if I'm missing something.
No longer depends on: 971613
Bug 953166 could help prevent this sort of thing.
Depends on: 971613
Reporter

Updated

5 years ago
Depends on: 922161
Removed the wrong bug earlier. Bug 934497 isn't important to this problem.
No longer depends on: 934497
Reporter

Updated

5 years ago
Depends on: devtools-first-run
Depends on: 973531
Reporter

Updated

5 years ago
No longer depends on: 973531

Comment 6

5 years ago
For reference for anyone reading this thread, here's the parallel Chrome bug: https://code.google.com/p/chromium/issues/detail?id=345205
Reporter

Updated

5 years ago
Depends on: 1028903
Reporter

Updated

5 years ago
Depends on: 1117744
Depends on: 1139245

Updated

Last year
Product: Firefox → DevTools

Unassigning because it is unlikely Jesse will work on this. Leaving it open because it is a meta-bug with open bugs blocking it.

Assignee: jruderman → nobody