Closed Bug 1139245 Opened 10 years ago Closed 6 years ago

Web Console on chrome: URLs allows input even if devtools.chrome.enabled is false

Categories: DevTools :: Console
Type: defect
Priority: Not set
Severity: normal

Tracking: Not tracked
Status: RESOLVED WONTFIX

People

(Reporter: emk, Unassigned)

References

(Blocks 1 open bug)

Details

Steps to reproduce:
1. Make sure devtools.chrome.enabled is false.
2. Open about:newtab (or about:config or any other chrome-privileged page).
3. Press Ctrl+Shift+K to open the Web Console on the page.

Actual result: The Web Console has an input field.

Expected result: The Web Console on chrome-privileged pages should have no input field unless devtools.chrome.enabled is true, just like the Browser Console (bug 922161).

Attackers can instruct users to type the "secret command" "Ctrl+T Ctrl+Shift+K blah-blah-blah" to pwn the browser via self-XSS. It looks like this attack scenario was already pointed out in bug 922161 comment #23, but it was somehow ignored. If this is by design, feel free to WONTFIX this. It is very good for me :)
Product: Firefox → DevTools

We have a self-XSS protection mechanism, so I think it's okay to close this bug.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX