Recently, Facebook tested out a system where they tweaked exposed Chrome browser API variables so that the console would be disabled[1], with an opt out. Netflix seems to be doing this too now, with no opt out (and no way of fixing it except at the code level) I filed a Chromium bug[2] to get this fixed, however I do see the need for websites to be able to prevent "self xss" from naive users. This comment on the Chromium bug makes sense to me: > Make a browser-level flag a site owner can turn on, but that the developer can always turn off (persistently) if they want to (with an appropriate warning). Why not work together and expose a method that locks up the browser console, however have a way for devs to turn it off (with suitable warnings, of course)? [1]: http://stackoverflow.com/questions/21692646/how-does-facebook-disable-browsers-integrated-developer-tools [2]: https://code.google.com/p/chromium/issues/detail?id=345205

Our plan is to do roughly this using CSP to declare self-xss protection and a pref to prevent it.