12
I would like to know how to block the user from running scripts through the browser console.
13
It’s not possible. The page is subject to the browser, and the JavaScript console is not something you can really control; it’s an extra. It would be like preventing them from viewing your HTML or creating a .txt file that couldn’t be edited: it doesn’t make sense.
The user is completely free to edit anything on your page. Any code can be changed and any validation done purely in JS can be circumvented. This is why the server should never trust anything coming from the client.
By way of comparison, you can’t even protect variables, since the user, having tools for this and knowing how to use them, completely pauses the execution of the code and accesses them. However, if you want to prevent extensions from accessing script data, that is possible.
+1 The best that can be done is not to use global variables, remove references that may be left in the objects of DOM elements, in short encapsulate the code well and keep the contexts hidden, and apply minification to make debugging the code harder. No solution prevents it, but it deters less experienced code manipulation.
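The two points made above (keep client state out of globals, and have the server re-validate everything instead of trusting the client) put together as an added example. This is not code from the answer or from any project; the cart, the price table and all names are constructed for illustration.

```javascript
// Added example (not from the original answers): a client-side check that a
// user with the devtools console can bypass, beside the server-side check
// that does not care whether it was bypassed. PRICE_TABLE, MAX_QTY and all
// function names are constructed for this example.

// Server-side source of truth: price per product id, in cents (constructed).
const PRICE_TABLE = { sku_1: 1999, sku_2: 499 };
const MAX_QTY = 10;

// Browser side. As the comment above advises, state lives in a closure
// instead of on window, so there is no global to poke at from the console.
function createCart() {
  const items = new Map(); // private to this closure

  return {
    add(sku, qty) {
      if (!Object.hasOwn(PRICE_TABLE, sku)) throw new Error("unknown product");
      if (!Number.isInteger(qty) || qty < 1 || qty > MAX_QTY) {
        throw new Error("bad quantity");
      }
      items.set(sku, (items.get(sku) || 0) + qty);
    },
    // The JSON the browser sends. Anyone with the console (or curl) can send
    // this shape with any values, so nothing below is trusted by the server.
    toRequestBody() {
      return { items: [...items].map(([sku, qty]) => ({ sku, qty })) };
    },
  };
}

// Server side: re-validates every field and recomputes the total from
// PRICE_TABLE. The client is never asked for a price or a total.
function handleCheckout(body) {
  if (!body || !Array.isArray(body.items) || body.items.length === 0) {
    return { ok: false, error: "items required" };
  }
  let total = 0;
  for (const item of body.items) {
    if (typeof item !== "object" || item === null) {
      return { ok: false, error: "bad item" };
    }
    const { sku, qty } = item;
    // hasOwn, not `in`: "toString" must not resolve to Object.prototype
    if (typeof sku !== "string" || !Object.hasOwn(PRICE_TABLE, sku)) {
      return { ok: false, error: "unknown product" };
    }
    if (!Number.isInteger(qty) || qty < 1 || qty > MAX_QTY) {
      return { ok: false, error: "bad quantity" };
    }
    total += PRICE_TABLE[sku] * qty;
  }
  return { ok: true, total };
}

module.exports = { createCart, handleCheckout, PRICE_TABLE, MAX_QTY };
```

The client-side `add` check only improves the experience for honest users; the only check that counts is the one in `handleCheckout`, which rejects a body with a negative quantity, an unknown product or a client-supplied total no matter what the page's own script would have allowed.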
8
Edit: This code no longer works on Google Chrome.
In fact, it is possible to block the Google Chrome console just as Facebook is doing, with the following code:
    var _z = console;
    Object.defineProperty(window, 'console', {
        get: function () {
            // _commandLineAPI was only present when the getter ran from the
            // devtools console, so page scripts kept working while console
            // input was refused (no longer the case; see the edit above).
            if (_z._commandLineAPI) {
                throw new Error('console bloqueado');
            }
            return _z;
        },
        set: function (val) {
            _z = val;
        }
    });
Open the Chrome console on your Facebook page and see for yourself (it doesn’t appear for all users).
I have the impression that that doesn’t work: first, in my own experience, because I’ve done a lot with it (making bookmarklets, for example); second, some console functions are not exposed on the Window but are added when executing the command. Security against setInterval
Facebook can still be easily circumvented. In fact, this is another warning against scamming and abuse of some functions.
Test it yourself. The console doesn’t work. But you can use a bookmarklet or inject script through the address bar.
Facebook is only blocking the console for some users at random. That message appears as soon as you open the console. See: https://www.facebook.com/selfxss
I take it back, this effect seems to be random, not just working in some cases. In fact it seems to be easily manageable by developers, as in the example of setInterval, but not by common users.
It is easily manageable: click on <page context> and change the context to some extension, then change the script as if it were an extension. This prevents almost no scammer.
You don’t normally have access to Window to an extent, but there is an alternative: http://stackoverflow.com/a/1638855/1850091
1. change context to an extension; 2. localStorage.consoleEnabled='opt';location.reload();
The console will be activated.
I believe this is just a pebble in the way of some novice users of the console, but most who open the console do so because they know what they are doing and would easily know how to circumvent this solution, so I agree with @Guilhermebernal’s reply.
Cool answer there on SO: "I am a security engineer on Facebook and this is my fault..."
2
Sorry folks, but as for the reply about Facebook disabling the console and only displaying that message: that doesn’t hold up.
What Facebook does is simply display a warning for the user not to use the console, and for this purpose it displays the message using the console object in JavaScript. I do this in my projects to create a signature that is displayed on the console. See what I do in the main site JavaScript:
    // declared with var so they do not become implicit globals
    var style = "color:blue;font-size:1.1em;";
    var style2 = "color:green; font-weight:bold;font-size:1.1em;";
    // %c applies the CSS passed as the next argument to the rest of the line
    console.groupCollapsed("Creditos do desenvolvedor:");
    console.info("%c-------------------------------------------------------------", style);
    console.info("%cEste é mais um site desenvolvido pela...", style2);
    console.info("%chttp://www.site.com.br", style);
    console.info("%cTodos os direitos reservados © 2017", style);
    console.info("%c-------------------------------------------------------------", style);
    console.info("");
    console.groupEnd();
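The same idea as an added example (not the answer’s own code): the styled notice is built as data first, so it can be checked without a browser, and the printing is separated from the content so a fake console can be passed in. The site name, URL, year and the warning wording are placeholders; the warning line is the kind of notice the answer describes Facebook showing, telling users not to paste things into the console.

```javascript
// Added example, not code from the answer. NOTICE_STYLE, buildConsoleNotice
// and showConsoleNotice are names chosen here; siteName, url and year are
// placeholders supplied by the caller.
const NOTICE_STYLE = "color:blue;font-size:1.1em;";
const NOTICE_STYLE_BOLD = "color:green;font-weight:bold;font-size:1.1em;";

// Returns the notice as [format, style] pairs. In browsers, %c applies the
// CSS given as the next argument to the rest of the line; Node accepts %c
// and simply drops the CSS, so the same strings work in both.
function buildConsoleNotice({ siteName, url, year }) {
  const rule = "-".repeat(61);
  return [
    [`%c${rule}`, NOTICE_STYLE],
    [`%cThis is one more site developed by ${siteName}`, NOTICE_STYLE_BOLD],
    [`%c${url}`, NOTICE_STYLE],
    [`%cAll rights reserved © ${year}`, NOTICE_STYLE],
    // The warning part: a user pasting code here on someone's instructions
    // is handing that someone control of their session.
    ["%cIf someone told you to paste something here, it is probably an attempt to take over your account.", NOTICE_STYLE_BOLD],
    [`%c${rule}`, NOTICE_STYLE],
  ];
}

// Prints the notice inside a collapsed group. `out` defaults to the real
// console; a stand-in object with the same three methods works for tests.
// Returns the number of lines printed.
function showConsoleNotice(opts, out = console) {
  const lines = buildConsoleNotice(opts);
  out.groupCollapsed("Developer credits:");
  for (const [fmt, style] of lines) out.info(fmt, style);
  out.groupEnd();
  return lines.length;
}

module.exports = { buildConsoleNotice, showConsoleNotice, NOTICE_STYLE, NOTICE_STYLE_BOLD };
```

Calling `showConsoleNotice({ siteName: "Example Co", url: "https://example.invalid", year: 2017 })` from a page script prints the group the moment devtools is opened, which is all the "blocking" on the page amounts to: a message, not a control.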
What is the purpose of blocking console usage? (or devtools)
– Guilherme Bernal