Netflix disables use of the Chrome developer console

a guest, Mar 5th, 2014
// It appears Netflix is following (Facebook's lead)[].

// Minified snippet from Netflix's page. It replaces window.console with an accessor whose
// getter throws once the captured console object carries `_commandLineAPI`, the property
// Chrome's DevTools of the time attached to `console` when the console panel was opened.
(function() {
    try {
        var $_console$$ = console;
        Object.defineProperty(window, "console", {
            get: function() {
                if ($_console$$._commandLineAPI)
                    throw "Sorry, for security reasons, the script console is deactivated on";
                return $_console$$
            },
            set: function($val$$) {
                $_console$$ = $val$$
            }
        })
    } catch ($ignore$$) {
    }
})();

// I feel like we're seeing the next generation of engineers pursue ideas that were shown to be
// bad by the previous one. First, we'll disable right-click, you know, "for security reasons." And by
// that we mean "so you can't steal our source code or save our images to your disk" (even though you
// can still "View Source" in the browser and download the images in a similar way). Now we'll
// disable the console, you know, "for security reasons."

// Note: the NSA stores your phone conversations (and much more), you know, "for security reasons."
// It's an amazing justification that validates any nefarious behavior. Oh, you'd like to destroy
// my freedoms? Why? "For security reasons." Oh, go right ahead then! Thanks so much for looking
// out for me!

// Google should really patch this. The command line API should be privileged so that third
// parties can't modify how the browser behaves without explicit authorization (i.e. an extension).
// But if you're feeling up to it, you can run the following line via an extension to prevent
// this abuse:

// Object.defineProperty(window, 'console', {configurable: false, value: window.console});

// Crockford has the correct idea when it comes to
// (security in web applications)[].
// Cookies with session identifiers should be HTTPS only. Local storage and globals should not store
// sensitive data. API requests can be made inaccessible from XSS (and that includes self-XSS) by
// means of a CSRF token that is properly secured (as explained in a roundabout way in the video).
// You should also be using a CSP to prevent the script injection Facebook demonstrated (but I
// don't see a CSP on

// And interestingly, Chrome (even Canary) still allows the user to run javascript from the omnibar.

// Disabling the console is just stupid.
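The following is an added example, not code from the paste's author or from Netflix. It replays the override above against a constructed `window` stand-in so it runs under Node, and models DevTools attaching its command-line API by setting `_commandLineAPI` on the page's console object, which is the flag the Netflix snippet tests. It then shows why the extension-side `defineProperty` stops the trick: once the `console` binding is non-configurable, the accessor redefinition throws a `TypeError` that the snippet's own `try/catch` swallows. The names `makeWindow`, `disableConsole`, `protectConsole`, `openDevTools`, `tryLog` and `demo` are this example's, not anything on the page.

```javascript
// Added example, not code from the paste or from Netflix.

function makeWindow() {
  // Constructed stand-in for the browser global: a minimal console that records
  // what was logged, exposed as a normal writable, configurable data property.
  const lines = [];
  const fakeConsole = { lines, log: (...args) => lines.push(args.join(' ')) };
  const win = {};
  Object.defineProperty(win, 'console', {
    value: fakeConsole, writable: true, configurable: true, enumerable: true,
  });
  return win;
}

// The Netflix snippet, parameterised on the global object instead of `window`.
// Returns true if the accessor was installed, false if defineProperty refused.
function disableConsole(win) {
  try {
    let real = win.console;
    Object.defineProperty(win, 'console', {
      get() {
        if (real._commandLineAPI) {
          throw 'Sorry, for security reasons, the script console is deactivated';
        }
        return real;
      },
      set(v) { real = v; },
    });
    return true;
  } catch (ignore) {
    return false; // non-configurable property: the trick fails silently
  }
}

// The extension-side countermeasure from the paste. The paste's one-liner sets only
// `configurable: false`; `writable: false` is added here because, when an existing
// property is redefined, attributes omitted from the descriptor keep their current
// values, so plain assignment `window.console = {...}` would still succeed without it.
function protectConsole(win) {
  Object.defineProperty(win, 'console', {
    value: win.console, writable: false, configurable: false,
  });
}

// Models what opening DevTools did: the command-line API is attached to the console
// object the page captured (assumption: any truthy property value is enough here).
function openDevTools(consoleObj) {
  consoleObj._commandLineAPI = {};
}

// Attempts console.log through the (possibly hijacked) global and reports
// either 'ok' or the message the getter threw.
function tryLog(win, msg) {
  try {
    win.console.log(msg);
    return 'ok';
  } catch (e) {
    return String(e);
  }
}

function demo() {
  // Unprotected page: the trick installs, works until DevTools opens, then throws.
  const w1 = makeWindow();
  const c1 = w1.console;
  const installed = disableConsole(w1);
  const before = tryLog(w1, 'page script, DevTools closed');
  openDevTools(c1);
  const after = tryLog(w1, 'page script, DevTools open');

  // Protected page: the binding was frozen first, so the trick's defineProperty
  // throws a TypeError (caught and ignored by the snippet) and logging survives.
  const w2 = makeWindow();
  protectConsole(w2);
  const installed2 = disableConsole(w2);
  openDevTools(w2.console);
  const after2 = tryLog(w2, 'protected page, DevTools open');

  return { installed, before, after, installed2, after2, logged: w2.console.lines.length };
}
```

One caveat for anyone actually shipping the countermeasure as an extension: Chrome content scripts run in an isolated JavaScript world, so a `defineProperty` call made directly from a content script does not touch the page's own `window.console`. The call has to execute in the page's world, before any page script runs (for example a `document_start` content script that injects a `<script>` element carrying the one-liner), or the Netflix snippet will already have installed its accessor.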