So: read it and keep npm dependencies in mind when considering your webapp's threat model, but don't drop everything to add CSP as a protection against this problem. It unfortunately won't help.
Awesome, thanks for the feedback and links. I've updated the post to reflect that we're all screwed no matter what we do :)
New conversation
> My code won’t send anything when the DevTools are open ffffffff
Who came up with the (awful) idea of exposing to js the state of dev tools?!?
You don't need an explicit API for this; there are a bunch of clever browser-specific hacks (https://stackoverflow.com/questions/7798748/find-out-whether-chrome-console-is-open …) or you can infer it from window.outer{Height,Width} - window.inner{Height,Width}.
window.outer should always just be window.inner plus some constant matching a common historic window decoration style. Actually giving the real value is a fingerprinting leak bug.
The other things in the SO answer are also bugs/leaks that should be fixed/plugged.
Sounds reasonable in principle, but in practice removing all the side channels is a huge amount of work for a browser vendor for a fairly unclear benefit (hiding the "is console open" bit for a tiny fraction of users). Not a hill I'd want to die on ;-)
It's just a matter of undoing mistakes & stopping adding new ones. They're not just console state leaks but tracking vectors (big privacy issue).
Removing all of them for devtools might be infeasible. Here's another one: with devtools opened, by default, JS pauses on errors. Check if that happens in an iframe. There's probably 100s of ways like that.