Netflix disables use of the Chrome developer console

  1. // It appears Netflix is following (Facebook’s lead)[].
  2. (function() {
  3.     try {
  4.         var $_console$$ = console;
  5.         Object.defineProperty(window, “console”, {
  6.             get: function() {
  7.                 if ($_console$$._commandLineAPI)
  8.                     throw “Sorry, for security reasons, the script console is deactivated on”;
  9.                 return $_console$$
  10.             },
  11.             set: function($val$$) {
  12.                 $_console$$ = $val$$
  13.             }
  14.         })
  15.     } catch ($ignore$$) {
  16.     }
  17. })();
  18. // I feel like we’re seeing the next generation of engineers pursue ideas that were demonstrated
  19. // bad by the previous. First, we’ll disable right-click, you know, “for security reasons.” And by
  20. // that we mean “so you can’t steal our source code or save our images to your disk (even though you
  21. // can still “View Source” in the browser and download the images in a similar way). Now we’ll
  22. // disable the console, you know, “for security reasons.”
  23. // Note: the NSA stores your phone conversations (and much more), you know, “for security reasons.”
  24. // It’s an amazing justification that validates any nefarious behavior. Oh, you’d like to destroy
  25. // my freedoms? Why? “For security reasons.” Oh, go right ahead then! Thanks so much for looking
  26. // out for me!
  27. // Google should really patch this. The command line API should be privileged so that third
  28. // parties can’t modify how the browser behaves without explicit authorization (i.e. an extension).
  29. // But if you’re feeling up to it, you can run the following line via an extension to prevent
  30. // this abuse:
  31. // Object.defineProperty(window, ‘console’, {configurable: false, value: window.console});
  32. // Crockford has the correct idea when it comes to
  33. // (security in web applications)[].
  34. // Cookies with session identifiers should be HTTPS only. Local storage and globals should not store
  35. // sensitive data. API requests can be made inaccessible from XSS (and that includes self-XSS) by
  36. // means of a CSRF token that is properly secured (as explained in a roundabout way in the video).
  37. // You should also be using a CSP to prevent the script injection Facebook demonstrated (but I
  38. // don’t see a CSP on
  39. // And interestingly, Chrome (even Canary) still allows the user to run javascript from the omnibar.
  40. // Disabling the console is just stupid.