All posts by Dimitris

Goat Herder, Adromeda Constellation, NZ1X1
Javascript

Netflix disables use of the Chrome developer console

Leave a comment
  1. // It appears Netflix is following (Facebook’s lead)[https://news.ycombinator.com/item?id=7222129].
  3. (function() {
  4.     try {
  5.         var $_console$$ = console;
  6.         Object.defineProperty(window, “console”, {
  7.             get: function() {
  8.                 if ($_console$$._commandLineAPI)
  9.                     throw “Sorry, for security reasons, the script console is deactivated on netflix.com”;
  10.                 return $_console$$
  11.             },
  12.             set: function($val$$) {
  13.                 $_console$$ = $val$$
  14.             }
  15.         })
  16.     } catch ($ignore$$) {
  17.     }
  18. })();
  20. // I feel like we’re seeing the next generation of engineers pursue ideas that were demonstrated
  21. // bad by the previous. First, we’ll disable right-click, you know, “for security reasons.” And by
  22. // that we mean “so you can’t steal our source code or save our images to your disk (even though you
  23. // can still “View Source” in the browser and download the images in a similar way). Now we’ll
  24. // disable the console, you know, “for security reasons.”
  26. // Note: the NSA stores your phone conversations (and much more), you know, “for security reasons.”
  27. // It’s an amazing justification that validates any nefarious behavior. Oh, you’d like to destroy
  28. // my freedoms? Why? “For security reasons.” Oh, go right ahead then! Thanks so much for looking
  29. // out for me!
  31. // Google should really patch this. The command line API should be privileged so that third
  32. // parties can’t modify how the browser behaves without explicit authorization (i.e. an extension).
  33. // But if you’re feeling up to it, you can run the following line via an extension to prevent
  34. // this abuse:
  36. // Object.defineProperty(window, ‘console’, {configurable: false, value: window.console});
  38. // Crockford has the correct idea when it comes to
  39. // (security in web applications)[https://www.youtube.com/watch?v=zKuFu19LgZA&t=27m15s].
  40. // Cookies with session identifiers should be HTTPS only. Local storage and globals should not store
  41. // sensitive data. API requests can be made inaccessible from XSS (and that includes self-XSS) by
  42. // means of a CSRF token that is properly secured (as explained in a roundabout way in the video).
  43. // You should also be using a CSP to prevent the script injection Facebook demonstrated (but I
  44. // don’t see a CSP on Netflix.com).
  46. // And interestingly, Chrome (even Canary) still allows the user to run javascript from the omnibar.
  48. // Disabling the console is just stupid.