How Does Facebook Disable the Browser's Integrated Developer Tools

How does Facebook disable the browser's integrated Developer Tools?

I'm a security engineer at Facebook and this is my fault. We're testing this for some users to see if it can slow down some attacks where users are tricked into pasting (malicious) JavaScript code into the browser console.

Just to be clear: trying to block hackers client-side is a bad idea in general; this is to protect against a specific social engineering attack.

If you ended up in the test group and are annoyed by this, sorry.
I tried to make the old opt-out page (now help page) as simple as possible while still being scary enough to stop at least some of the victims.

The actual code is pretty similar to @joeldixon66's link; ours is a little more complicated for no good reason.

Chrome wraps all console code in

with ((console && console._commandLineAPI) || {}) {
    <code goes here>
}

... so the site redefines console._commandLineAPI to throw:

Object.defineProperty(console, '_commandLineAPI',
{ get : function() { throw 'Nooo!' } })

This is not quite enough (try it!), but that's the main trick.


Epilogue: The Chrome team decided that defeating the console from user-side JS was a bug and fixed the issue, rendering this technique invalid. Afterwards, additional protection was added to protect users from self-XSS.
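The mechanism described in this answer, reproduced as an added example that is not the answerer's or Facebook's code: the `with` wrapper is the one quoted above, rebuilt here with `new Function` (whose body is sloppy-mode, so `with` is allowed) over a constructed stand-in console object so the real console is left untouched. It shows that the throwing getter fires before the pasted input is evaluated, and that a plain script, which never passes through the console wrapper, is unaffected, which is the limit the answer alludes to.

```javascript
// Constructed simulation of how Chrome's console wrapped typed/pasted input
// at the time of the answer; this is NOT Chrome's or Facebook's source.
function runLikeChromeConsole(con, source) {
  // Exactly the wrapper quoted in the answer: the `with` object expression is
  // evaluated first, so a getter on _commandLineAPI runs before `source` does.
  const wrapped =
    `with ((console && console._commandLineAPI) || {}) {\n${source}\n}`;
  // The parameter named `console` shadows the global inside the wrapper.
  return new Function('console', wrapped)(con);
}

// The site-side guard from the answer: a getter that throws on first access.
function installCommandLineApiGuard(con) {
  Object.defineProperty(con, '_commandLineAPI', {
    get() { throw new Error('Nooo!'); },
  });
}

// Runs `source` as if pasted into the console and reports what happened.
function consoleInputOutcome(con, source) {
  try {
    return { ran: true, value: runLikeChromeConsole(con, source) };
  } catch (e) {
    return { ran: false, error: e.message };
  }
}

// Stand-in console object (constructed) so we never mutate the real one.
const fakeConsole = { log() {} };
console.log('before guard:', consoleInputOutcome(fakeConsole, 'return 1 + 1'));
installCommandLineApiGuard(fakeConsole);
console.log('after guard: ', consoleInputOutcome(fakeConsole, 'return 1 + 1'));
// A normal page script does not go through the console wrapper at all,
// so the guard cannot stop it: this is why it only slows down self-XSS.
console.log('plain script:', new Function('return 1 + 1')());
```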

How to disable browser developer tools?

No, you cannot do this.

The developer menu is on the client side and is provided by the user's browser.

Also the browser developer should have nothing to do with your server side database code, and if it does, you need some maaaaaajor restructuring.

Preventing users from entering developer tools

There are keys you can't intercept, and ways into devtools that you can't intercept (e.g., via menus).

If you're trying to protect your code or some such, you just can't, full stop. Anything that goes to the client is accessible to the user.

If you're trying to prevent the user getting themselves into trouble in devtools, you might do what Facebook does, which is output a big bold message to the console warning users not to use it:

[image: the warning message Facebook prints in the console]


