That article about disabling the console was interesting, but it's fairly easy to get around.
All you have to do is to use the location bar to delete the custom console, which then returns control back to the standard one.
I tried this, but it didn't work for me in Chrome.
The console was still disabled.
Am I missing anything?
I checked FB using FireBug. That still works as expected
I agree that how a language is taught makes a great difference.
I think the author's point is that it's not very good for "software engineering" and/or "end-to-end systems programming", as its focus is too web-centric.
For example, I recently wrote a small desktop GUI that should do some basic file manipulation, then upload the altered files to an FTP server.
I ended up using Ruby, but briefly entertained having a go at writing it in JS. The file manipulation part and the FTP part put me off.
My search-fu is poor today. It was fairly recently tweeted.
That's interesting - I tested using a local test page and things went well. I'll try again tonight and see if I can get my results to differ.
Social engineering sucks, that's for sure, but disabling the JS console in this way is like disabling the terminal on a Linux machine in case you enter
rm -rf / or
Aha, someone else who saw the post vaguely remembered the logo looked like a fire hydrant. Adding "hydrant" to my search suddenly brings it up :/
The vulnerabilities outlined in the post allow the following:
Detect the opening and executing of commands in the console. (Unpatched)
Prevent the execution of commands in the console (Unpatched)
Log the commands that are executed in the console (Unpatched)
Censor variables from being accessed/read from the console (Unpatched)
Other unexplored potential vulnerabilities that are children of these (Unpatched)
Use these vulnerabilities to execute arbitrary scripts on webpages that can be framed (Patched)
I don't actually buy the "Facebook is doing it to protect you" line.
That's interesting reading, poes.
Wouldn't it be easier to just create a userscript to attach to your browser that runs that command just on those sites that try to disable the console? That way it would be a set once and forget (until you find another site that you need to add to the list) rather than having to enter it every time.
The following userscript will work in Google Chrome (tampermonkey) to reinstate the console. It should work in Firefox (GreaseMonkey) as well, may need slight alteration to work in Internet Explorer (depending on which userscript plugin you use).
// @author Stephen Chapman
// @name Fix console
// @description Reinstates the console when one of the following sites disables it
// @include http://facebook.com
This is set and forget - the only time you'd need to change it is if you need to add an include statement for another stupid site.
It didn't work for me either in Chrome.
Typing in the address bar in Chrome didn't work for me either but setting it up as a userscript did.
This topic is now closed. New replies are no longer allowed.