
Netflix disables use of the Chrome developer console - just2n
http://pastebin.com/Lx5gjXsA
======
gergles
"self-XSS" (the thing this malfeature is purportedly protecting people from)
is a made-up concept. It's basically "don't run your own scripts to interfere
with our site, and we'll use scary-sounding security words in an attempt to
discourage you from doing it." I don't believe for a second this is about
helping the user - more likely is that FB and Netflix want to prevent users
running scripts that add features or do functions they find inconvenient, like
exporting your address book or movie rating info.

I get to run code just as much as you do - it's MY computer, MY browser, and
MY bandwidth. Making up a scare word (that just means "users running code I
don't like") in an attempt to legitimize disabling access to development and
exploration tools is beyond the pale. There is absolutely no reason to permit
this kind of behavior, and I'm frankly a little appalled a community of
startup founders and hackers would ever defend this kind of behavior, as some
of the comments here have done. If you want to protect users from themselves
and limit and restrict what they can do, write a mobile app. Don't try and put
your shit on the web if you want it to be a walled garden.

~~~
FiloSottile
I don't see exactly how it is a concern for Netflix, but sadly "self-XSS" is
real on Facebook. Not among us tech-savvy people obviously, so consider how
much you look from inside a bubble.

If people read of a "h4x0r trick to read their bf/gf private messages", they
will execute it. And hey, "it has this l33t keyboard shortcut that will make a
strange window pop up, it must be what the hackers in the movies use!!". And
then "Oh well, thanks to this friend of mine for sharing this cool trick that
gives me the stuff to paste there, I would not know how to use it!". And
finally "Booooo, Facebook sucks, my account got hacked".

I remember the internet making fun of a girl who believed she had been
enrolled in some secret police because she popped up the Dev console. Well,
those are just normal people, not uncommon.

I trust that actual developers can find their way around blocks and warnings,
which however raise the bar for social engineering.

~~~
gcb0
Right, because patching one of 1000 is the right solution? Please give back
your engineer card.

- Just download this file to see your gf's private messages. OK, let's remove
download from the browser (actually, iOS did this).

- Just run this long string in the address bar to see whatever. OK, let's
prevent the javascript: scheme in the URL bar (actually, the Android stock
browser did this).

Any way you go at it, it is ineffective. The only solution is to educate. Trying
to prevent idiots from harming themselves will just lead to annoyance for the
non-idiots and more sophisticated attacks until you can't prevent them.

People who implement those dumb things disgust me. Your comment disgusted me.

~~~
userbinator
> the only solution is to educate.

Exactly. The more things you do to restrict users so "it's safer for them",
the more reckless and stupid they'll become - "because $security_feature will
protect me" - and they won't ever learn anything. On the other hand, if we
give them the freedom to make mistakes, those that do will learn from them.
Instead of trying to block "self-XSS" or telling everyone "don't listen to
anyone telling you to paste something into the URL bar", we should be
encouraging them with "if you don't know what it does or don't trust the one
who told you to do that, then don't do it - _or find out what it really
does_." That last part is particularly important, since it encourages
curiosity and that motivates learning.

I understand that many people would just want to use something and not want to
learn all that much, but I feel we should also not be encouraging this "lack
of thought" mentality either.

~~~
brokenparser
See
[http://boardofwisdom.com/togo/Quotes/ShowQuote/?msgid=35154](http://boardofwisdom.com/togo/Quotes/ShowQuote/?msgid=35154)

------
matt_heimer
You can defeat this without any extensions; here is how:

Since this only applies to Chrome, so do the instructions:

1) Open netflix.com

2) Open developer tools.

3) Go to Sources tab.

4) Click on the tiny icon for "Show Navigator" on the left.

5) Find the JavaScript file that has:

    (function(){try{var $_console$$=console;Object.defineProperty(window,"console",{get:function(){if($_console$$._commandLineAPI)throw"Sorry, for security reasons, the script console is deactivated on netflix.com";return $_console$$},set:function($val$$){$_console$$=$val$$}})}catch($ignore$$){}})();

For me this is cdn1.nflxext.com/FilePackageGetter/sharedSystem/pkg-nflxsrc- __
__ __ __ __ __ __ __ __ __ __*

6) For me the offending line is line 3. Click on the line number, this will
set a breakpoint.

7) Reload the page; now the script will pause before running line 3.

8) Switch to the Console tab.

9) Run: Object.defineProperty(window, "console", {configurable: false});

10) Switch back to the Sources tab and press the resume script button or F8.

11) Enjoy console access again.

~~~
rcruzeiro
You don't need the breakpoint. Just run Object.defineProperty(window,
"console", {configurable: false}); before loading netflix and you are good to
go ;)

~~~
matt_heimer
That doesn't work for me. When the page load happens, isn't a new set of
client-side browser objects created? Do you have any more detailed information?

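The mechanism behind the procedure above, as an added example that is not part of the original thread, the pastebin, or any Netflix or Chrome code: a Node-runnable model of the snippet from step 5 and of the defineProperty countermeasure from step 9. `makeWindow()` builds a constructed stand-in for the browser's window object, and the model assumes the browser's console is an own, configurable data property of it; that assumption, and the `_commandLineAPI` flag being how old DevTools marked input typed into the Console panel, are the modelling choices, not something the thread verifies.

```javascript
// Added example, not code from the pastebin, Netflix or Chrome: a Node-runnable model of the
// snippet in step 5 and of the defineProperty countermeasure used in step 9. `makeWindow()` is a
// constructed stand-in for the browser's window object; that the browser's console is an own,
// configurable data property of it is an assumption of the model, not something the thread checks.
const realConsole = { log() {}, label: 'browser console' };

// One fresh global per page load, so a countermeasure applied to the previous window does not carry over.
function makeWindow() {
  const win = {};
  Object.defineProperty(win, 'console', {
    value: realConsole, writable: true, configurable: true, enumerable: false,
  });
  return win;
}

// The snippet from step 5, reformatted but otherwise unchanged. The try/catch matters: when the
// defineProperty call fails, the page carries on silently and the block is simply not installed.
function installNetflixBlock(win) {
  try {
    var $_console$$ = win.console;
    Object.defineProperty(win, 'console', {
      get: function () {
        if ($_console$$._commandLineAPI) {
          throw 'Sorry, for security reasons, the script console is deactivated on netflix.com';
        }
        return $_console$$;
      },
      set: function ($val$$) { $_console$$ = $val$$; },
    });
  } catch ($ignore$$) {}
}

// Old Chrome DevTools exposed its Command Line API through console._commandLineAPI while evaluating
// input typed into the Console panel; the snippet uses that property as its "is this DevTools?" test.
// Reads from page scripts never see the property, which is why the site itself keeps working.
function readConsole(win, fromDevToolsConsole) {
  if (fromDevToolsConsole) realConsole._commandLineAPI = { $0: null };
  try {
    return win.console === realConsole ? 'console works' : 'console replaced';
  } catch (e) {
    return 'blocked: ' + e;
  } finally {
    delete realConsole._commandLineAPI;
  }
}

// Step 9 (and the pastebin's extension one-liner): make `console` non-configurable before the page
// script runs. Turning a non-configurable data property into an accessor is a TypeError, which the
// snippet's catch block swallows, so the real console stays in place.
function pinConsole(win) {
  Object.defineProperty(win, 'console', { configurable: false, value: win.console });
}

function scenario(pinBeforePageScript) {
  const win = makeWindow();
  if (pinBeforePageScript) pinConsole(win);
  installNetflixBlock(win);
  const desc = Object.getOwnPropertyDescriptor(win, 'console');
  return {
    page: readConsole(win, false),
    devtools: readConsole(win, true),
    property: 'get' in desc ? 'accessor' : 'data',
  };
}

// Pinning on one window and then navigating: the new global starts from scratch, so the block installs.
function scenarioPinOnPreviousWindow() {
  pinConsole(makeWindow());           // pinned "before loading netflix"
  const win = makeWindow();           // the navigation creates a new global object
  installNetflixBlock(win);
  return readConsole(win, true);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unprotected:', scenario(false));
  console.log('pinned first:', scenario(true));
  console.log('pinned on previous window:', scenarioPinOnPreviousWindow());
}
```

Two details worth knowing before trying this on a real page. The breakpoint in steps 6 and 7 exists only to get the pin in ahead of the page script inside the same window; anything that runs in an earlier document is applied to a different global object. And an extension content script runs in Chrome's isolated world, whose view of `window` is separate from the page's, so the one-liner has to be injected into the page's world (for example through an injected script element) before the page's own scripts execute. In the model, the accessor that the snippet installs inherits `configurable: true` from the property it replaces, which is what allows the later `delete window.console` approach in the thread to remove it; what the browser exposes after that delete is not modelled here.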
------
cge
There are legitimate security reasons why various major sites want to do this,
and the changes do appear to be in response to actual, self-XSS attacks that
have been seen. While I am no fan of the NSA, I don't see how this has
anything to do with them. I also think this is very distinct from the right-
click-disabling that used to be so popular: that was _not_ in response to
actual attacks, and also, to my knowledge, never happened on reputable sites.
Additionally, I don't recall it being justified as being for "security"
reasons: websites were usually rather honest about having it to prevent saving
or copying and pasting.

This _is_, in my view, a poor solution to the problem, but as a temporary
measure, it makes some sense. A change to Chrome to make a warning message
appear the first time the developer console is opened, or javascript is used
in the location bar, could be a good idea. And, as the pastebin notes, there
are likely better, if more complex, technical solutions from the website side.
All of these, however, will take considerably more time and effort, and the
attacks are already happening.

~~~
dgrant
It doesn't have anything to do with the NSA. He was just saying that "for
security reasons" is a stupid excuse that, he says, seems to be frequently
used to excuse any nefarious behaviour.

------
staunch
It's just a bug in Chrome that you _can_ disable it. A cat and mouse game that
Chrome should easily win, given that it holds all the cards.

~~~
georgemcbay
Chrome can easily fix this, but it wouldn't actually be a bad idea for them to
show a message to the user warning them of social-engineering based self-XSS
attacks when devtools are first brought up.

Either that or "hide" the developer tools a bit like they do in modern Android
so that it is really obvious to the user if they are directed to mess with
things that they shouldn't be messing with without understanding them.

~~~
rosswilson
"so that it is really obvious to the user if they are directed to mess with
things that they shouldn't be messing with"

I think that as soon as an attacker tempts the user with "follow these steps
to access American/UK (substitute a locale that has content your account
shouldn't have access to) only films that Netflix don't want you to know
about!", the apparent gain for the user will lead them to ignore any warnings.
In fact, a warning might actually encourage these kinds of attacks, since the
user could think "that's just Netflix trying to hide something, I'm gonna
follow [the attacker's] guide".

~~~
syntern
You can't protect the users this way: the attacker will create a custom
Chromium build and lure the user to download and execute it. At that point the
user will be pawned either way.

~~~
awj
That's a ridiculous argument. If the attacker could do that why would they
even bother with XSS attacks based on developer tools?

~~~
aboodman
The argument would be that the custom build of Chrome (or other malicious
software) is harder to create, but not so much harder so as to be not worth
doing for the attacker.

------
Artemis2
I really like the comparison with right click deactivation.

Anyway, people who use social engineering will still win; you can put JS code
in the browser bar with the good old javascript: "protocol" if you want
somebody to execute something.

~~~
adamnemecek
I think that executing JS in the URL bar is disabled in all browsers now.

~~~
lukifer
Disabled in Safari and Firefox, still works in Chrome Canary.

~~~
veesahni
However, you can't paste a string starting with "javascript:" in the address
bar

------
sergiotapia
Google please fix this bug in Chrome. Websites SHOULD NOT be able to override
the console.

~~~
cbsmith
Let the websites do whatever they want. You can always work around it. The
point of such measures is inconvenience.

------
syncerr
Just enter this in the address bar (may have to manually re-type
"javascript:")

> javascript:void(delete window.console);

~~~
userbinator
Intuitively, I would expect that to FUBAR the console completely but it's
actually deleting the overridden version so it restores the _real_ console's
properties (which thankfully cannot be deleted.) Cute way of fixing it.

------
arg01
Things like this always annoy me. It's a marginal annoyance to people who know
what they're doing. For those less knowledgeable, who were using something
they learnt by rote to improve their experience, they'll either google and
find another way to do it (thanks to a blog post/youtube video by someone with
a bit of nous) / download some virus / wait until they see the person who
originally showed them what to do.

It just seems like a bit of grief for a temporary gain.

------
josteink
First Netflix attempts to subvert web-standards with WebDRM. And now they
attempt to lock down the regular HTML as well by disabling legit inspection
tools. I can't wait to see what's up next!

It should be clear by now that if you care about the open web, Netflix is not
a company you can trust, much less fund with your money.

Cancel Netflix if you haven't already.

------
BadassFractal
Guess it's time to recompile the browser (Chromium in this case?) with some
extra switches to remove that chunk of JS code before it's executed?

~~~
arg01
From the article:

// But if you're feeling up to it, you can run the following line via an
// extension to prevent this abuse:

// Object.defineProperty(window, 'console', {configurable: false, value: window.console});

~~~
aboodman
Actually that alone won't work in a Chrome extension because of isolated
worlds. You have to do a bit more gymnastics.

------
higherpurpose
Interesting that this happens soon after Google restricted extensions to
developer mode, isn't it? Back then I said the "security reason" is definitely
BS, because they already took a "strong enough" measure to only allow
extensions to be installed with drag and drop into the Extensions page.

Plus, when you have the company that lives by data, not show you the _data_
that made them make this move, you know something is up. I asked then, and I
actually asked when they moved to drag and drop, too: show me the data that
proves this is so necessary!

Even before any of this, Chrome was far better than IE and even Firefox at
staving off bad extensions. So to me both of those moves seemed unnecessary,
and most likely with another "agenda" behind. Now we begin to see what that
agenda could be.

I've also connected stuff like this with MPAA taking board membership at W3C.
Expect stuff that's much worse than this, and the MPAA-influenced W3C to start
keeping features away from browsers that MPAA freaks out about, while Google
will increasingly start to ban various extensions from the store for various
"ToS reasons".

And people still think W3C's DRM extension won't be used to close down the
Internet? It took Netflix _weeks_ to take advantage of Google's recent move.
Watch what happens when DRM can be enabled in the browser by anyone, just as
easily. Then we'll see if the "convenience" of not playing Netflix through a
plugin was worth it.

------
pippy
Instead of developers throwing their toys out of the cot, try to imagine a
conversation along the lines of:

MPAA executive: we need to lobby W3C more to get DRM!

Netflix: why?

MPAA executive: because they'll steal our content!

Netflix: no need! we've disabled the developer console so they can't steal
your content!

MPAA executive: That sounds good!

It's nice having a "yeah but you can do X" retort to the people making these
decisions.

The ideologically driven 'but the web should be oooopen' argument won't go
far.

~~~
nilved
> The ideologically driven 'but the web should be oooopen' argument won't go
> far.

lmao, which site am i on again?

------
seba_dos1
Facebook at least allows an easy opt-out.

~~~
dan15
That and Facebook's one shows a huge message saying why they do it.

------
jebblue
Doesn't affect me on Ubuntu, they can't even play a movie in the browser which
is something Crackle does a great job at.

~~~
rcfox
There is a way to get Silverlight as a plugin in your standard Linux browsers.
It's called Pipelight[0]. Yes, it uses Wine, but not for the rendering, so
it's not a horrible experience.

[0] [http://www.webupd8.org/2013/08/pipelight-use-silverlight-in-...](http://www.webupd8.org/2013/08/pipelight-use-silverlight-in-your-linux.html)

~~~
ToastyMallows
Pipelight is awesome, I recommend using it to anyone reading this. It just
works.

------
subleq
> API requests can be made inaccessible from XSS (and that includes self-XSS)
> by means of a CSRF token that is properly secured

How can self-XSS be prevented with a CSRF token? Can't the script included via
self-XSS get the token out of the page and use it to make requests that appear
as if they originate from the app itself? Can't a script injected through
self-XSS do absolutely anything the page can do in the first place?

~~~
just2n
No, but it's not easy (in fact it's quite hard to do well) because of how
insecure the browser is.

You can take advantage of the fact that you can store private information in
closures. To prevent malicious code from overwriting a native function to
which you pass sensitive information (like the CSRF token in this case) you
need to Object.freeze the prototype of things like XMLHttpRequest or take your
own references of the native functions.

Naturally all of this assumes the user doesn't do something like set a
breakpoint and then inject a script with access to scope variables. But if
social engineering gets you that far, you could probably just have the user
run any arbitrary code on their machine.

------
dieulot
“And interestingly, Chrome (even Canary) still allows the user to run
javascript from the omnibar.”

Worth noting that they remove the "javascript:" part when you paste from
clipboard.

My guess is that it protects against people telling others to "copy this in
the address bar to steal your friends' Facebook accounts", much like why
Facebook disabled the console previously.

------
userbinator
I've noticed a rather disturbing trend of thought in technology that's been
showing up more and more recently with things like this: "Make it harder for
users to know how things really work. Make it harder for users to explore,
make mistakes, and learn. Make it harder for users to become developers. The
less the users know, the easier it'll seem to them, and the easier it'll be
for us to stay in control. Keep them ignorant and consuming. Lock them in a
walled garden and tell them it's all 'for your security/safety'. Because
knowledge is power, and we don't want that in the hands of the users."

Netflix doing this is one of the more obvious manifestations, but they are not
alone - many other companies and even open-source, free-software projects are
taking this approach, Google included.

~~~
albiabia
Yes, the bottom line is that Netflix is sending you code executed on your own
machine. You, as the user, should have full access to inspect the executed
code. Obfuscated or minified code should only be used as a bandwidth saving
device, and not to hide the true functionality from the user. If the browser
is seeing it, why can't the user?

Disabling a feature of the user's browser is absolutely absurd. If you want to
hide from the user what's going on then that code needs to run on the server.

Can you imagine opening an image in Photoshop and because of some flag half
the tools disappear? Yeah, me neither, and images don't even run code.

~~~
GilbertErik
Have you ever tried scanning in a picture of a US Dollar? ;-)

~~~
rcruzeiro
HOLY SHIT. I never knew about this. Makes me wonder though if someone decided
to prevent the scanning of every single currency out there and the developers
had to code in a shitload of recognition patterns into the scanners firmware.

~~~
yuubi
[http://en.wikipedia.org/wiki/Eurion](http://en.wikipedia.org/wiki/Eurion)
suggests currency has some common features.

------
banterability
Anyone filed this on [http://crbug.com/](http://crbug.com/) yet?

~~~
comex
I was going to, but the developer console works on the landing page and I
don't have an account, so I can't verify Netflix is actually doing that.

If someone can verify, I highly recommend filing it.

ed: Looks like there is a bug already:
[https://code.google.com/p/chromium/issues/detail?id=345205](https://code.google.com/p/chromium/issues/detail?id=345205)

------
bambax
> _Google should really patch this. The command line API should be privileged
> so that third parties can't modify how the browser behaves without explicit
> authorization (i.e. an extension)_

Absolutely agree. Why don't they do that, or at least make it an option?

------
decad
I threw together an extension during my lunch that should work against these
types of console disables [0], using the method the poster suggested.

[0]
[https://github.com/Decad/ConsoleDefender](https://github.com/Decad/ConsoleDefender)

------
meowface
This mentions that there are ways to secure CSRF tokens so that they can't be
stolen via self-XSS (or any kind of XSS) attacks.

How exactly could this be implemented, not including adding a captcha or
requiring the user to retype their password for every action?

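The technique just2n describes earlier in the thread (keep the token in a closure and hold your own references to the native request methods), and which the question above asks about, as an added example that is not code from the pastebin, Netflix or Facebook: a Node-runnable model in which `makeTransportClass()` builds a constructed stand-in for XMLHttpRequest, the token value is made up, and the "self-XSS" payload is a hook on `setRequestHeader` that copies every header it sees.

```javascript
// Added example, not code from the pastebin, Netflix or Facebook: a Node-runnable model of the
// closure-plus-native-references technique described in the thread. `makeTransportClass()` is a
// constructed stand-in for XMLHttpRequest and the token value is made up; the point is how code
// injected later interacts with the prototype the page's own request code depends on.
function makeTransportClass() {
  return class Transport {
    open(method, url) { this.method = method; this.url = url; this.headers = {}; }
    setRequestHeader(name, value) { this.headers[name] = value; }
    send() { return { method: this.method, url: this.url, headers: { ...this.headers } }; }
  };
}

// Typical client: the token is handed to whatever method is on the prototype at call time, so a
// hook installed by injected code after page start sees every header, token included.
function naiveClient(csrfToken, Transport) {
  return {
    post(url) {
      const t = new Transport();
      t.open('POST', url);
      t.setRequestHeader('X-CSRF-Token', csrfToken);
      return t.send();
    },
  };
}

// Hardened client: built once at page start, before any injected script can run. The token and
// the native method references live only in this closure; later prototype patches are not used.
function hardenedClient(csrfToken, Transport) {
  const nativeOpen = Transport.prototype.open;
  const nativeSetHeader = Transport.prototype.setRequestHeader;
  const nativeSend = Transport.prototype.send;
  const token = csrfToken;       // not stored on any object reachable from the global scope
  return Object.freeze({
    post(url) {
      const t = new Transport();
      nativeOpen.call(t, 'POST', url);
      nativeSetHeader.call(t, 'X-CSRF-Token', token);
      return nativeSend.call(t);
    },
  });
}

// What a pasted "self-XSS" payload would do: hook setRequestHeader and record every header it sees.
// On a frozen prototype the assignment either fails silently (sloppy mode) or throws (strict mode).
function injectHeaderStealer(Transport) {
  const stolen = [];
  const original = Transport.prototype.setRequestHeader;
  const hook = function (name, value) {
    stolen.push(name + '=' + value);
    return original.call(this, name, value);
  };
  try { Transport.prototype.setRequestHeader = hook; } catch (e) { /* frozen prototype */ }
  return { stolen, patched: Transport.prototype.setRequestHeader === hook };
}

// Page start (client built, prototype optionally frozen), then the payload runs, then a request goes out.
function run(buildClient, freezePrototype) {
  const Transport = makeTransportClass();
  const client = buildClient('tok-3f9a', Transport);   // constructed token value
  if (freezePrototype) Object.freeze(Transport.prototype);
  const attack = injectHeaderStealer(Transport);
  const req = client.post('/api/rate');
  return { patched: attack.patched, stolen: attack.stolen, headerSent: req.headers['X-CSRF-Token'] };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive client:', run(naiveClient, false));
  console.log('hardened client:', run(hardenedClient, false));
  console.log('naive client, frozen prototype:', run(naiveClient, true));
}
```

Three caveats apply when carrying this over to a real page. The setup has to be the first script that runs, or there is nothing "native" left to capture. Injected code that cannot read the token can still make requests through any page code it can reach, whether a global client object or a UI handler it triggers, so this protects the token from being copied out, not every action the token authorizes; and, as the thread already notes, a breakpoint inside the closure exposes everything. Freezing the real `XMLHttpRequest.prototype` also breaks legitimate instrumentation and polyfills on the same page, so keeping private references is the less disruptive half of the technique.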
------
madrox
I don't think the goal of this is to hide legitimate uses of the dev tools. As
many have mentioned, it's really easy to circumvent. It's to shut down an
attack vector.

------
artellectual
Never trust the client, no matter what kind of hacks you come up with to
protect yourself. You have to assume the client side is always compromised.
Always protect yourself in the parts you have full control over.

------
brownbat
What are some things everyone's using the dev console on Netflix for?

------
blueskin_
It's a major WTF that Chrome even allows this.

Still, I suppose it is google...

------
zobzu
i would have called that "for security reasons" :)

------
yeukhon
I didn't read the whole thing, but I think the actual motivation is to prevent
self-XSS which is in the first line.

[http://stackoverflow.com/questions/21692646/how-does-faceboo...](http://stackoverflow.com/questions/21692646/how-does-facebook-disable-the-browsers-integrated-developer-tools)

Anyhow, I will just quickly dismiss the idea that this has anything to do with
the NSA. If I may be ignorant for once, I'd call this pastebin bullshit.

~~~
yeukhon
Wow, I can't even modify my post. Which unfair HN mod locked my post? How on
earth could anyone connect this to NSA?

~~~
icambron
> I didn't read the whole thing

May I suggest you read the whole thing next time? You can certainly disagree
with the author's assertion that companies and governments abuse "for your
security" to do awful things (or that it's what happened here), but it's far
from ridiculous. I think you just misunderstood the point about the NSA--not
reading will do that to you--and it makes you look silly.

~~~
yeukhon
I did understand the point he was trying to make, but to me that's a poor
analogy. This self-XSS prevention is a temporary solution. Facebook probably
thought they had enough of people reporting dev console self-XSS so they took
the initiative.

Netflix is not abusing "for your security" to do awful things. How? I just
don't see it. I see that as an accusation, putting Netflix and Facebook's
temporary solution in the same category as NSA's excuse is bad. I might be
unfair to the author for not reading the entire post (well technically I read
most of it, except Crockford and afterward I gave a quick glance), I will
admit that's my failure, but that argument doesn't appeal to me at all.

------
shultays
Thank you facebook

------
nilved
Why can websites disable use of the developer console? That seems like a
critical security bug.

------
lern_too_spel
The NSA ranting around here is out of control. Not only did the poster somehow
tie this bit of javascript to the NSA, but he claimed that the NSA records our
phone conversations too. There is no evidence that it does unless you're a
head of state or somebody the FBI has a warrant to tap.

~~~
ephemeralgomi
The poster did not "tie this bit of javascript to the NSA". She/he argues that
blindly acquiescing to removal of rights in the name of security is a bad
idea, using the NSA phone tapping deal as a point of comparison.

~~~
lern_too_spel
Removal of rights? Saying that either this JavaScript or the NSA's actions
amount to a removal of rights is a huge stretch. You might as well compare the
sealed battery on the iPhone to the NSA's data gathering.

~~~
ephemeralgomi
I half-disagree with you: the NSA's actions, IMHO, certainly do amount to a
violation of the right to privacy. However, calling the ability to run the
javascript development console on a page a 'right' is a stretch, I agree.

Please feel free to read the actual article and quote it and find fault with
its conclusions. As it is now you're seizing on individual words, not ideas.
If this were a Turing test you wouldn't be doing so well.

~~~
lern_too_spel
Reread what you just posted. You just said that the poster's comparison to the
NSA is invalid, which is exactly my point. Why does everything around here
have to be tied to the NSA (see Gruber's ridiculous conspiracy theory about
the Apple bug for a recent example), and why does half of the stuff posted
about the NSA have to be hysterical nonsense like that they're recording all
our phone calls? It removes legitimacy from the rest of us who are complaining
about things the NSA actually does.

