Console log message to prevent self xss #18088
Conversation
kloon
added
[Status] Needs Review
|
What do you think about a "We're hiring" nudge in this? It could just confuse people since it gives mixed messages, so it might not be a great idea 🤷♂️ |
|
@spen I thought about adding the hiring message but figured it would not go well with the message about self XSS. There's also a x-hacker header with details about hiring on all wp.com pages |
|
Thanks @kloon, I think that make sense so as not to confuse folks :) Another consideration might be to suppress the message in non-production environments - I'm not sure the best path for doing so in our jade templates, and not sure if this would cause more problems than it solves. |
|
@hoverduck, does it solve #15 as you expected? |
|
@gziolo - Yes, this generally solves #15, although @allendav was the original author...I only ported the issue over from the pre-oss repo 😄 A couple issues, though - And just a nit-pick, but I'd update it to say "This browser feature is intended for developers" (singular) instead of "This browser features is intended for developers" (plural) |
server/pages/index.jade
Outdated
| if ( window.console ) { | ||
| console.log( "%cSTOP!", "color:#f00;font-size:xx-large" ); | ||
| console.log( | ||
| "%cThis browser features is intended for developers. " + |
There was a problem hiding this comment.
Grammar nit: features should probably be feature
Edit: lol - sorry - I see @hoverduck caught that already too
dmsnell
added
the
[Status] Needs Design Review
|
@folletto or @melchoyce or @adambbecker or someone could we get some design review of the text here as this will be public-facing communication from Automattic? a part of me feels like it's too dread-serious for most of our other communication. |
folletto
added
[Status] Needs Copy Review
|
Let's just tag Editorial ;) |
|
It's okay to be serious when there are potentially bad consequences! That said, I would tweak a bit to give people a little more context about why this is potentially bad: Wait! This browser feature runs code that can alter your website or its security, and is intended for developers. If you've been told to copy and paste something here to enable a feature, someone may be trying to compromise your account. Please make sure you understand the code and trust the source before adding anything here. |
Thanks @michelleweber! I like how your wording acknowledges that the console can still be useful (we're not trying to forbid people from using it) and that some people will have the right/skill/know-how to get in there and dig around (while still warning off people who may be mislead by something they read online). |
dmsnell
force-pushed
the
add/console-log-self-xss-warning
branch
from
36051c5
to
6e28fe7
Compare
There was a problem hiding this comment.
@kloon and @gziolo I updated this PR to match the text which @michelleweber suggested. If we are okay with it we should probably just merge it 
|
Yes, feel free to merge 👍 |
matticbot
removed
the
[Status] Needs Review
|
Could we disable this message in |
|
This does feel very distracting and unnecessary in the |
Add console log message notifying user about possible self xss This is to guard against people accidentally pasting in code which they might read online which was written with malicious intent. By pasting code into the developer console it's possible to do things with the user's authentication; we want to make people aware that they shouldn't be randomly pasting in stuff unless they know what they are doing.
sirreal
removed
the
[Status] Needs Copy Review
This adds a developer console message informing the user about the possibility of a self XSS attack if they were asked to enter a value in the console.
This closes #15, it could do with additions like translating the string based on locale and checking if the console support colors and styles, the latter only possible via user agent checking, unfortunately.
Could also be useful to setup a page on wordpress.com explaining self XSS and then linking to that page.