Console log message to prevent self xss #18088
Conversation
What do you think about a "We're hiring" nudge in this? It could just confuse people since it gives mixed messages, so it might not be a great idea 🤷♂️
@spen I thought about adding the hiring message but figured it would not go well with the message about self XSS. There's also an x-hacker header with details about hiring on all wp.com pages
LGTM, might be good to wait for another review tho
Thanks @kloon, I think that makes sense so as not to confuse folks :) Another consideration might be to suppress the message in non-production environments - I'm not sure the best path for doing so in our jade templates, and not sure if this would cause more problems than it solves.
@hoverduck, does it solve #15 as you expected?
@gziolo - Yes, this generally solves #15, although @allendav was the original author...I only ported the issue over from the pre-oss repo 😄 A couple issues, though - And just a nit-pick, but I'd update it to say "This browser feature is intended for developers" (singular) instead of "This browser features is intended for developers" (plural)
server/pages/index.jade
if ( window.console ) {
console.log( "%cSTOP!", "color:#f00;font-size:xx-large" );
console.log(
"%cThis browser features is intended for developers. " +
Grammar nit: "features" should probably be "feature"
Edit: lol - sorry - I see @hoverduck caught that already too
One small change requested. Works well. Pre-approving.
@folletto or @melchoyce or @adambbecker or someone, could we get some design review of the text here, as this will be public-facing communication from Automattic? A part of me feels like it's too dread-serious for most of our other communication.
Let's just tag Editorial ;)
It's okay to be serious when there are potentially bad consequences! That said, I would tweak a bit to give people a little more context about why this is potentially bad: Wait! This browser feature runs code that can alter your website or its security, and is intended for developers. If you've been told to copy and paste something here to enable a feature, someone may be trying to compromise your account. Please make sure you understand the code and trust the source before adding anything here.
Thanks @michelleweber! I like how your wording acknowledges that the console can still be useful (we're not trying to forbid people from using it) and that some people will have the right/skill/know-how to get in there and dig around (while still warning off people who may be misled by something they read online).
36051c5 to 6e28fe7
@kloon and @gziolo I updated this PR to match the text which @michelleweber suggested. If we are okay with it we should probably just merge it
Yes, feel free to merge 👍
Could we disable this message in
This does feel very distracting and unnecessary in the
Add console log message notifying user about possible self xss
This is to guard against people accidentally pasting in code which they might read online which was written with malicious intent. By pasting code into the developer console it's possible to do things with the user's authentication; we want to make people aware that they shouldn't be randomly pasting in stuff unless they know what they are doing.
This adds a developer console message informing the user about the possibility of a self XSS attack if they were asked to enter a value in the console.
This closes #15. It could do with additions like translating the string based on locale and checking if the console supports colors and styles, the latter only possible via user agent checking, unfortunately.
Could also be useful to set up a page on wordpress.com explaining self XSS and then linking to that page.
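An added example (not the PR's own code) of the warning as the thread shaped it: guarded on `window.console`, suppressed outside production as suggested in review, and looked up by locale as the description proposes. The production hostnames and the locale table are assumptions; only the English text from the review thread is included.

```javascript
// Added example, not from the wp-calypso PR. Emits the self-XSS console
// warning only when a console exists and the page runs on a production host.

// Locale table (assumption): only the English wording from the review thread.
const WARNINGS = {
  en:
    "This browser feature runs code that can alter your website or its security, " +
    "and is intended for developers. If you've been told to copy and paste something " +
    "here to enable a feature, someone may be trying to compromise your account. " +
    "Please make sure you understand the code and trust the source before adding anything here.",
};

// Hosts on which the warning should appear (assumed list for the example).
const PRODUCTION_HOSTS = ["wordpress.com", "www.wordpress.com"];

function isProductionHost(hostname) {
  return typeof hostname === "string" && PRODUCTION_HOSTS.includes(hostname.toLowerCase());
}

// Build the console.log argument lists: a big red STOP, then the styled message.
// Falls back to English when the locale has no translation.
function buildSelfXssWarning(locale) {
  const lang = String(locale || "en").split(/[-_]/)[0].toLowerCase();
  const text = WARNINGS[lang] || WARNINGS.en;
  return [
    ["%cSTOP!", "color:#f00;font-size:xx-large"],
    ["%c" + text, "font-size:large"],
  ];
}

// Returns true when the warning was written, false when it was suppressed
// (no console, or a non-production host such as a local dev server).
function warnAboutSelfXss(win, locale) {
  if (!win || !win.console || typeof win.console.log !== "function") return false;
  const host = win.location && win.location.hostname;
  if (!isProductionHost(host)) return false;
  for (const args of buildSelfXssWarning(locale)) {
    win.console.log(...args);
  }
  return true;
}

// In a browser this runs on page load; under Node there is no window, so it is a no-op.
if (typeof window !== "undefined") {
  warnAboutSelfXss(window, window.navigator && window.navigator.language);
}
```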