[SUGGESTION] Disabling developer tools

[drodil]

HTML specification should introduce a new tag to tell browser that developer tools are not allowed in the page. The suggestion is based on the fact that for example DOM modification is used in many internet scams (blog post about the topic: https://drodil.medium.com/internet-scams-browsers-should-warn-user-about-modified-dom-c75bbfc2bf9e). Additionally developer tools allow other things that compromises the security. First idea could be the to add new attribute to the tag:

<html devtools="deny">  // Deny from everywhere
<html devtools="allow">  // Allow from everywhere
<html devtools="192.168.0.*, 127.0.0.1"> // Allow from client IP addresses

[ghost]

Just wanted to say that there are also other avenues to do DOM manipulation. Like design mode in some (Chromium?) browsers.

document.designMode="on"

These should be addressed as well. Maybe for starters just a general banner for any type of client side DOM, CSSOM, AOM manipulation?

[pshaughn]

This would splinter the Web ecosystem, as power users would flock to browser builds that don't lock them out in this way.

[domenic]

This is not something the HTML Standard covers, as developer tools are individual to browsers.

[jgraham]

(Domenic closed this while I was writing, but I think it's worth posting anyway for pedagogical reasons)

There are two seperate issues here, but I don't think the proposal addresses either of them effectively.

One issue is end users being phished with scams that require them to run some code in devtools. That's a real problem, but it's not clear why having a per-site opt-in is an efficient way to address it. If it becomes a large problem I'd expect browsers to respond by making devtools harder to access for users who don't understand them (e.g. requiring a pref to be set or an extension to be installed or something). That works across the whole web without requiring any changes on sites themselves (and to a certain extent is already happening).

The other issue is "developer tools allow other things that compromises the security". This is fundamentally a misunderstanding of the security model of the web. From the point of view of the server, the client is always untrusted. Even with such a tag, a malicious user can e.g. run the page through a proxy which removes the tag, or use a user agent which is configured to ignore the tag. Such user agents would be easy to come by because the need to inspect third party sites is common (e.g. browser "web compatibility" teams which investigate sites that are broken in specific browsers). So, as an author, your security model simply can't depend on "malicious users can't access devtools" (or indeed, on "all clients play by the rules" in general).

[drodil]

Thanks for the responses! I agree that after all this shouldn't be in the HTML spec just because all the possibilities to bypass it. Good points made there @jgraham ! And of course because it's something that is so browser specific. Instead the browsers should provide some safeguard for their users to get protection from internet scams. The intention of this suggestion hopefully was good.