Hi, my name’s Aaron Powell and I’m a Cloud Advocate at Microsoft. My area of specialty is front-end web dev and .NET (especially F#), but I enjoy doing silly things with technology.
I'm not sure it's possible to block the use of the console in dev tools (like, opening up and doing console.log), but what you can restrict is what commands issued there can do. Since the code is executed in the context of the page, if it tried to inject a resource from a domain that's not whitelisted, it'll still fail.
Interesting. Thanks for your answer. Do you think this could be something useful in terms of security to have (completely lock the console) in a hypothetical future or is it really not that useful? Sorry for my question I gotta take the chance while I get you haha!
Completely disabling the browser dev tools isn't really viable; a web page doesn't have that level of control over the browser.
CSP is a way to limit the "damage" someone can do to themselves using the dev tools but there's only so much you can do to protect people from themselves.
There's other things you can do to encourage people to not do stuff at the console, check out this post I wrote.
Pretty JavaScript Console Messages
Aaron Powell ・ Mar 14 ・ 2 min read
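The allowlist check behind "it'll still fail", as an added example that is not part of the comments above or the linked post: a simplified model of how a browser decides whether a script URL passes a page's `script-src` list, whoever created the `<script>` element. The policy, origin and URLs are constructed sample values, and ports, paths, nonces and hashes are deliberately left out.

```javascript
// Added example: simplified script-src matching, not the full CSP Level 3 algorithm.
// Ports, paths, nonces and hashes are ignored; all sample values are constructed.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  // "*.example.com" covers subdomains only, not example.com itself.
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function scriptAllowed(header, pageOrigin, scriptUrl) {
  const policy = parsePolicy(header);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const sources = policy.get("script-src") ?? policy.get("default-src");
  if (sources === undefined) return true;
  const page = new URL(pageOrigin);
  const target = new URL(scriptUrl, pageOrigin);
  return sources.some((src) => {
    if (src === "'self'") return target.origin === page.origin;
    if (src.startsWith("'")) return false; // 'none', nonces, hashes: not URL matches
    // scheme-source such as "https:"
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
    // host-source: optional scheme, then host (port and path skipped in this model)
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(src);
    if (!m) return false;
    const scheme = m[1] ? m[1].toLowerCase() + ":" : null;
    const schemeOk = scheme
      ? target.protocol === scheme
      : target.protocol === page.protocol || target.protocol === "https:";
    return schemeOk && hostMatches(m[2].toLowerCase(), target.hostname);
  });
}

// Constructed policy and page origin for the demonstration.
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com";
const PAGE = "https://app.example.com";
console.log(scriptAllowed(POLICY, PAGE, "https://other.example.net/x.js"));
```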