
Issue 799791

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug




DevTools can be detected using redefined nodeType getter

Reported by kdzwinel@gmail.com, Jan 7 2018

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3314.0 Safari/537.36

Steps to reproduce the problem:
1. Go to http://jsbin.com/fedemuv/edit?html,js,output
2. Open DevTools
3. "status" will change to "on"

What is the expected behavior?
Ideally, DevTools shouldn't be detectable.

What went wrong?
Script reliably detects if DevTools are open even in undocked state.

Did this work before? No 

Chrome version: 65.0.3314.0  Channel: canary
OS Version: OS X 10.13.2
Flash Version: 

I know that this is a cat-and-mouse game, but this particular hack was supposedly fixed in https://crbug.com/795547. Unfortunately, it looks like `obj.nodeType` had been overlooked.

FYI some other ideas on how DevTools can be detected are discussed here: https://github.com/sindresorhus/devtools-detect/issues/15
 
Owner: kozy@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 2 by kozy@chromium.org, Jan 8 2018

https://chromium-review.googlesource.com/c/v8/v8/+/854623

We are not going to fix all possible hacks right now. In an ideal world it is possible to fix most ways of detecting DevTools, but it is not our top priority and is mostly blocked on the injected-script-source migration to native code: crbug.com/595206
Project Member

Comment 3 by bugdroid1@chromium.org, Jan 8 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/784e2f5e00c53f5abd57dc95865637f42bc7c77b

commit 784e2f5e00c53f5abd57dc95865637f42bc7c77b
Author: Alexey Kozyatinskiy <kozyatinskiy@chromium.org>
Date: Mon Jan 08 23:53:15 2018

[inspector] little better injected-script-source

We can call less getters on node objects.

R=dgozman@chromium.org

Bug:  chromium:799791 
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Iecfe76c2be6b6bed675013ac4aaa117b714d4ba5
Reviewed-on: https://chromium-review.googlesource.com/854623
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50420}
[modify] https://crrev.com/784e2f5e00c53f5abd57dc95865637f42bc7c77b/src/inspector/injected-script-source.js
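
The commit above reduces how many getters the inspector's injected script calls on node objects. As an added illustration (not code from V8 or from this issue; every function name is hypothetical), the sketch below contrasts a helper that reads `nodeType` directly with one that only inspects property descriptors, and includes a regression check that counts how often a page-defined getter runs.

```javascript
// Added sketch, not V8's injected-script-source.js; all names are hypothetical.

// Naive preview helper: the plain read `obj.nodeType` runs any getter
// the page has installed, so the page can observe that it was inspected.
function previewNaive(obj) {
  const t = obj.nodeType;
  return typeof t === 'number' ? `Node(type=${t})` : 'Object';
}

// Hardened helper: look at property descriptors along the prototype chain
// and never invoke an accessor; accessor-backed values are reported as opaque.
// Limitation: a Proxy can still observe these reflective calls via its traps.
function previewSafe(obj) {
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    const desc = Object.getOwnPropertyDescriptor(o, 'nodeType');
    if (!desc) continue;
    if ('value' in desc && typeof desc.value === 'number') {
      return `Node(type=${desc.value})`;
    }
    return 'Object(nodeType: accessor, not read)';
  }
  return 'Object';
}

// Regression check for tool authors: how many times does a helper
// trigger a getter defined on a (constructed) sample object?
function getterCallsTriggeredBy(helper) {
  let calls = 0;
  const probe = {}; // constructed sample standing in for page-controlled data
  Object.defineProperty(probe, 'nodeType', {
    get() { calls += 1; return 1; },
  });
  helper(probe);
  return calls;
}

console.log('naive helper getter calls:', getterCallsTriggeredBy(previewNaive));
console.log('safe helper getter calls: ', getterCallsTriggeredBy(previewSafe));
```
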

Comment 4 by kozy@chromium.org, Jan 9 2018

Status: Fixed (was: Assigned)
Fix will be available in one of the next Canary builds.

Comment 5 by kdzwinel@gmail.com, Jan 9 2018

@kozy thank you for a quick response. I absolutely understand that it's not 100% fixable.
