I want to hide a download link from a common user that knows how to use a developer console and look at their network tab. I know they would have other means to detect the traffic but as long as they cannot see evidence of a web request within the dev console I'm satisfied. Is this possible or will every request made within a web page show up? I'm agnostic to any tool that can provide this service.
There's really no way to do this that would be reliable. You can obfuscate all you like, but the DevTools can see everything, and if they couldn't it would be a bug that the browser developers will go fix.
(The idea of using a WebSocket is a fun one, but even websocket frames are visible in DevTools these days).
Stepping back a bit, you should elaborate on what exactly you're trying to do and why you think preventing the use of Developer Tools would be useful. There is likely to be another solution that works better for what you want to achieve.
Related
I’m building a simple browser, and I’d like to code most of it using HTML/JS/CSS. I cannot use iframes to display pages, due to frame-busting. What are my options?
The browser is not meant to be production-quality, but as a proof-of-concept for my thesis, similar to this interactive mockup. The main features it will need to support are:
Loading any page without frame-busting (even google.com),
Detecting when a link is clicked and opening it in a new frame, with the original one remaining intact.
I intend to write this using Web technologies, but it’s OK if it needs to be wrapped up in a small amount of something else, e.g., to turn it into an Android app. However, if it’s possible, it would be best if I could load the app as a web page. Finally, it is also preferable to be able to run the app on an Android device, but it’s OK if it only works on a desktop.
In researching this question, I came across a few options:
<iframe>. Google.com doesn't load at all in an iframe. I tried using the sandbox attribute, but it still didn’t load. Is there a way around this (for any page)?
Mozilla’s Browser API. This API was supposed to allow you to use the mozbrowser attribute in an iframe when building FirefoxOS apps. I suspect there’s no longer any way to access it. I couldn’t get the sample browser app loaded, and it seems that mozbrowser is not supported in WebExtensions. Did I miss something? Is there a way to make this work?
<webview> in a Chrome app. This is the only option that worked so far. I was able to download and install the sample browser app in Chrome. The one downside is that it seems to be Chrome-only (and I would prefer cross-platform or Firefox, all else being equal). Are there any issues with this option? Any way to make it run without Chrome?
Electron app with <webview>. While the setup here is more complicated than the previous option, it seems like the code would be very similar (there’s even a similar sample browser app). Are there any advantages/disadvantages to this option over the previous?
So, are there ways to make options 1 or 2 work? Are there perhaps other options?
HTML/CSS is a "language" translated by the browser into pages. You cannot code a browser in HTML. The easiest solution is to code it in C#.
I'm not sure if this is a good solution, but you can try Electron (nodeJS). You will only need to use JS/CSS/HTML.
I am on a Chromebook controlled by an administration that has disabled the usual Chrome inspection. I am also not allowed to take it out of this administrative lock.
Is there a website available that would allow me to inspect element as a part of that website?
Is there some other way for me to be able to access the console log of a page?
I just need to do some debugging of a program, but I can't find out how to tell if there's an error or not since I can't access the console of the page.
No, there is no site or other method available. Usually business and school administration offices disable this on a Chromebook because they give the device to you to use for work, therefore disabling access to certain websites and features. They don't want you to mess around with their devices.
There are 3 solutions to this;
Buy a personal Chromebook.
Confront the administrator about enabling this feature.
Use any Windows or Mac computer, because they allow Inspect Element on desktops for certain reasons.
I hoped this answered your question.
A lot of schools that provide chromebooks or iPads like to put restrictions on them which include:
blocking websites
not allowing certain device features (like playing the dinosaur game when you don't have wifi, inspecting, viewing the source of a webpage, bookmarklets, google assistant, etc.)
and more
I know this from experience, as I am literally answering your question on a school chromebook, since Stack Overflow is luckily not blocked.
There are some ways to fix this.
Reach out to the help desk or IT person at your school/district. Ask them to allow inspecting web pages on your chromebook. However, you must have a legitmate reason for wanting the Inspect feature, like not because its fun how you can edit a website or whatever, but a reason similar to your reason.
I just need to do some debugging of a program, but I can't find out how to tell if there's an error or not since I can't access the console of the page.
I'm pretty sure that the help desk/IT at your school will allow you to have the inspect feature because you have a pretty good reason.
Other ways to inspect the website that you wanna inspect are:
Inspecting the website on a personal chromebook,Mac, Windows, or other type of computer. Restrictions cannot be put on Macs or Windows computers for inspect, so if a school gave out windows computers, the students could use inspect.
I have a bad habit when I'm waiting for code to compile or a database query to run, I may pop over to a news site for a minute.
I have a Chrome extension that blocks certain time-wasters, but now I'll just go to incognito mode and that's a 2-second way to get around it.
Is there another option to make it more difficult for myself to go to certain websites?
I know nothing is fool proof, obviously, I just need a slightly more annoying barrier. My apologies if this question is off-topic; I consider it a technical question.
You can enable the extensions which block these websites in incognito mode.
Simply go to Settings > More tools > Extensions and check the Allow in incognito boxes.
I'm working on browser automation tools (working at the JS level). It's pretty clear that loading external script can be considered an XSS attack. A few months ago I was able to run my scripts on Github.com so long as I served my js resources over HTTPS.
But this is no longer the case, i.e. Github has implemented an elegant standards-compliant barrier to this:
This is a great step forward I think: we can specify to the clients that we want them to put a more secure perimeter around our site's sandbox.
On the other hand it is making the options more limited on mobile platforms, though that's not entirely true because it's entirely possible to produce a standalone browser app which has these extension features built-in. Not exactly gonna be easy to accomplish compared to a browser extension, though.
Is it still possible to work around this with a (codesigned and reviewed) browser extension? What sort of user experience impact might this have? My hope is that it will be possible to set this up so that end-users only have to go through a short one-time setup. It's apparent to me that at least Google is making it so that Extensions published through their portal is distributed at least "reasonably" securely, and I imagine Apple (and eventually Microsoft) would be following suit for Safari and IE. I am only interested in Chrome and Safari for now (primarily Chrome for now).
If it turns out that somehow even extensions are subject to the content security policy, how might I write an extension that can reliably manipulate a page for me? I'm fairly sure this can't be the case as it would be the death of something like Tampermonkey.
Oh I just needed to read a little further (oh Github, you're awesome):
https://github.com/blog/1477-content-security-policy
The answer is yes! User configured scripts should always be granted clearance! (but we are off to a rocky start it seems)
I actually think there's significant opportunity for social engineering happening here; "Install this bookmark in your browser to use our cute emoticons in forums!" "oh bookmarks can't be viruses, right?"
As a workaround, you can tell your bookmarklet to load an external CSS stylesheet with your JS code injected. This bypasses CSP. Have a look at my answer to a similar question.
I would like to know if it is possible to modify Chrome or Firefox display settings, so that it would only show rectangles of HTML DOM objects? What I want to do is to decrease rendering engine job amount as much as possible, so it would only build layout of the page.
People usually refer to this mode of operation as "headless" (i.e. without UI).
Usually there's an additional requirement - to be able to run it server-side without the usual for client software installed. If you're running it client-side, I wouldn't bother about optimization, it shouldn't give you a big win anyway.
Otherwise, try searching using that term. I've seen it asked for several times, but haven't seen a working out-of-box solution.
[edit] just saw http://hg.mozilla.org/incubator/offscreen, which seems to be a headless version of Mozilla.
I wouldn't go as low-level as modifying the renderer. Instead, I suggest you use Firefox's Greasemonkey to replace the elements from the page with whatever it is you need. You'll need to know a bit of JavaScript, but it's not that hard.
However, this will only work on client side. If you want to do this on server-side ( so that it will work on any page a user requests through your own ), my guess is you'll need to grab the page's content in a string, and then modify it using a HTML parser.