Is the console in Chrome Dev Tools secure? - google-chrome

I was investigating why my DirectTV Now service wasn't working in the Chrome Dev Tools to nerd around when I couldn't log in.
I saw that when I try to log in, it logs my password and username.
So I began wondering - is there any way an unsavory Chrome extension or other loaded JavaScript files could access things that have been logged to the console?
I've often dumped sensitive items into the log in development, but never in production.
Hoped someone better informed than I am could help me understand if this is secure or not.

If it's in the console, it's originating from a console.log() call. Since console.log() is dumping out to the console log window the contents of some variable or state somewhere in the page, then a plugin can also read the same variables in the running page.
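The following is an added example, not part of the original question or answer. It shows that `console.log` is an ordinary writable property, so whatever is passed to it is visible to code running in the page's JavaScript context, and it pairs that with a redaction step applied before logging. The key-name pattern, helper names and sample login payload are assumptions constructed for illustration.

```javascript
// Added example. Key names and sample values are constructed, not taken from any real site.
const SENSITIVE_KEY = /pass(word)?|secret|token|authorization|cookie/i;

// Return a deep copy of `value` with sensitive fields masked, safe to pass to console.log.
// Objects already visited (shared or circular references) are replaced by a marker.
function redact(value, seen = new WeakSet()) {
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return '[repeated ref]';
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, seen));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = SENSITIVE_KEY.test(k) ? '[REDACTED]' : redact(v, seen);
  }
  return out;
}

// Test hook: run `fn` while recording every argument list passed to console.log.
// This works because console.log can be reassigned by any code in the same context.
function captureConsole(fn) {
  const original = console.log;
  const calls = [];
  console.log = (...args) => { calls.push(args); };
  try { fn(); } finally { console.log = original; }
  return calls;
}

// Audit helper: true if any captured argument serializes to text containing `secret`.
function leaks(calls, secret) {
  return calls.some((args) => args.some((a) => {
    const text = typeof a === 'string' ? a : JSON.stringify(a);
    return typeof text === 'string' && text.includes(secret);
  }));
}

// Constructed login payload standing in for what the page in the question logged.
const loginRequest = { username: 'alice', password: 'hunter2-constructed', remember: true };

const rawCalls = captureConsole(() => console.log('login', loginRequest));
const safeCalls = captureConsole(() => console.log('login', redact(loginRequest)));

console.log('raw logging leaks password:', leaks(rawCalls, loginRequest.password));
console.log('redacted logging leaks password:', leaks(safeCalls, loginRequest.password));
```

The same `captureConsole` and `leaks` pair can run in a test suite to fail the build when a known test credential reaches the console.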

Related

Chrome request not making it to server

I have a Windows 2016 Server with IIS 10.0.14393.0 installed that is maintained within an isolated VM environment. (The entire VM environment is isolated from the real-world.)
The web server is configured with three websites through IIS, and each website is assigned a dedicated IP. The content of each of these websites is a single "hello world" html page that can be accessed via a browser from my development workstation using Microsoft Edge, but I cannot access these pages using Chrome. The simple hello world html page was created only to assist in troubleshooting this issue.
The error received in Chrome is ERR_TIMED_OUT and based on the IIS logs, the request is never reaching the web server. IIS logs do indicate the request/response when accessing using Edge.
From my workstation, I can successfully ping the web server, traceroute output does not indicate any unexpected hops, etc. From all indications, the problem appears to be isolated to Chrome and only when accessing the sites on that server. I have other servers (W2016 and W2019) in the real-world with similar configurations and real applications deployed there that work as expected with any browser.
I am using the latest Chrome Version 105.0.5195.102 (Official Build) (64-bit) and can access other web based content within this VM environment using Chrome, just not on that one server.
I am almost to the point of deleting that VM instance and starting over so any ideas/suggestions are appreciated.
The error received in Chrome is ERR_TIMED_OUT
This is a communication problem, indicating that there is a problem with the user's local network connection. It can appear when your internet is too slow or your connection is taking too long, or the page or website you are visiting may be too busy, or when the website in question is not set up correctly, or even if the website is trying to perform more than your server can manage.
I'm not sure if you've seen the following methods, but you can try.
Method 1: Browse in Incognito Mode and Remove Extensions.
You should first browse the website in incognito mode to check if you
can open the website normally, if so then the culprit of the
ERR_TIMED_OUT error may be your plugin or extension. Therefore, you
need to enable extensions one by one to check for errors, and if there
is an error enabling an extension, you need to remove it from your
browser.
Method 2: Delete the Default Chrome Folder
Press Win + R keys at the same time to open the Run box.
Type %LOCALAPPDATA%\Google\Chrome\User Data\ in the box and click OK.
Close your Chrome if it is opened.
A new window pops out, find the folder named Default. Backup the folder anywhere else, then right-click the folder to choose Delete.
After you have deleted the folder successfully, open your Chrome and
then visit the webpage again that you searched before to check if the
error still appears.
Method 3: Update Network Drivers
If your network driver is out of date, you may encounter ERR_TIMED_OUT
errors. Here's how to update network drivers.
Right-click the Start button to select Device Manager.
Scroll down to find Network Adapters and click on it to expand it.
Right-click on your network device and select Update Driver.
Select Search automatically for updated driver software option to start to search and update your network driver to a new version.
After that, restart your computer and open the sites again with Chrome
to see if you can open them.
Method 4: Disable Firewall & Antivirus Software
Sometimes, your firewall or antivirus software may cause trouble. Therefore, you should try to disable them and check if the problem can be solved. If you find it helpful to disable these programs, you can check the firewall settings. Allow Chrome to connect to public or private networks. If it doesn't work, permanently delete these programs, and then use other antivirus software or firewalls.
Method 5: Check Hosts File
When you meet the ERR_TIMED_OUT error accessing a specific website,
you can check the Hosts file to see if the website has been blocked.
Here is the way to do that:
Press Win + E keys at the same time to open File Explorer and then go to the Local Disk C: > Windows > System32 > Drivers > etc.
Open the hosts file with Notepad. If you see the web address that you cannot visit, delete that entire line from the hosts file and save.
After that, open Chrome and see if you can open the specific website.
Method 6: Reinstall Chrome Browser
If none of the methods above fix the ERR_TIMED_OUT error, then you
should try reinstalling Chrome. Here is the tutorial:
Press Win + R keys at the same time to open the Run box, then type appwiz.cpl and click OK to open a new window.
Find Google Chrome in the list, and then right-click it to choose Uninstall.
After uninstalling Google Chrome successfully, you also need to delete its leftover files. Open the Run box again, then type %appdata% and click OK to open a new window.
Find the Google folder and then right-click it to choose Delete.
Go to Google Chrome’s site to download the latest version of the browser, and then install it.
The above methods are from the web article. To avoid the link becoming unavailable, I have also presented the details. I am not sure if the above methods can help you, but I hope you can solve the problem soon.

Cookies are erased when opening dev tools on localhost

Anytime I have dev tools open on localhost my cookies are deleted and I am redirected to the login page on every page load, which means I cannot use dev tools to debug or get insight into my site. I have localhost set up with a valid SSL cert (self-signed) and the site works normally until I open dev tools. How do I fix or disable this new "security" or setting in Chrome?
After lots of issues and trying out many different things I came across this post/answer
When adding a Javascript library, Chrome complains about a missing source map, why?
Turns out that when I opened Dev Tools it would request a CSS map and the request was being sent to a different firewall, causing my application to require me to re-authenticate every time this resource was requested. Turning off the CSS source map option fixed the issue.

Headless Chrome fails under IIS but works on command line

I am wrapping headless Chrome using the excellent ChromeHtmlToPDF library. This we are using to dynamically render PDFs from a website. This works locally under IIS Express, and also works on the server when recompiled as a console app, so the technology works. However, running under IIS, Chrome always exits immediately and an error of "one or more parameters are invalid" is returned.
You can fix this by passing Chrome a custom user profile directory:
chrome.exe --user-data-dir="C:\NewChromeProfile" ...
This directory will be created by the account under which Chrome is running, and therefore the account will have the permissions it needs.
After many, many hours looking into this I finally solved it by running it under my own user, then the restricted IIS user, then comparing the activity logs generated by the excellent Microsoft Process Monitor.
I tracked it down to file permissions on one directory: C:\Windows\System32\config\systemprofile\AppData\Local\Google\Chrome\User Data
The app pool user needs write + modify permissions to this directory. It's up to you if you feel this is an acceptable security risk; however for us it is, for now.
This is where headless Chrome stores its crashpad directory. No amount of parameter fiddling seems to be able to dissuade it of this. That seems to be a bug.
Hope this helps someone else, I couldn't find anything on this anywhere.

How do I force Azure Apps to use latest html file?

I have a web application hosted on Azure Apps that I publish using Visual Studio. It is a Flask app. One of the templates is called searchresult.html. I am making changes to this file that are made when I run locally. When I run it on the server though the changes are absent.
Using the Azure console I can see that the changes are present in the file that is stored on the server, but the application continues to deliver the old html.
How can I force Azure to see my updated file?
Things I have tried:
Deleting the file directly on the server and re-publishing it
Committing changes to git, even though I knew that would do nothing
Testing it locally (it works)
Restarting the application
Since you said you already checked that the file has been changed in Kudu, it is supposedly not a deployment issue. You could disable caching in your browser.
For example, in the Chrome browser, navigate to the F11 window and select the Disable cache blanket.
Or please try to access your website in incognito mode.
In addition, I ran into a similar issue in another web app. My previous solution was to enable the Always On option in the portal and restart my app; it worked.
Just for your reference. Hope it helps you.

Restart Chrome native messaging host

I've written a Chrome extension and companion native messaging host. I don't have any issues with it failing to start or crashing, but I would like to be able to restart it for updates of the extension. I can't find anything in the documentation or elsewhere regarding this. Is it even possible, or does the browser need to be restarted? Due to the nature of the extension, I'd like to avoid restarting the browser if possible.
Documentation can be found here, but it's not exactly robust.
https://developer.chrome.com/extensions/nativeMessaging
Upon further investigation I have found that restarting the native host application manually is not required. Chrome does this itself on update of the extension. However, that breaks the ability to send messages to the native host application from content scripts that have already been loaded, which was causing the issue I was seeing. Pages can be reloaded to fix messaging.