Console Security

Just as with "no right click" scripts in the past, some web sites are now attempting to block your ability to run extra JavaScript on the page from the browser console. They supposedly do this to "patch" what they consider to be security holes in how the console can be used, such as:

Well, as far as I am concerned, none of these are actually security holes. The console is only able to be accessed to perform any of these tasks by the person who is sitting in front of the browser, opening the console in THEIR browser and entering commands themselves directly into THEIR console. No one else has any access whatsoever to their browser console to do this, and so no such security holes exist.

What is happening is that the author of the web page is trying to dictate what you can do with their web page once you load it into your browser.

Now, reading the message that Facebook display in the console when you first access their site, they have apparently had problems with people being told to paste code into the console, supposedly to activate features of Facebook, when the code is in fact a scam designed to give someone else access to your Facebook account. Of course this message in itself ought to prevent people from pasting code into the console where they have been given the code and have no idea themselves as to what the code does. It shouldn't be necessary for them to then attempt to dictate what you are allowed to do with your browser to prevent you from entering commands into the console if that is what you want to do.

The Facebook message tells people that the console is intended for developer use only, and developers ought to be able to use the console if they want to. In fact Facebook do allow developers to regain access to their console, but it isn't obvious when you first read their message. What you need to do is to click on the link in the original message that takes you to a web page that explains in more detail why they are doing this. At the bottom of that page they have a checkbox that reads "Allow my account to be hijacked if I paste malicious JavaScript", which translated into English means "Prevent Facebook from Hijacking my access to my console". Once you check that checkbox Facebook will no longer hijack your console access.

So how do sites like Facebook achieve this hijacking of your console access? Well, the following is one example of such a script that I have found:

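(function() {
  try {
    // Keep a private reference to the real console object.
    var $_console$$ = console;
    // Replace window.console with an accessor that checks every read.
    Object.defineProperty(window, "console", {
      get: function() {
        // _commandLineAPI is present when the read comes from the script console.
        if ($_console$$._commandLineAPI)
          throw "Sorry, for security reasons, the script console is deactivated";
        return $_console$$;
      },
      set: function($val$$) {
        $_console$$ = $val$$;
      }
    });
  } catch ($ignore$$) {
    // Browsers that refuse the redefinition are left unchanged.
  }
})();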

To undo this code, and so automatically regain access to the console on all web sites that try to hijack it, you just need to ensure that the command delete console; gets run after all their code. The easiest way to do this in a set-and-forget way is to set up a userscript that contains that command and is instructed to run only on those sites where the console hijacking code is present. As all the popular browsers allow you to attach userscripts that run for the specified web pages after all the scripts the page runs when it first loads, you can easily disable this blockage with this one-line userscript.
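As an added sketch (not code from this article or from any site), the following Node.js script models the window as a plain object to show why delete removes the guard: redefining an existing configurable property keeps it configurable unless the descriptor says otherwise. The names makeWindow, installGuard, isBlocked, probe and the lock switch are hypothetical, and the _commandLineAPI marker is set by hand.

```javascript
'use strict';

// Constructed stand-in for a browser window (assumption): `console` is an
// own, configurable data property.
function makeWindow() {
  const win = {};
  Object.defineProperty(win, 'console', {
    value: { log() {} }, writable: true, enumerable: true, configurable: true,
  });
  return win;
}

// The article's guard, applied to `win`. `lock` is a hypothetical switch that
// makes the accessor explicitly non-configurable.
function installGuard(win, lock) {
  let real = win.console;
  const desc = {
    get() {
      if (real._commandLineAPI) throw new Error('script console is deactivated');
      return real;
    },
    set(val) { real = val; },
  };
  if (lock) desc.configurable = false;
  Object.defineProperty(win, 'console', desc);
  return real;
}

// True when reading win.console throws.
function isBlocked(win) {
  try { void win.console; return false; } catch (e) { return true; }
}

// Install the guard, set the marker it tests for, then try to delete it.
function probe(lock) {
  const win = makeWindow();
  installGuard(win, lock)._commandLineAPI = {}; // constructed marker
  const configurable = Object.getOwnPropertyDescriptor(win, 'console').configurable;
  const blockedBefore = isBlocked(win);
  const deleted = Reflect.deleteProperty(win, 'console'); // what `delete` does
  return { configurable, blockedBefore, deleted, blockedAfter: isBlocked(win) };
}

console.log(probe(false), probe(true));
```

With lock unset the accessor inherits configurable: true, so the delete succeeds and the read no longer throws; with lock set the delete fails and the guard stays in place.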

The following userscript just needs all the stupid sites to be added as include statements in order to reinstate your console for those sites:


This article written by Stephen Chapman, Felgall Pty Ltd.
