Official browser API?

[auchenberg]

I'm the PM on Edge DevTools, and I was wondering if we could help this extension, by setting a property on the global object when the DevTools are opened?

The current approach seems rather hacky, and I imagine it would be easy to get implemented in most engines

interface DevTools {
    attribute Boolean isOpen;
    attribute String dockState; 
}

window.devTools.isOpen
window.devTools.dockState // 'left, right, top, bottom, inline'

[sindresorhus]

👍 That would be very useful!

[mgol]

It seems to me it should go the other way round. Adding such an API makes it possible for web sites to block developer tools access to the site.

[fatso83]

@mgol how could they block it?

[mgol]

@fatso83 Once you open DevTools, remove everything on the site; simple.

[fatso83]

@mgol Thanks for explaining. But this is also presently doable, using this lib in all supported browsers, so presently only Edge and IE is not vulnerable to sites that don't want you to poke around. Or do I misunderstand?

I don't think the practice of blocking access like that would be widespread, as it is such a nuisance, and easily defeatable through numerous low-tech techniques (download & remove blocker script, modifying proxies, etc), and having native support such as above would in practice just make a few additional browser engines vulnerable to non-snooping-around-supporting sites.

BTW I am not sure what you mean by "the other way around": could you elaborate?

[mgol]

@fatso83 It's not 100% doable as indicated in README.

easily defeatable through numerous low-tech techniques (download & remove blocker script,

That won't work for Single Page Apps.

BTW I am not sure what you mean by "the other way around": could you elaborate?

I mean that browsers should work hard to make DevTools detection impossible. For me all the code in this repository is basically a list of bugs in various browsers which should be fixed, making this library report false even if DevTools are open.

[auchenberg]

@mgol @fatso83 Wrote a little demo page: https://github.com/auchenberg/devtools-self-destruct

[sindresorhus]

I mean that browsers should work hard to make DevTools detection impossible.

That's a losing battle.

[maxnordlund]

I suggest putting any sort of detection API behind a permission, one that cannot be requested by a page but only from inside the devtools themselves.

Which means that you can allow your site to display some nicer info/start logging to the console etc. But at the same time preventing any random website from denying access to their DOM/sources/etc. While the document.body.innerHTML = "" clears the current DOM, a location.href = "page reminding you of breach of ToS, or worse".

[fatso83]

@maxnordlund that's adding a lot of logic for a futile approach to doing something that's impossible: blocking access on an open web. Like I said to @mgol, it's easily defeatable by, for example, saving the web page locally, modifying the source to remove the logic that does the check and firing it up behind a local proxy that delegates the API calls to the original site. Or you could build some proxy that does all this in transit. This should work fine for SPAs, as well, as you need to download JavaScript in any case.

It's like those JavaScript techniques employed in the early 2000s that prevented you from right-clicking on images and saving the image. No-one is doing that anymore as the HTML would always be available for inspection, revealing the URLs.

What's the use of a permission that prevents access to a feature that's always available and can be circumvented? Sites could display the warning in any case.

[maxnordlund]

I mean the detection API suggest by @auchenberg. If, and only if, such an API should be made available it needs to be behind a permission that can only be manually enabled in the devtools.

As for counter measures, yes that will lead to an war of attrition. But I do oppose making it easier to detect the devtools rather then make it easier. This is because of behaviour you mentioned by highjacking right click.

Which coincidentally is done by Facebook to display clean links, but force you to copy the analytics redirect link. Same for normal opening of the link, rewrite before opening.)

[TristanWiley]

So the problem I see with adding an property in Chrome would make it possible for sites to self destruct. However, currently this is not always possible. For example, if you open the Devtools in a new window "Undock into a separate window" the current approach will not work.

If that makes sense, my two cents.

[resynth1943]

The proposal above would be nice, but how would that be used to actively track the opening of the Developer Tools? It's just a boolean, not an event.