On 4/13/12 6:37 AM, Henri Sivonen wrote:
> The proposed scheme would fail to protect the long tail of sites while it would be annoying for debugging sites that use the directive. If a developer can override the directive via a preference, a social engineering attack could tell excessively gullible users to flip the preference. Thus, the scheme wouldn't protect excessively gullible users.
>
> Rather than sites asking search and developer features to be turned off, I think we should find a completely browser-side mechanism for discouraging non-developers from using the developer tools in ways they don't understand.
>
> Considering that the developer tools have keyboard shortcuts for opening them, which makes it easier to make gullible users open the developer tools, one possible solution would be that the first time the developer tools are opened the user has to explicitly enable the tools after reading a warning.
One thought I had was requiring that the very first time a user uses a developer tool, the user needs to go to Tools->WebDeveloper->Selected Devtool. After that, keyboard shortcuts would work for all devtools. The developer wouldn't have to do anything else to enable the tools and there would be no additional warnings.
On the other hand, I can already see this being very annoying for Page Source (command U), which is used by many users (developer or not). We could exclude that one from this requirement. Hence, we could require that in order to use the keyboard shortcuts for Web Console, Inspect, Scratch Pad, Style Editor and Error Console, you must first go to Tools->WebDeveloper and select any of the tools listed.
I also see this as an issue for people who uninstall/reinstall Firefox, or for developers who get a new computer, install Firefox, and wonder why their keyboard shortcuts aren't working. This is bad user experience since it's not clear to the user what's going on.
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
