Seriously, the Chrome team just landed a patch that lets sites block "View Source" _right in the middle_ of the Chrome Dev Summit.

chromium-review.googlesource.c

developer.chrome.com/devsummit

(To everyone saying "this is just an enterprise policy": Look at the conversations in the bugs.

Somebody said, to the Chromium team, schools are using Google Forms for testing, and the kids can see the right answers in the forms, so to address that, we want to prevent students from reading source code.

And without an ounce of pushback, without so much as a nod in the direction that this might not be the right solution to this problem, the Chromium team said yes.)

That's what sticks in my craw here. Not the policy part, not the (naive, flawed) implementation. Somebody asked the Chromium team to restrict students' access to devtools and source code, and there wasn't even a discussion.

@mhoye I guess this is how they solve "hacking" webpages by viewing the source :flan_laugh:

:flan_despair:

@mhoye still kinda unchill, but this is for a chrome enterprise feature (i.e. business network admins can block users on their network from using view source to get around network blocks), i don't think this lets any website remove view source

@objelisks @mhoye Yeah..as I understand it, this just allows the user, or user's site administrator to block this from the user side, like in a policy file, etc.

@paradroyd @objelisks @mhoye

Consider platforms like Windows 11 requiring remote login by the user (does ChromeOS do this? IDK). Seems like the remote party would then have some kind of management interface access on the PC.

How eager are these monopolists for enforcing in-browser IP protection schemes?

@objelisks @mhoye wow what kind of "network block" is so incredibly crappy that it can be defeated by web browser right-clickers?

The onus is on web creators to make sure the source they push to clients is not sensitive. This "solution" is a joke.

@msh @objelisks @mhoye It cannot be defeated if the content was delivered under DRM.

@mhoye This is playing right into the hands of folks like the Missouri Governor.

@mhoye
We should really boycott that browser ... It makes me sick when I see colleagues using it 🤢🤢🤢🤮

@hyde @mhoye Unfortunately, the target here is students on Chromebooks, who don't have the option. 😠

@mhoye sites? The patch ( https://chromium.googlesource.com/chromium/src/+/e72fc9b64116bf259e516096fcc60b58ae8ae1b3^!/ ) looks like it’s for admin settings.

And tbh you don’t really need to block view-source: in websites, obfuscation of web content is going strong these days and I wouldn’t be surprised to see broken encryption (à la DRM where you give the decryption keys anyway).

@mhoye this is tied to an enterprise policy value to disable devtools that's been around for a few years now

Still stupid but wouldn't really relate that well to the current situation

@mhoye actually amendment: this seems to be set with a separate policy for unlocking URLs but still tied to enterprise policies, the original bug from 2018 was arguing that this should be blocked when devtools are but I guess they went a different route for...some reason

@mhoye @neauoire Just to be clear, this setting appears to be a group policy setting, like for work/school admins to disallow View Source on Chrome on their machine. It's not for any ol' website to block visitors from using View Source. Reading the source it does indeed look like policy setting and not a web API. Of course, I won't be surprised at all if it later ends up being a setting websites can use :P

Tweet from the submitter of the code review: twitter.com/ericlaw/status/145

@neauoire @mhoye Ehh, it doesn't worry me; most browsers allow really granular control over various functionality via Group Policy. I actually use it to turn off a bunch of "what's new" update bullshit in Firefox. Fortunately, making an API available to websites themselves is quite different. I'm not really worried by this, but I don't trust Chrome whatsoever anyways and don't use it. I use Firefox kinda reluctantly, for that matter. 😂

@mhoye@mastodon.social This smells like the beginnings of NFTs that can't be yoinked, how long until they take away the context menu entirely? x3

@mhoye HAHAHAHAHAHAHAHAHASHAHAHASDFASDFASDFASDF

how the fuck do people not think that google has too much control over their lives?

@mhoye how the fuck does anyone who knows better actually use chrome these days?

like yeah sure mozilla isn't great but firefox is still fully-featured and it still *kinda* respects you

@mhoye Now we are all going to write little proxy blobs for every OS that filter the view-source-block header from the requests.

This is so futile.

I can't believe that the Chrome team would go for such a blatant corporate-partners-told-us-to-do-it bullshit.

@mhoye misleading title, but honestly the fact that it was so believable that this was a feature for private users probably says something.

@mhoye, this marks the end of an era.

What next? Have a judge declare CURL and WGET "illegal" hacking tools? And have an option to disable dev tools and a list of "allowed browser extensions". Then "make" everyone a hacker?

This is some coinbro NFT-level stupidity right here.

@walter @mhoye Some guy who was browsing a government website using Lynx got a visit from the UK police years and years ago because..

well, he was using a little-known browser called Lynx

so he was "hacking"

or something. He didn't get convicted of any crime, just a raid

@mhoye whhhhhaaaaaat‽
Wow, just wait until they hear about the "curl" command, right‽

@mhoye why? There's a million other ways to view source... It doesn't make any sense...

@mhoye I think it's not webpages but for example your school admin which can set that up (unless I misunderstood what URLBlocklist is). Seems to be mostly to swipe shitty quiz pages and web blockers under the rug, see bugs.chromium.org/p/chromium/i

@x44203 @mhoye That's such a bad example case though. It's 100% the wrong way to implement secure tests. Reminds me of the old JavaScript password protected sites which simply ran an IF statement on the client side to check the validity of the password. High security for sure.

@jaywilliams @mhoye Yes, I wonder how that even happens??? Like do the devs have no idea how a website works?

@jaywilliams @mhoye

*The kids access blocked webpages by pasting their source into an online HTML viewer*

*Some noob admin blocks right click*

*The kids access blocked webpages by pasting the URL into an online HTML viewer with an import URL function*

@mhoye Obviously it's an important security feature to fight hackers!!!! 🙈

@mhoye@mastodon.social Finally! Microsoft and Google can collaborate to ruin the internet instead of splitting their efforts, this is just what the web needed!

@jd@newskey.cc @mhoye@mastodon.social Does this patch do anything? Like you can still type view-source: in the address bar or press F12?

@jd@newskey.cc @mhoye@mastodon.social Well I'm sure the countless chromium forks would not implement this patch.

@mhoye who does this stop even? people that would click the button can change browser or use a fork, is it literally just to show how evil they are?

@mhoye

I wonder how long until someone develops an add-on that counters it? 🤔

Probably won't be allowed on the Chrome store, though.

First hyperlink inaccessible, even with change to 'view, page style, no'; says it all.
A quick attempt to view via 'lynx':

"
To use PolyGerrit, please enable JavaScript in your browser settings,
   and then refresh this page.
"

A subsequent search (ddg, naturally) query results included reference to 'polymer'. Similarly to the program (sorry, "app") 'element', don't like usage of chemistry terms by software people... ;)

@mhoye the utterly ridiculous thing is that they added this to the browser as a *workaround* for incorrectly implemented test sites exposing answers to users instead of doing correct server-side validation :/

This doesn't need to be in the browser. Just fix the damn test sites. (If the test vendor refuses to fix it, well, it's time for a new vendor?)
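
The server-side validation asked for in the post above (and the client-side check criticised earlier in the thread), as an added example that is not part of the thread or of any vendor's code. The quiz data and the function names renderLeaky, renderSafe and grade are hypothetical.

```javascript
// Constructed sample quiz as stored on the server.
// The `answer` field must never be serialized into anything sent to the browser.
const QUIZ = [
  { id: 'q1', prompt: '2 + 2 = ?', choices: ['3', '4', '5'], answer: '4' },
  { id: 'q2', prompt: 'Capital of France?', choices: ['Paris', 'Rome'], answer: 'Paris' },
];

// Flawed pattern: the full record, answer key included, goes into the page.
// Hiding "View Source" does not help; the key is in every HTTP response.
function renderLeaky(quiz) {
  return JSON.stringify(quiz);
}

// Corrected pattern: allow-list only the fields needed to display a question.
// An allow-list (not a delete of `answer`) stays safe if new fields are added later.
function renderSafe(quiz) {
  return JSON.stringify(
    quiz.map(({ id, prompt, choices }) => ({ id, prompt, choices }))
  );
}

// Grading happens on the server against the stored key.
// `submission` is untrusted input: expected shape is { questionId: chosenString }.
function grade(quiz, submission) {
  const given =
    submission !== null && typeof submission === 'object' ? submission : {};
  let score = 0;
  for (const q of quiz) {
    // Own-property check avoids matching inherited keys such as "constructor".
    const has = Object.prototype.hasOwnProperty.call(given, q.id);
    const value = has ? given[q.id] : undefined;
    // Only an exact string match counts; arrays, objects and numbers are rejected.
    if (typeof value === 'string' && value === q.answer) score += 1;
  }
  // Return only the result, never the key itself.
  return { score, total: quiz.length };
}
```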

@kepstin @mhoye this sounds a lot like it could even be related to that court case somewhere in the southern US accusing someone who reported that SSNs were being sent in the HTML of a government webpage and is now getting sued for hacking them. It is disappointing that web browser developers are so uncritical that they'd unquestioningly implement this when it goes against the core of what the web is.

@thufie
It was Missouri and that case is very important context for this I think
@kepstin @mhoye
