Here's some thoughts from the security team:

"The edit-and-resend feature is really just an easier way to craft network requests. You could inspect the network request in the devtools and send it with any other application, or even through JS via the devtools console. I don't see any security benefit in disabling. Sufficiently skilled users can always send custom network requests and the application that handles them has to make sure that can't be abused."

"Other network panes (also in other browsers) have copy as cURL. Which would then allow you to paste outside of the browser and re-send the request with cURL (but with the right cookies + UA string etc.). So they make it almost as easy as us"

Mike

On Thu, Feb 18, 2021 at 12:58 PM Hoang (US), Victor T <[email protected]> wrote:

> Hello everyone,
>
> I was wondering if anyone has experimented (or knows anything) regarding
> disabling a feature that allows end users to edit and resend network
> requests in the F12 developer tools under Network → JS XHR Headers. Some
> app developers in my company were mentioning that Safari and Chrome don’t
> have this enabled and could see this as a potential security risk? To me,
> this sounds like something that would need to be encrypted on the
> developers side and not necessarily something that can be bandaided from
> the browser.
>
> Under about:config, I typed in: “devtools.*.enabled” and noticed I could
> easily disable dev tools all together, but that’s not exactly what I want.
>
> Thanks all,
>
> Victor Hoang | Web browser technologies | (425) 234-8481 <+14252348481> |
> [email protected]
>
> *Enterprise Computing Solutions*
>
> _______________________________________________
> Enterprise mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/enterprise
>
> To unsubscribe from this list, please visit
> https://mail.mozilla.org/listinfo/enterprise or send an email to
> [email protected] with a subject of "unsubscribe"
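
An added example, not part of the thread: a server-side handler that applies the checks the security team's reply says the application has to make, so that an edited and resent request gains nothing. The endpoint, account data and function name are hypothetical, and the requests are constructed.

```javascript
// Constructed server-side state: which user owns each account.
const ACCOUNTS = new Map([
  ["acct-100", { owner: "alice", balance: 500 }],
  ["acct-200", { owner: "bob", balance: 900 }],
]);

// Hypothetical handler for POST /api/transfer. `session` comes from the
// server's own session store; `body` is the parsed JSON the client sent and
// is untrusted no matter which tool produced it.
function handleTransfer(session, body) {
  if (!session || !session.user) return { status: 401, error: "not logged in" };

  const { from, to, amount } = body || {};
  if (typeof from !== "string" || typeof to !== "string") {
    return { status: 400, error: "bad account id" };
  }
  // The page's form may already limit the amount; the check is repeated here
  // because an edited request never passes through the page's JavaScript.
  if (!Number.isInteger(amount) || amount <= 0) {
    return { status: 400, error: "bad amount" };
  }
  const src = ACCOUNTS.get(from);
  const dst = ACCOUNTS.get(to);
  if (!src || !dst || from === to) return { status: 404, error: "unknown account" };

  // Authorization is decided from the session, never from a request field.
  if (src.owner !== session.user) return { status: 403, error: "not your account" };
  if (src.balance < amount) return { status: 409, error: "insufficient funds" };

  src.balance -= amount;
  dst.balance += amount;
  return { status: 200, balance: src.balance };
}

// Constructed requests: what the page would send, then edited copies of it.
const alice = { user: "alice" };
const results = [
  handleTransfer(alice, { from: "acct-100", to: "acct-200", amount: 50 }),
  handleTransfer(alice, { from: "acct-200", to: "acct-100", amount: 50 }), // source changed
  handleTransfer(alice, { from: "acct-100", to: "acct-200", amount: -50 }), // amount changed
  handleTransfer(null, { from: "acct-100", to: "acct-200", amount: 50 }), // no session
];
console.log(results.map((r) => r.status)); // [ 200, 403, 400, 401 ]
```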

