-1

Having caused some Track&Report-Messages in console recently I just became aware of those client-side logging capabilities of accordingly armed websites. I always thought the console would be my very own real estate, but that was naive, quite obviously.

I am working on a browser extension to keep an eye on my own browsing behaviour etc., logging into storage.local for the time being, switching to indexedDB not far from here. But of course I utilise the console for debugging and convenience while developing the thing. So the website owner could fetch my logged objects, my stats, all of debugging in general? Even the whole storage or would obfuscating the object names help here?

Having looked into it I already read some "workarounds", like

  • no console logging at all (meh),
  • changing the console.log to only work with a global DEBUG-flag I set (same here if for many other reasons),
  • constantly clearing console (does it even help)

and lots of more ideas, none of which sounds elegant or even very helpful in the first place.

So my question is, if you have suggestions on how I can keep at least a minimal console-like feedback from javascript but hiding my own stuff from all the web servers and third parties? Sadly I found no resources that explain the topic further, also regarding privacy and all.

The usual term is "client side logging" btw., if you want to google it. There is much info and apps for the website side, not so much for the local side to control it. It is not well known enough yet to not cause misunderstandings.

Amanahumpa
  • 2
    Do your logging on server side. You can't prevent client side logging. Client side is not secure because it can be manipulated by the user. – devlin carnate Sep 26 '22 at 18:06
  • Please take your time to read the question again. I meant it the other way around. – Amanahumpa Sep 26 '22 at 18:07
  • The question says "client side console logging" right in the title. If that's not accurate, please update your question. – Rocky Sims Sep 26 '22 at 18:08
  • Then your question is unclear because in its current form, it is asking how to prevent client side logging. The answer to that question is: You can't. – devlin carnate Sep 26 '22 at 18:09
  • From what I read this is the usual term, although of course it may be wrong. I used it so the topic would be easy to recognise. Which is not working 'til here... yes. – Amanahumpa Sep 26 '22 at 18:10
  • Client side is the browser. JavaScript and console.log() are client side. If you wish to do something that can't be manipulated by the user, do it server side. – devlin carnate Sep 26 '22 at 18:12
  • 1
    Again, this is not what this is about. – Amanahumpa Sep 26 '22 at 18:12
  • Then clarify it. Because in its current form, this question IS asking about how to stop client side logging. – devlin carnate Sep 26 '22 at 18:14
  • Would it be okay to wait just a sec until someone arrives who is familiar with the term? – Amanahumpa Sep 26 '22 at 18:17
  • 2
    They seem to be asking how to stop generic server apps from retrieving unrelated logs generated client-side by their client-side extension? - if so, I'm not aware that's a thing, so this may not be an actual issue... – Gwyn Evans Sep 26 '22 at 18:36
  • You could google "client side console logging" at any time to get a first contact with the topic. I'd rather suggest that before downvoting the question. -3 so far. You sure, what you're doing? – Amanahumpa Sep 26 '22 at 18:44
  • I have googled that, and now I'm even more confused (I have 0 experience in such topic) – Mod3rnx Sep 26 '22 at 18:51
  • What kind of browser extension are you developing, what extension APIs do you have available? There should be some code that is not running within the page, and that won't be accessible from scripts in the page. Same for localStorage and IndexedDB: if you use your extension host, it'll be inaccessible, if you put them in the domain of each loaded page then the page's scripts will be able to access them (though usually won't, given they don't know your names) – Bergi Sep 26 '22 at 19:32
  • Yes, the purpose of the extension is to overlook my online-behaviour so it has to get access to all sessions. The APIs are all of the AD-results for the search term "client side logging". It is a thing. Yes, the question is indirectly about code, but I would have felt stupid to write down "console.log('Some text');", just to have some causing code there. I think people interested in the question are familiar with this. Or do you think I should add it? – Amanahumpa Sep 26 '22 at 20:58
  • No, I mean how do you make your extension run `console.log('Some text');` inside the web page? Is it a userscript? A WebExtension? Something else? – Bergi Sep 26 '22 at 22:48
  • And yes, I know the term client-side logging, I don't think you need to clarify the question in that regard. (Though I have no idea what you mean by "*all of the AD-results*") – Bergi Sep 26 '22 at 22:51
  • By injecting a script into the web page. It's one of the possible and basic functions of a browser extension. It's quite funny, look it up one time! – Amanahumpa Sep 26 '22 at 22:52
  • Why do you need to inject a script into the web page to track your browsing behaviour? But either way, the solution is simple: don't log from the injected script, log from the extension code itself. That console is not accessible from the webpage, and won't get intercepted by clientside log reporting tools. – Bergi Sep 26 '22 at 22:55
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/248377/discussion-between-amanahumpa-and-bergi). – Amanahumpa Sep 27 '22 at 10:27
  • Please [edit] your question to provide these details, then I can write up an answer – Bergi Sep 27 '22 at 21:45

1 Answer

0

The scenario you appear to be concerned about is when a server-side application deploys a client-side agent, to allow them to monitor their own app's behaviour from the client side, and it also sucks up your extension's debug info.

This is potentially possible, and there's not a general solution at present but while it's unlikely, you could do something like reviewing if any of the data potentially being exposed is actually sensitive. If so, secure that specifically by encrypting with public key encryption, but more likely, you'll be able to continue without needing to log that specific data.

Gwyn Evans
  • Let's say I wanted to log into the console. Do you know something about the mentioned "potentials" to avoid it? What do you mean with unlikely? Is there something to back that up? I would appreciate this very much and since no one even seems to know about the term "client side logging" it could be helpful then in any way. – Amanahumpa Sep 26 '22 at 20:30
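
Added example, not part of the original posts: a constructed Node simulation of the two suggestions above, namely that a page-side logging agent only sees what is logged through the page's own console, and that sensitive fields can simply be left out of what gets logged. All names here (`installPageAgent`, `makeExtensionLogger`, `sendToExtension`) are hypothetical; `sendToExtension` stands in for a message channel to the extension's own code, and the sample URL is constructed.

```javascript
// Stand-in for the console object that lives in the web page's JS world.
function makeConsole() {
  return { log: () => {} };
}

// What a page-side "client side logging" agent does: wrap console.log
// and keep a copy of every call so it can be reported to the site's server.
function installPageAgent(pageConsole) {
  const captured = [];
  const original = pageConsole.log;
  pageConsole.log = (...args) => {
    captured.push(args.map(String).join(' '));
    original.apply(pageConsole, args);
  };
  return captured;
}

// Logger for the extension: it never touches the page's console.
// sendToExtension (assumption) models passing the entry to extension code,
// whose console and storage the page's scripts cannot reach.
function makeExtensionLogger(sendToExtension, sensitiveKeys = []) {
  return (event, data = {}) => {
    const safe = {};
    for (const [key, value] of Object.entries(data)) {
      // Drop values that were judged sensitive instead of logging them.
      safe[key] = sensitiveKeys.includes(key) ? '[redacted]' : value;
    }
    sendToExtension({ event, data: safe, ts: Date.now() });
  };
}

function runDemo() {
  const pageConsole = makeConsole();
  const captured = installPageAgent(pageConsole);
  const extensionLog = [];
  const log = makeExtensionLogger((msg) => extensionLog.push(msg), ['url']);

  // Injected script logging through the page's console: the agent sees it.
  pageConsole.log('visit', 'https://example.test/account');
  // Same event sent over the extension channel: the agent sees nothing new.
  log('visit', { url: 'https://example.test/account', dwellMs: 1200 });

  return { captured, extensionLog };
}
```
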