fbug - issue #4772

console.firebug should be removed


Posted on Aug 24, 2011 by Happy Giraffe

What should be implemented/improved?
In issue 4395 and the discussions about that issue, we came to the conclusion that exposing Firebug in any way to the client or the server constitutes a security issue. As a consequence, "console.firebug" needs to be removed from the Console API, as mentioned in comment 12 of issue 4395.

Steps to reproduce:
1. Open Firebug on this page
2. Enable and switch to the Console panel
3. Type "console.firebug" (without quotes) into the Command Line and hit Enter

=> Currently it returns the version of Firebug, which should not be exposed

Comment #1

Posted on Aug 24, 2011 by Massive Wombat

Patch committed at R11598

Thanks for the report Sebastian! Honza

Comment #2

Posted on Aug 26, 2011 by Massive Wombat

This is one of 21 issues fixed in Firebug 1.9a1 http://getfirebug.com/releases/firebug/1.9/firebug-1.9.0a1.xpi

Please verify the fix and let us know if it works for you.

Thanks for the help, we appreciate that!

Honza

Comment #3

Posted on Sep 14, 2011 by Happy Giraffe

Changed the label to be able to search for issues fixed in 1.9.

Comment #4

Posted on Dec 31, 2011 by Grumpy Wombat

I think this change needs more prominent documentation. e.g. A search for "console.log" on http://blog.getfirebug.com/ returns no results.

Let me share how this change affects me:

My project uses a popular JS library called Slickgrid. I use a script called firebugx.js, bundled with Slickgrid which is designed to prevent error messages when used on systems without Firebug enabled:

    if (!("console" in window) || !("firebug" in console)) {
        var names = ["log", "debug", "info", "warn", "error", "assert", "dir", "dirxml",
                     "group", "groupEnd", "time", "timeEnd", "count", "trace", "profile", "profileEnd"];

        window.console = {};
        for (var i = 0; i < names.length; ++i)
            window.console[names[i]] = function() {}
    }

So you can see why after upgrading to Firebug 1.9 I no longer get any console debugging messages.

As noted by Sebastian in comment 19 in Issue 4395, given the now widespread support for the console facility, even without Firebug, a test for the console object, rather than Firebug is more appropriate.

However the simple test, "if (console)", does not always work. e.g. in IE9. You get this error message: Error: 'console' is undefined and the rest of your JavaScript driven web app stops working. :(

I am now using the test suggested by Tom Auger here: http://stackoverflow.com/questions/8095348/website-with-js-doesnt-work-in-ie9-until-the-developer-tools-is-activated

The test is: if (typeof console === "undefined" || typeof console.log === "undefined")

I am interested to know whether the Firebug developers feel this is the way to go.

It would be nice if there was a "Detecting Firebug" section on your FAQ page.

Rohan

Comment #5

Posted on Jan 2, 2012 by Happy Giraffe

> I think this change needs more prominent documentation.
Agree.

> A search for "console.log" on http://blog.getfirebug.com/ returns no results.
But searching for "console.firebug" at http://getfirebug.com/wiki gives the right hint.

> However the simple test, "if (console)", does not always work. e.g. in IE9. You get this error message: Error: 'console' is undefined
At least in IE8 that is working. See the attached file. Need to re-test it in IE9 though.

> if (typeof console === "undefined" || typeof console.log === "undefined")
> I am interested to know whether the Firebug developers feel this is the way to go.
"if (typeof console == "object")" should be the best way to check if the 'console' object is defined. typeof always returns a string, so a check with === is not needed. The check for console.log() being defined is ok, but not necessary, because all browsers that support the 'console' object at least also expose a log() function.

> It would be nice if there was a "Detecting Firebug" section on your FAQ page.
The point of issue 4395 was to avoid detection of Firebug. So the answer to this would just cover how to detect the 'console' object.

Sebastian

Comment #6

Posted on Jan 3, 2012 by Grumpy Wombat

Having had another look at it, the complication in IE9 is that the "if (console)" test fails with an error message if the debug console (F12) is not open.

Thanks for your refinements to the console detection code, and all your other great work.
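
Added example (not part of the thread, and not code from firebugx.js or Firebug): the firebugx.js check from comment 4 next to a guard that tests for the console methods themselves, using the `typeof ... === "undefined"` form discussed in comments 4 and 5. The function names and the `root` parameter, which stands in for `window`, are assumptions made for illustration.

```javascript
// Added example, not from firebugx.js or Firebug. Function names are
// hypothetical; `root` stands in for `window` so this also runs in Node.
var CONSOLE_METHODS = ["log", "debug", "info", "warn", "error", "assert",
    "dir", "dirxml", "group", "groupEnd", "time", "timeEnd", "count",
    "trace", "profile", "profileEnd"];

// The firebugx.js test from comment 4: any console that lacks a `firebug`
// property is thrown away and replaced by no-ops.
function legacyFirebugxShim(root) {
    if (!("console" in root) || !("firebug" in root.console)) {
        root.console = {};
        for (var i = 0; i < CONSOLE_METHODS.length; ++i)
            root.console[CONSOLE_METHODS[i]] = function () {};
        return true; // the console was replaced
    }
    return false;
}

// Feature-detecting variant: never reads console.firebug, keeps every
// method the host provides, and returns the names it had to stub.
function installConsoleShim(root) {
    var stubbed = [];
    // A property lookup cannot throw, unlike a bare `console` reference.
    if (typeof root.console === "undefined" || root.console === null)
        root.console = {};
    for (var i = 0; i < CONSOLE_METHODS.length; ++i) {
        var name = CONSOLE_METHODS[i];
        // "undefined" test, as in comment 4: old IE reports host methods
        // as "object", so a === "function" test would stub a working log().
        if (typeof root.console[name] === "undefined") {
            root.console[name] = function () {};
            stubbed.push(name);
        }
    }
    return stubbed;
}

// Constructed stand-in for a Firebug 1.9 page: log() exists, no `firebug`.
function makeRoot(sink) {
    return { console: { log: function (msg) { sink.push(msg); } } };
}

var kept = [], lost = [];
var a = makeRoot(kept), b = makeRoot(lost);
installConsoleShim(a);  a.console.log("still visible");
legacyFirebugxShim(b);  b.console.log("silently dropped");
console.log("feature test kept:", kept.length, "legacy kept:", lost.length);
```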

Comment #7

Posted on Jan 17, 2012 by Massive Giraffe

Firebug can still be detected using ducktyping like so:

firebugEnabled = !!(window.console && (window.console.firebug || window.console.exception));

You can replace "exception" by "memoryProfile". Or "memoryProfileEnd". This will always work as long as Firebug's console implements a method that other consoles don't have.

Please re-introduce window.console.firebug and forget about that hypothetical "security issue". I can't get the point of that anyway.

Comment #8

Posted on Jan 17, 2012 by Grumpy Camel

or (console.assert(1) === '_firebugIgnore'), or (!!document.getUserData('firebug-Token')), or ((console.log+'').indexOf('return Function.apply.call(x.log, x, arguments);') !== -1). Or timing attacks.

I think the only thing the removal means is to discourage websites from treating Firebug differently from other debuggers. (Like Slickgrid unnecessarily did, for example.)

Comment #9

Posted on Jan 17, 2012 by Massive Wombat

> I think the only thing the removal means is to discourage websites from treating Firebug differently from other debuggers.
Exactly

Honza

Comment #10

Posted on Jan 17, 2012 by Massive Giraffe

Okay then. Do I have to file a separate bug for FirebugLite's broken disableWhenFirebugActive option?

Comment #11

Posted on Jan 17, 2012 by Happy Giraffe

Regarding comment 7 and 8 I created a new issue for that: Issue 5139

> Do I have to file a separate bug for FirebugLite's broken disableWhenFirebugActive option?
Yes please. Firebug Lite currently doesn't share that much code with Firebug, so it's better to track that separately.

Sebastian

Comment #12

Posted on Jan 18, 2012 by Massive Giraffe

>> Do I have to file a separate bug for FirebugLite's broken disableWhenFirebugActive option?
> Yes please. [...]

Done: Issue 5143

Comment #13

Posted on Jan 31, 2012 by Swift Cat

Just to point out one important difference: scripts that detect window.console do not detect Firebug, they detect window.console. If Firebug's Console is not enabled, then Firebug does not (at least did not) inject window.console. Firebug's other functionality can continue to operate.

The difference is important: Firebug should not provide a way for aggressive Web sites to detect if a user has Firebug installed.

Comment #14

Posted on Feb 2, 2012 by Massive Wombat

> Firebug should not provide a way for aggressive Web sites to detect if a user has Firebug installed.
Definitely agree.

Honza

Comment #15

Posted on May 2, 2012 by Happy Giraffe

Added hint at http://getfirebug.com/wiki/index.php/Console_API#Note.

Sebastian

Comment #16

Posted on May 15, 2013 by Happy Cat

>> Firebug should not provide a way for aggressive Web sites to detect if a user has Firebug installed.
> Definitely agree.
>
> Honza

I'm writing an app that helps you debug and need to know if firebug is installed (it renders console colors while others don't).

> Firebug should not provide a way for aggressive Web sites to detect if a user has Firebug installed.

Disagree...

Comment #17

Posted on May 15, 2013 by Helpful Wombat

> I'm writing an app that helps you debug
There is already one called Firebug. :-)

> it renders console colors while others don't
What do you mean by that?

Sorry, but the decision on this was already made. Allowing to detect if Firebug is installed discloses some privacy. See the related issue 5139.

A website should not behave differently whether Firebug is installed or not. Instead it can check if the 'console' object is available and print its debug output based on that info.

Sebastian

Comment #18

Posted on May 22, 2013 by Happy Cat

I care less if firebug is installed but rather if it is able to print colors...

see http://stackoverflow.com/questions/16485093/any-way-of-detecting-whether-a-browsers-console-is-able-to-render-colors

At the moment there is no concrete way of knowing colors are available in any browsers, one telltale sign is the use of console.firebug

The app that helps you debug does a lot more than firebug is able to...

Comment #19

Posted on May 23, 2013 by Massive Wombat

I don't understand why you want to check whether the currently installed console is able to print colors. Shouldn't you just use the console.* API and let the current tool decide how to display the logs?

Honza

Comment #20

Posted on May 23, 2013 by Helpful Wombat

> At the moment there is no concrete way of knowing colors are available in any browsers, one telltale sign is the use of console.firebug
Note that the Chrome DevTools also support the %c pattern. So the better way to go here is that the Firefox dev tools also implement this feature[1].

Sebastian

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=823097

Comment #21

Posted on Jun 23, 2013 by Grumpy Kangaroo

Enabling Firebug makes CPU intensive JavaScript at least 10x slower (e.g. zipping text of a considerable size etc. - without Firebug takes 100ms, with Firebug takes 15s - 150x slower in this case). Hence it becomes necessary to detect if Firebug is enabled to get around showing the "script has become unresponsive" box by Firefox.

Comment #22

Posted on Jun 23, 2013 by Helpful Wombat

That's a bug in Firefox. See issue 6458. In Firefox 22 that's already fixed.

Sebastian

Status: Verified

Labels:
Type-Enhancement console commandline Test-case-available fixed-1.9-a1 doc-available