Reputation: 1
Can a Website owner see if I run custom Javascript in DevTools
I'm often using Javascript in the Chrome DevTools to extract Links from a Website or to bulk click accordions.
There are trackers like TrackJS out there that can track Javascript errors and report them to the website owner. But what about working code?
Can a website owner see when I do something like this in the DevTools?
document.querySelector('.button1').click() ?
And if so, what exactly can he see? Just the return values or the whole code? Are there ways to prevent that?
On this thread Can website owner see what client run in console? @purple said:
But technically speaking, a website could be coded in a way, that every change to the DOM is going to be reported back to the backend (for example via fetch), so it is possible that, for example, a website could track how many times in a second you press a button or something like that.
Does that mean that pressing a button like in my example above can theoretically be tracked by the website owner if the button changes the DOM but that the owner cannot find out if I clicked the button with my mouse or via Javscript? And he could also not see that if the button doesn't change the DOM?
Also nobody talks about Trackers like TrackJS. The general statement is that a website owner cannot see what happens in the console but with TrackJS I know, that you can definitely see the exact error messages there. Are Errors treated differently to the rest of the console code?
Upvotes: 0
Views: 334
Answers (1)
Reputation: 234
A website can track your mouse positions to analyze if you click that button with an actual mouse. (I believe some websites even can tell if it is a human action by analyzing the pattern of the mouse movement). But they may also have to detect keyboard clicks, users could use "TAB" key to navigate and focus the button, and ENTER or SPACE key to trigger a click, which shouldn't be specifically interesting to the website owners or operators.
I don't think they could get the code you run in the console. But a global error event handler may detect errors reported by your code and get a stack trace, which may expose some of your code. But if you code doesn't trigger any error, and doesn't change any DOM element or property (i.e. just read the content of the website without modification), that should be fine.... but...
They may trap some properties of DOM elements with Object.defineProperty and getter functions, when your code read those specific properties, the getter function would be called, and may detect and report the misuse of itself to the server.
I don't think a merely document.querySelector('.button1').click() would cause any DOM changes that could be detected. But it can be tell by the event.which property (). And there is a event.isTrusted property, but some browsers may not support it, I'm not sure.
Upvotes: 1
Related Questions
- Record user actions in Chrome Devtools: Possible?
- Javascript execution tracking in Chrome - how?
- Can website owner see what client run in console?
- Detecting when a user executes JavaScript in the browser
- Can a Browser Plugin or Extension see the value of javascript variables running in a page
- Detect the code acting on an element in DevTools
- Can a website know if I am running a userscript?
- Is it possible in JS to detect whether any JS was run from the browser's console?
- Can I log somehow currently running javascript functions into Chrome developer console?
- Tracking the use of my Javascript