[gitgud]

This looks very useful, but it does concern me that this is even possible. Simply starting chrome with a `--remote-debug` flag allows you to run JavaScript in any tab? seems like it could easily be exploited somehow; read passwords, copy userinfo etc.

[snorrah]

Yeah this is a non issue. It’s like any dev environment letting you overrule things by supplying an environment variable or similar.

[vortico]

Remember that if you have access to run a shell command, you have access to rm -rf /*.

[gitgud]

Yes true, the chrome flags are the least of your problems then!

[parhamn]

> Simply starting chrome with a `--remote-debug`

I wouldn't call that "simple". Sounds like fine behavior given non-devs generally don't even know how to run Chrome with custom flags and developers know that remote debugging generally means remote execution with data/memory access. Would you prefer a better flag name or lock remote debugging to a subset of tabs?

[gitgud]

That's true, I suppose as long as there's indication that the mode is enabled, a warning or something (haven't tested it myself yet).

If the desktop launcher was modified to include that flag, then you would never know while browsing right? Maybe I'm just paranoid...

[nerdponx]

I'm not a security expert, but if you are at that point that I suspect you have bigger problems than start up flags being modified