by alexjplant 1705 days ago
The US Government has a STIG (Security Technical Implementation Guide [1], a government-proprietary term for "IT policy") that requires that you disable Dev Tools in IE [2], Edge [3] and Chrome [4]. Their justification (from [1]):

> Information needed by an attacker to begin looking for possible vulnerabilities in a web browser includes any information about the web browser and plug-ins or modules being used. When debugging or trace information is enabled in a production web browser, information about the web browser, such as web browser type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any back-ends being used for data storage may be displayed

I wish I were making this up.

[1] https://en.wikipedia.org/wiki/Security_Technical_Implementat...

[2] https://stigviewer.com/stig/microsoft_internet_explorer_11/2...

[3] https://www.stigviewer.com/stig/microsoft_edge/2021-02-16/fi...

[4] https://www.stigviewer.com/stig/google_chrome_current_window...
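For readers who want to see what the Chrome requirement looks like when it is actually enforced: the following is an added illustration, not taken from the post or from the STIG text linked above. It assumes Chrome on Linux reads managed policy files from /etc/opt/chrome/policies/managed/ and that the relevant policy key is DeveloperToolsAvailability, whose value 2 disallows DevTools entirely (value 1 allows them; value 0 allows them except on force-installed extensions). The "before" fragment is the permissive default an administrator would be replacing, and the "after" fragment is the locked-down setting.

```json
{
  "_comment_before": "Permissive setting (constructed example): DevTools usable, shows what the STIG rule is replacing",
  "DeveloperToolsAvailability": 1,

  "_comment_after": "STIG-style setting (constructed example): DevTools disabled for all pages and extensions",
  "DeveloperToolsAvailability_hardened": 2
}
```

A real policy file carries a single DeveloperToolsAvailability key with the chosen value (the suffixed key above exists only to show both values side by side), and the effective value can be checked on the client by opening chrome://policy, which lists each managed key, its source and whether it was applied without error.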


I can think of at least one legitimate reason to block the dev console. There are these posts I've seen over the years that say to "press the hotkey to open the JavaScript console, and paste this JavaScript blob" (obviously in much more persuading terms) to get a discount on Ray-Bans or something. Disabling it prevents a possible information leak vector.
There's a legitimate reason for doing _almost anything_ - it's a question of likelihood, impact, and knock-on effects.

I can only imagine how much taxpayer money has been set on fire by developers having to debug single-page applications running on these systems without the aid of Dev Tools... these types of material wastages are created in an imperfect attempt to prevent the mere possibility of something that could be more effectively mitigated through training and web content filtering.

I've never seen one in the wild, but thought it would be interesting to see what they want you to paste into the console, probably something to transmit them your session token. I know Facebook has a huge warning about it when you open devtools on their site.
Yeah - they added that warning because of these precise things. I haven't kept one around but I've definitely seen them since I fell for it many, many years ago.
This seems really lazy. Duh, it's gov't, but I'm talking about the attacker. If they can use JS to gather all of that info to display in the console hoping to get a user to read it back to them or whatever, why not just save it all and submit back via ajax?