1. // It appears Netflix is following (Facebook's lead)[https://news.ycombinator.com/item?id=7222129].
2.  
3. (function() {
4.     try {
5.         var $_console$$ = console;
6.         Object.defineProperty(window, "console", {
7.             get: function() {
8.                 if ($_console$$._commandLineAPI)
9.                     throw "Sorry, for security reasons, the script console is deactivated on netflix.com";
10.                 return $_console$$
11.             },
12.             set: function($val$$) {
13.                 $_console$$ = $val$$
14.             }
15.         })
16.     } catch ($ignore$$) {
17.     }
18. })();
19.  
20. // I feel like we're seeing the next generation of engineers pursue ideas that were demonstrated
21. // bad by the previous. First, we'll disable right-click, you know, "for security reasons." And by
22. // that we mean "so you can't steal our source code or save our images to your disk (even though you
23. // can still "View Source" in the browser and download the images in a similar way). Now we'll
24. // disable the console, you know, "for security reasons."
25.  
26. // Note: the NSA stores your phone conversations (and much more), you know, "for security reasons."
27. // It's an amazing justification that validates any nefarious behavior. Oh, you'd like to destroy
28. // my freedoms? Why? "For security reasons." Oh, go right ahead then! Thanks so much for looking
29. // out for me!
30.  
31. // Google should really patch this. The command line API should be privileged so that third
32. // parties can't modify how the browser behaves without explicit authorization (i.e. an extension).
33. // But if you're feeling up to it, you can run the following line via an extension to prevent
34. // this abuse:
35.  
36. // Object.defineProperty(window, 'console', {configurable: false, value: window.console});
37.  
38. // Crockford has the correct idea when it comes to
39. // (security in web applications)[https://www.youtube.com/watch?v=zKuFu19LgZA&t=27m15s].
40. // Cookies with session identifiers should be HTTPS only. Local storage and globals should not store
41. // sensitive data. API requests can be made inaccessible from XSS (and that includes self-XSS) by
42. // means of a CSRF token that is properly secured (as explained in a roundabout way in the video).
43. // You should also be using a CSP to prevent the script injection Facebook demonstrated (but I
44. // don't see a CSP on Netflix.com).
45.  
46. // And interestingly, Chrome (even Canary) still allows the user to run javascript from the omnibar.
47.  
48. // Disabling the console is just stupid.