Disable client-side logging in production mode

[fluorumlabs]

When server methods are called from the client side, the arguments XHRs are being also logged in the JS console. This opens up possibilities to intercept transmitted data by third party malicious code.

For the simplicity, let's suppose, we have the following client side code for logging the user in.

_onLogin(event) {
    if (this.$.lusername.validate() && this.$.lpassword.validate()) {
        this.$server.onLogin(this.$.lusername.value, this.$.lpassword.value);
    }
}

Since all XHR requests are also logged in JS console, it is possible to get username and password from the client side:

console.log_ = console.log; 
console.log = function(z) { if ((""+z).includes("onLogin")) alert(z); console.log_(z); }

The code could be injected via malicious browser add-ons, advertisement networks or via MitM attacks. Of cause, this is pretty synthetic example, as passwords should not be sent in a plain text, but this can be easily used to collect any personal data.

When production mode is used, the console logging should be stripped from JS code, so that it won't be possible to turn it on from the client.

[Legioth]

I don't see how removal of logging code would help against any scenario where an attacker can run code with the same privileges that Flow itself is run with. Various approaches for working around that "limitation" include:

• Serve an alternative implementation of Flow's client engine where the limitation isn't effective.
• Rewrite window.XMLHttpRequest to intercept the data in the same way that it was proposed to rewrite window.console.log.
• Read values from any <input type="password"> in the DOM.
• Rewrite the implementation of _onLogin or $server.onLogin, either dynamically in the same way as with window.console.log or by modifying the files in transit.

With that being said, I see other reasons for disabling logging in production mode:

• A minimal performance improvement.
• Avoiding confusion with evaluators that assume that info shown in the log isn't available through other sources.
• Limited protection against social engineering. ("Your computer might have a virus, please send me the contents of the browser console so I can verify it.")

[fluorumlabs]

Yes, I totally agree that we should disable logging in the production mode. Login security is a completely different ting and is out of scope of this issue. Should I rename the issue?