How to prevent websites from client side console logging

Question

Having caused some Track&Report-Messages in console recently I just became aware of those client-side logging capabilities of accordingly armed websites. I always thought the console would be my very own real estate, but that was naiive, quite obviously.

I am working on a browser extension to keep an eye on my own browsing behaviour etc., logging into storage.local for the time being, switching to indexedDB not far from here. But of course I utilise the console for debugging and convenience while developing the thing. So the website owner could fetch my logged objects, my stats, all of debugging in general? Even the whole storage or would obfuscating the object names help here?

Having looked into it I already read some "workarounds", like

• no console logging at all (meh),
• changing the console.log to only work with a global DEBUG-flag I set (same here if for many other reasons),
• constantly clearing console (does it even help)

and lots of more ideas, none of which sounds elegant or even very helpful in the first place.

So my question is, if you have suggestions on how I can keep at least a minimal console-like feedback from javascript but hiding my own stuff from all the web servers and third parties? Sadly I found no ressources that explain the topic further, also regarding privacy and all. Any hint/link would be much appreciated.

Thank you.

Answer 1

The scenario you appear to be concerned about is when a server-side application deploys a client-side agent, to allow them to monitor their own app's behaviour from the client side, and it also sucks up your extension's debug info.

This is potentially possible, and there's not a general solution at present but while it's unlikely, you could do something like reviewing if any of the data potentially being exposed is actually sensitive. If so, secure that specifically by encrypting with public key encryption, but more likely, you'll be able to continue without needing to log that specific data.