
The two big ones are:

1. Watching window.innerHeight/innerWidth for sudden, large decreases, indicating that the user just opened the inspector.

2. Logging objects to the console with toString methods and checking if that method gets called.



1. That could also be triggered by browser sidebar windows opening though. All of my browsers open dev-tools in a separate window so this is far from foolproof.

2. Ahhh, clever!


1. should be trivial to avoid, by opening dev tools in a new window

but 2. I have no idea, except the browser vendors would add a "stealth dev mode"


2. JSON.stringify(object)


But isn't the point that you want to detect what the foreign code does?

So your solution would require injecting your code into the code that wants to hide from you ... ?


I think the idea is you patch the console to display the objects without calling their toString methods.


I don't think that works

I might be off here, but I imagine console.log early exits if there's no console open, so it doesn't call toString

If that's the case you can just write to the console in a loop and immediately know if one is open


> I might be off here, but I imagine console.log early exits if there's no console open, so it doesn't call toString

The point is to avoid calling toString when the console is open, by using some other way of displaying logged values.


I'm saying you can't avoid calling toString.

Their code will call console.log(object) every X ticks.

As soon as you open the console, console.log fires instead of early exiting => object.toString is called => they know the console is open


Well… you can on a lot of things. We never did .toString() on a whole lot. However, I was big on .displayName (as an override on .name which is found on functions)

My memory is fuzzy, but I also had a different function I would call if frameworks added it so instead of “Object {}” it was “Backbone.Model {id=1}”.

I put these in and used them in Firebug extensions I wrote for frameworks.

Later I asked Chrome to add something, which is why there is an “enable custom formatters” option for the console. Really needs to work in the debugger though.


Do you not understand that it's not your code and that their code wants toString to be called?

Someone else is writing code that they want to have react to the console opening.

So they will intentionally force the call as soon as the console is open, as a result toString is called regardless of if you yourself have made a call to it.


> console.log fires instead of early exiting => object.toString

The point is that you patch the console to not do that.


How does "JSON.stringify(object)" patch the console not to do that without first opening the console?


For 2 my first thought is the opposite. Fire the detected method even if devtools isn't opened.
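The exchange above, worked through as an added example that is not part of any comment in the thread: a toString probe against a console that opens midway, and the "patch the console" countermeasure. The model console, its early exit while closed, and all function names are assumptions made for illustration, not any browser's real implementation; the patch is assumed to be installed before the page's own script runs.

```javascript
// Model console (assumption taken from the thread): log() returns early while
// closed and stringifies its argument once open. Not a real browser console.
function makeModelConsole() {
  return { open: false, lines: [], log(value) {
    if (this.open) this.lines.push(String(value)); // String() calls value.toString()
  } };
}

// Page-side probe (technique 2): counts how often something rendered the bait.
function makeProbe() {
  const probe = { hits: 0 };
  probe.bait = { id: 1, toString() { probe.hits += 1; return "bait"; } };
  return probe;
}

// Analyst-side formatter: reads property descriptors only, so it never calls
// toString, toJSON or getters defined by the logged object.
function describe(value, depth = 0) {
  if (typeof value === "function") return "[Function]";
  if (typeof value === "string") return JSON.stringify(value);
  if (value === null || typeof value !== "object") return String(value);
  if (depth >= 2) return "{...}";
  const parts = [];
  for (const [key, d] of Object.entries(Object.getOwnPropertyDescriptors(value))) {
    parts.push(key + ": " + ("value" in d ? describe(d.value, depth + 1) : "[Getter/Setter]"));
  }
  return "{ " + parts.join(", ") + " }";
}

// Patch the model console so that an open console no longer trips the probe.
function patchConsole(modelConsole) {
  modelConsole.log = function (value) {
    if (this.open) this.lines.push(describe(value));
  };
  return modelConsole;
}

// Runs the probe against a console that opens midway; returns what the page learns.
function runScenario(patched) {
  const con = patched ? patchConsole(makeModelConsole()) : makeModelConsole();
  const probe = makeProbe();
  con.log(probe.bait);            // console closed: no hit either way
  const hitsWhileClosed = probe.hits;
  con.open = true;                // analyst opens the console
  con.log(probe.bait);            // the page keeps logging the bait
  return { hitsWhileClosed, hitsWhileOpen: probe.hits, output: con.lines[0] };
}
```

Swapping `describe` for `JSON.stringify` would skip `toString` but still invoke `toJSON` and enumerable getters, so a probe could move its counter there.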



