Oh, I don't mean for the purposes of security, but sites thinking that they're protecting their content in some way by dropping in a future jquery plugin or whatever that disables the console, and suddenly the hackability and usability of the web becomes much less.

Another place where you see this sort of thing: banks that try to prevent password managers from filling in your credentials (also I've seen a few recently that try to prevent you from pasting in your password).

There is a tradeoff there too: like this Facebook trick helping save some users, bank tricks probably help some users from accidentally saving their bank credentials on some public or shared computer, but it makes it really annoying (or not possible short of opening devtools and setting the input box's value manually) for those of us that want a unique and more-or-less random password for each site we visit.

If you are using FF or Chrome you can just make your browser run a js script after loading a certain page.

It's neat for small changes as you don't have to write a whole extension just a simple script.

Web browsers had had the capability to execute javascript through the URL bar since as long as I can remember. Social engineers should be able to just bypass this by telling users to copy paste the following code, Control+L, type "javascript:" (chrome strips it when copy-pasting), Control+V, Enter.

    javascript:alert('hi ' + document.body.innerHTML);

If people can be tricked into executing code in the dev console, then why not this too?

Browsers have already started to remove/limit code execution capability from the address bar.

https://bugzilla.mozilla.org/show_bug.cgi?id=656433

https://code.google.com/p/chromium/issues/detail?id=82181

Wait does this mean bookmarklets will fail in those browsers from now on?

My bookmarklets run just fine, JS in the URL-bar doesn't.

But bookmarklets execute via the URL bar, that's all they are...

Do the bookmarklets execute in the context of the page?

Yes, they work just as they've always done.

That no longer works in newer Firefox (and I think Chrome?). You can turn that back on in about::settings though.

edit: Ooops, someone had already made a post to this effect. Sorry.

I tested it in Chrome before posting. Notably it removes the javascript: from the clipboard, but that's why I said to have the user type that part.

I think (Chrome & Firefox) you can use a content security policy to prevent JavaScript running from the address bar:

http://en.wikipedia.org/wiki/Content_Security_Policy

Something something security by obscurity something something.

This isn't anything to do with security by obscurity. This is like putting a cover over the launch missiles button.