Kye a year ago

In which browser? It's a live view in Chrome and Firefox.

langcss a year ago

Yes, you are right. There is nothing wrong with the network tab in those browsers, but you may not reach all code paths in your quick (or lengthy) test.

Future behaviour may be different.

Also, on the web, code can change, either by the site owner or by a hacker. There is value in checking network requests if you need to, but it isn't foolproof.

Zambyte a year ago

"Live view" means a log of the past, not potential futures.

  • Kye a year ago

    I don't know what you're on about, but it does show the past and any new network activity.

    • aaarrm a year ago

      They're saying you won't know until after a request is already sent, and seem to be implying that this somehow stops someone from learning if data is sent to the server or not. I think they've forgotten the original point of this thread because their replies are missing the point.

      • langcss a year ago

        Let's say you trust absolutely that the network tab would reveal any communications with the server that could happen in the future. By "future" I mean the point where you are convinced that it is safe to use, and now you are using it with real data.

        If you had done this, even spending 10 hours looking at network traffic, you wouldn't have been protected from this hack: https://www.theverge.com/2018/4/24/17275982/myetherwallet-ha...

        That was a technically sophisticated hack, but there are simpler ones, like social engineering someone to take over their site.

        But putting hacks aside...

        Say you have a site and it doesn't mention whether the data is sent to a server and you want to find out. Now let's say that site does a backup to the server but only when localStorage has run out of space, but you don't know that.

        When you test the site in the network tab, and you haven't run out of localStorage space, then you will see no XHR and assume it's all good, it never sends to the server.

        You then use the app for a few days, hit the localStorage limit and it sends stuff to the server without you knowing. And yeah, you can keep the network tab open all the time if you have the discipline, but you only know once your data has been sent. It is too late.

        If you care enough about whether it sends stuff to the server to look at a network tab, then you probably care enough to want to know for sure.

        With the web as it is now there is only one way - trust the site and hope they do the right thing, and are secure. Or only put stuff on there you are happy to leak.

        So, made-up situation: if you are using this tool to edit and release a whistleblowing-related video as a journalist, maybe you shouldn't!

        You probably instead want a local app, running on Linux, on a machine that is disconnected from the network.

      • Kye a year ago

        I'm not sure. The impression I get is they're not aware that the tab isn't just a log of stuff before the page "finishes" loading, or not aware that the notion of a static page that can't make network requests at any time without a full reload went out with AJAX in the 2000s.

        • Zambyte a year ago

          Serious question: do you think WireGuard is an antivirus software? Do you think antivirus software does not exist?

          Reading a historic log that shows you have been pwned does not prevent you from being pwned. It's the wrong tool for the job.

    • Zambyte a year ago

      Yes. Exactly. It omits future network calls (things that have not yet happened by the moment you look), which is what the person you were replying to was talking about.

      • Kye a year ago

        It does not omit future network calls. You can, in fact, use the network tab to monitor a page's ongoing network activity as originally suggested.

        • recursive a year ago

          You won't be able to see that activity until after it has happened. An empty network monitor list isn't a guarantee of future behavior. Or current behavior.

          • Kye a year ago

            Okay. Then solve P=NP. Until then, we monitor and reverse engineer to verify as best we can.

            • recursive a year ago

              It doesn't need to be that hard. A reasonable solution is to quarantine the tab/app. Proactively revoke its network access after it's loaded.

        • Zambyte a year ago

          > It does not omit future network calls.

          It does.

          > You can, in fact, use the network tab to monitor a page's ongoing network activity as originally suggested.

          Did you forget that this comment chain was about leaking data to the server? Observing that you have leaked (note: past tense!) your data is not a recommended way to prevent leaking data.

          • Kye a year ago

            > It does.

            I am sitting here looking at a new entry added from a button click that creates a network call. Either you are wrong or confused about what the discussion is about.

            • Zambyte a year ago

              Was the entry added before or after you clicked the button?
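
Added example, not part of any comment in the thread: a constructed simulation of the two points argued above, langcss's backup that only fires once local storage is full and recursive's suggestion to revoke network access after load. `makeSandbox`, `noteApp`, `run` and `QUOTA` are hypothetical names, and no real browser or network API is used.

```javascript
// Constructed simulation; nothing here touches a real network.
const QUOTA = 3; // stand-in for the localStorage size limit (assumed value)

function makeSandbox() {
  const log = [];     // what a network tab shows: requests that were already sent
  const blocked = []; // requests refused because network access was revoked
  let online = true;
  return {
    log,
    blocked,
    quarantine() { online = false; }, // revoke network access after load
    send(url, body) {
      if (!online) {
        blocked.push({ url, body });
        throw new Error("network revoked");
      }
      log.push({ url, body }); // the data has left by the time the entry exists
    },
  };
}

function noteApp(sandbox) {
  const store = [];
  return {
    save(note) {
      if (store.length < QUOTA) { store.push(note); return "local"; }
      // Rare code path: only reached once local storage is full.
      try { sandbox.send("/backup", [...store, note]); return "uploaded"; }
      catch { return "refused"; }
    },
  };
}

function run(notes, { quarantineAfterLoad }) {
  const sandbox = makeSandbox();
  const app = noteApp(sandbox);
  if (quarantineAfterLoad) sandbox.quarantine();
  const results = notes.map((n) => app.save(n));
  return { results, sent: sandbox.log.length, blocked: sandbox.blocked.length };
}

// A short test never reaches the backup path, so the log stays empty.
const shortTest = run(["a", "b"], { quarantineAfterLoad: false });
// Real use hits the quota: the log entry appears only after the upload.
const realUse = run(["a", "b", "c", "secret"], { quarantineAfterLoad: false });
// Same input with network access revoked after load: the upload is refused.
const quarantined = run(["a", "b", "c", "secret"], { quarantineAfterLoad: true });
console.log({ shortTest, realUse, quarantined });
```
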