I came across an interesting situation recently where a website successfully blocked access when Chrome's DevTools were open. I was curious about how they achieved this, as I'd previously read on Reddit that it might not be possible. The site in question showed a forbidden 403 error page before loading any content, almost as if they were using a server-side method. It seems like there might be a captcha involved as well. I find it impressive but also a bit unethical on their part. I'm wondering what techniques they could be using, especially since it works even when DevTools are opened in a separate window. Any insights would be appreciated! You can check it out here: link.
4 Answers
From what I understand, the site might be using a service like Datadome to manage these checks. Basically, the page is initially blocked server-side, and a piece of Datadome JavaScript runs checks before loading content. If it indicates any issue, they show a 'forbidden' message instead.
They seem to have some sophisticated system behind that! I'm curious how they handle the HTTP status codes.
The craziest part is that their enforcement is easily bypassed by clearing cookies or refreshing the page. If you're messing around with DevTools, you probably know how to get around their little tricks.
True! They're not really banning anyone, just preventing access on that single page.
They might use a combination of techniques. One common method is to attach event listeners to detect key presses like F12 or Ctrl+Shift+I. There's also a debugger check where the script measures how long a `debugger` statement takes to execute. If the time exceeds a certain threshold, it assumes DevTools is open. So, code like this could trigger an alert to close DevTools.
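The two client-side checks described in this answer, as an added example that is not part of the original answer or of any vendor's script. The function names, the 100 ms threshold and the one-second polling interval are assumptions.

```javascript
// Added example: constructed names and values, not taken from any real site.
const PAUSE_THRESHOLD_MS = 100; // assumed; the answer gives no threshold

// Millisecond clock that works in browsers and in Node.
const defaultClock = () =>
  (typeof performance !== 'undefined' ? performance.now() : Date.now());

// True when a keydown event is F12 or Ctrl+Shift+I, the shortcuts the
// answer mentions. Accepts any object shaped like a KeyboardEvent.
function isDevToolsShortcut(e) {
  const key = String(e.key || '').toUpperCase();
  if (key === 'F12') return true;
  return Boolean(e.ctrlKey && e.shiftKey) && key === 'I';
}

// Times a `debugger` statement. With no debugger attached the statement is
// a no-op and returns almost instantly; with DevTools open the script
// pauses there until resumed, so the elapsed time exceeds the threshold.
function debuggerPauseExceeded(thresholdMs = PAUSE_THRESHOLD_MS,
                               clock = defaultClock) {
  const start = clock();
  debugger;
  return clock() - start > thresholdMs;
}

// Browser wiring: report either signal through a callback. Returns the
// interval id, or null when there is no DOM (for example under Node).
function watch(onSignal, intervalMs = 1000) {
  if (typeof document === 'undefined') return null;
  document.addEventListener('keydown', (e) => {
    if (isDevToolsShortcut(e)) onSignal('shortcut');
  });
  return setInterval(() => {
    if (debuggerPauseExceeded()) onSignal('debugger-pause');
  }, intervalMs);
}
```

Both signals are produced in the visitor's browser, so they are hints about the client rather than something a server can rely on for access control.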
uBlock Origin really helps bypass these checks, which is nice!
Yeah, but why would a site even care that much? Seems excessive!
Another possibility is that the site detects JavaScript sourcemap requests. Some browsers automatically request these when DevTools are opened, and even though you won't see these in the Network panel, the server can. If they see these requests, they might ban you by IP, even if the files don’t exist.
Clever idea, but I tried that on this site and it still blocked me.
Interesting, but isn't there a chance to bypass that by disabling sourcemaps?
Yeah, I noticed Datadome in the cookies too. Looks like the real content is loaded only when the script gives the green light.