
Understanding Self‑XSS Warnings in Chrome DevTools

Chrome DevTools now shows a Self‑XSS warning when an apparently inexperienced user pastes code into the console. The heuristic is simple: if the profile's console history has fewer than five entries, execution is blocked until the user types “allow pasting”. The aim is to protect against social‑engineered attacks that steal data or hijack accounts.

Sohu Tech Products

Hello everyone, I am ConardLi.

Have you noticed that sometimes when you copy code into the Chrome DevTools console and run it, a new warning appears, while other people never see it? What is going on?

The gist is that the code you execute might be unsafe, so you should not copy and run arbitrary snippets.

It’s interesting – why would the code I copy be unsafe, and why does the browser warn me?

This brings us to a special kind of XSS attack called Self‑XSS, i.e., a self‑directed cross‑site scripting attack.

How does an attacker get a victim to attack themselves? Through “social engineering”.

Attackers typically use social‑engineering techniques to trick developers into executing malicious scripts in their own browsers. Unlike conventional XSS attacks that exploit vulnerabilities in a website, Self‑XSS does not depend on any site‑side flaw; it leverages the user’s own actions.

Self‑XSS attacks usually involve persuading a developer to copy and paste malicious code into the DevTools Console. The attacker often promises a reward, such as:

Claiming the code unlocks hidden features or virtual rewards.

Pretending the code is a safe test or bug‑fix.

Suggesting the code can help you hack a site for personal gain.

Once the code is executed, the attacker can take control of your account, enabling them to:

Steal personal information such as name, address, and credit‑card numbers.

Post unauthorized messages or comments on your behalf.

Take over your social‑media accounts.

Spread malware to other users.

We often try out code we see on a website without considering its safety.

In fact, many social‑media platforms have seen a flood of such fake attack scripts. For example, Facebook once warned users repeatedly about this type of attack.

Allowing users to paste code into DevTools and run it is inherently risky, but it is also a core feature of Chrome DevTools. Browsers therefore have to balance mitigating potential Self‑XSS attacks against not hindering developers who simply want to debug.

Website developers usually understand what a snippet does before pasting it into DevTools. Non‑technical users who paste code are consequently at a much higher risk of becoming Self‑XSS victims.

In recent updates, when Chrome DevTools detects an inexperienced user trying to paste code, it stops execution and shows a warning.

How does it determine experience? DevTools uses a simple heuristic based on the console‑history entries in the user’s profile.

If your profile contains at least 5 entries in the console history, DevTools will not display any warning. The console history is the list of commands you have typed and executed in the console.

Therefore, if you clear your browser cache or use a new machine, the warning will appear when you try to run code.

You must manually type "allow pasting" to continue; after entering it, the warning no longer appears.

If you paste code into other DevTools editors (e.g., the Sources panel), the experience is similar: a dialog box appears, and you still have to type "allow pasting" in that dialog before the code is executed.
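As an added example (not Chrome's code and not from the original article), the following JavaScript models the gate described above: the history threshold, the "allow pasting" unlock, and the reset that follows a cleared profile. The profile layout, the function names and the exact‑match rule for the phrase are assumptions made for the demo.

```javascript
// Added illustration of the paste gate described above. This is a model written
// for this article, not Chrome's own code; the threshold and phrase come from the
// text, while the data layout and function names are assumed for the demo.
const HISTORY_THRESHOLD = 5;           // >= 5 console-history entries: no warning
const UNLOCK_PHRASE = "allow pasting"; // typed by hand to continue past the warning

// Per-profile state. Clearing the profile or moving to a new machine starts
// from an empty history again, which is why the warning then reappears.
function newProfile() {
  return { consoleHistory: [], pastingAllowed: false };
}

// The user types a command and runs it. Typed commands are recorded in the
// history; typing the unlock phrase sets a flag that persists in the profile.
// (Assumption: the phrase must match exactly, ignoring surrounding whitespace.)
function runTyped(profile, command) {
  profile.consoleHistory.push(command);
  if (command.trim() === UNLOCK_PHRASE) {
    profile.pastingAllowed = true;
    return "unlocked";
  }
  return "executed";
}

// The user pastes a snippet. Experienced users (enough history) and users who
// already typed the unlock phrase run it; everyone else gets the warning and
// the snippet is not executed.
function runPasted(profile, snippet) {
  const experienced = profile.consoleHistory.length >= HISTORY_THRESHOLD;
  if (experienced || profile.pastingAllowed) {
    profile.consoleHistory.push(snippet);
    return "executed";
  }
  return "warned";
}

// Walk two profiles through the two ways past the gate and return the trace.
function demo() {
  const trace = [];
  const fresh = newProfile();
  trace.push(runPasted(fresh, "document.title"));    // warned: empty history
  trace.push(runTyped(fresh, "allow pasting"));      // unlocked
  trace.push(runPasted(fresh, "document.title"));    // executed: unlock flag set
  const seasoned = newProfile();
  for (let i = 1; i <= HISTORY_THRESHOLD; i++) runTyped(seasoned, `${i} + ${i}`);
  trace.push(runPasted(seasoned, "document.title")); // executed: history >= 5
  return trace;
}

console.log(demo().join(" -> "));
```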

Written by Sohu Tech Products

A knowledge-sharing platform for Sohu's technology products. As a leading Chinese internet brand with media, video, search, and gaming services and over 700 million users, Sohu continuously drives tech innovation and practice. We’ll share practical insights and tech news here.
