Risk of adding "sensitive" files to Chrome Devtools workspace

When adding a folder from your local filesystem to the Chrome DevTools workspace, you'll receive a dialog banner which warns you to "not expose any sensitive information" before you grant access.

What are the specific risks associated with doing this? Is the workspace vulnerable to access by extensions? Script injection?

Justin W. asked Jan 17 '18 21:01


1 Answer

Official response -

"We use the same api as a regular website/chrome app, so it’s not something specific to devtools. I guess in theory if you map your workspace to a malicious site and then you live edit your site with devtools open the site might be able to detect your edits? That’s pretty convoluted though.

We assume that information in the workspace is data for your project. I wouldn’t add /etc/passwd to a devtools workspace."

From the review -

"How does one revoke access? If I make a mistake, I can remove the .allow-devtools-edit file. I don't see a way to do this with the new approach.

I'm not sure an infobar is strong enough. There's a class of users that will click this but would never be willing or savvy enough to put the .allow file onto their machines."

As well as -

"The message ought to be scarier, talking about ensuring that there isn't sensitive information in that directory."

Not much, but the original issue for the previous method (adding a file to the folder to allow it to be mapped) also says -

"DevTools needs file system access to allow developers to edit/add sources (even those that are not loaded from server, e.g. deployment descriptors, server scripts).

We plan to use File System API (isolated file system). To add a folder to DevTools users will need to 1. Add an empty .allow-devtools-edit file to the folder (for security purposes)"

I guess because Developer Tools extensions might then be able to read the files you mapped, it can expose highly sensitive information, like unencrypted user names and passwords that might be found in configuration files.

PhistucK answered Oct 19 '22 23:10
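As an added example (not code from the answer above or from Chromium), the following Python checks a folder for the kind of credential-bearing files the answer warns about before it is mapped as a DevTools workspace. The filename and content patterns are assumptions, and the sample project tree is constructed for the demonstration.

```python
import os
import re
import tempfile

# Filename patterns that commonly hold credentials or keys (assumed list, not from the page).
SENSITIVE_NAMES = re.compile(
    r"^\.env(\..*)?$|^id_(rsa|dsa|ecdsa|ed25519)$|\.(pem|key|p12|pfx)$|^\.(netrc|npmrc|pypirc)$",
    re.IGNORECASE,
)
# Content patterns for plaintext secrets inside config files (also assumed).
SENSITIVE_CONTENT = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----|\b(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*\S+",
    re.IGNORECASE,
)


def scan_workspace(root):
    """Return sorted (relative_path, reason) pairs for files under root that look sensitive."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip directories that are not project sources and would only add noise.
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if SENSITIVE_NAMES.search(name):
                findings.append((rel, "sensitive filename"))
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    match = SENSITIVE_CONTENT.search(fh.read())
            except OSError:
                continue
            if match:
                findings.append((rel, "plaintext secret: " + match.group(0)))
    return sorted(findings)


def build_sample_workspace():
    """Constructed project tree for the demo (not a real project); returns its root."""
    root = tempfile.mkdtemp(prefix="devtools-ws-")
    os.makedirs(os.path.join(root, "src"))
    samples = {
        "src/app.js": "console.log('hello');\n",
        "config.ini": "[db]\nuser = app\npassword = hunter2\n",
        ".env": "API_KEY=abc123\n",
        "README.md": "Change the password from the admin panel.\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Running `scan_workspace(build_sample_workspace())` flags `.env` by name and `config.ini` by its plaintext password, while the prose mention of "password" in README.md is not reported.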