"Sensitive information" risk in DevTools workspace

Justin Woolley

Jan 19, 2018, 4:39:34 PM
to Google Chrome Developer Tools
When adding a folder to the devtools workspace, the dialog banner for granting access warns you to "make sure you do not expose any sensitive information".

What is the specific risk when adding files to the workspace? Exposure to extensions with access to devtools? Script injection?

Ismael Venegas Castelló

Feb 23, 2018, 10:47:42 AM
to Google Chrome Developer Tools
Hi I just saw your SO question:

Kayce Basques

Mar 1, 2018, 12:52:56 PM
to Google Chrome Developer Tools
Response from DevTools engineer:

We use the same API as a regular website/Chrome app, so it’s not something specific to DevTools. I guess in theory if your workspace maps to a malicious site and then you live edit your site with DevTools open, the site might be able to detect your edits? That’s pretty convoluted though.
We assume that information in the workspace is data for your project. I wouldn’t add /etc/passwd to a devtools workspace.

Eric Lawrence

Mar 1, 2018, 2:04:04 PM
to Google Chrome Developer Tools
I think the bigger issue here is that the Developer Tools normally run in a sandboxed process (similar to a Chrome renderer) that doesn't have access to your local system. If a malicious site achieved arbitrary code execution in the Developer Tools, it could (if there were no prompt) map local folders and steal files from them. By requiring a prompt in the browser process (higher privilege) this threat is blunted.
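
The consent-gated design described in the replies above, as a simplified model added here (not Chrome's code and not written by any poster in this thread). `BrowserBroker`, `promptUser`, `tryRead` and the in-memory `FILES` are hypothetical names and constructed data.

```javascript
// Simplified model, not Chrome's code: a privileged broker owns folder grants;
// the sandboxed side can only ask. All names and data here are constructed.

// Resolve "." and ".." in an absolute POSIX-style path without touching disk.
function normalize(p) {
  const out = [];
  for (const part of p.split('/')) {
    if (part === '' || part === '.') continue;
    if (part === '..') out.pop(); else out.push(part);
  }
  return '/' + out.join('/');
}

class BrowserBroker {
  // promptUser stands in for the browser-process dialog; files is an
  // in-memory stand-in for the local disk so the example runs offline.
  constructor(promptUser, files) {
    this.promptUser = promptUser;
    this.files = files;
    this.grants = new Set();
  }
  // A mapping request succeeds only if the user approves that exact folder.
  requestFolder(folder) {
    const root = normalize(folder);
    if (!this.promptUser(root)) return false;
    this.grants.add(root);
    return true;
  }
  // Reads are served only from inside a folder the user approved.
  readFile(file) {
    const target = normalize(file);
    const inside = (root) => target === root ||
      target.startsWith(root === '/' ? '/' : root + '/');
    if (![...this.grants].some(inside)) throw new Error('denied: ' + target);
    if (!(target in this.files)) throw new Error('not found: ' + target);
    return this.files[target];
  }
}

const FILES = { // constructed sample data
  '/home/dev/project/app.js': 'console.log("hi")',
  '/etc/passwd': 'root:x:0:0 (constructed)',
};

// What code in the sandbox obtains, given the user's answer to the prompt.
function tryRead(userApproves, folder, file) {
  const broker = new BrowserBroker(userApproves, FILES);
  broker.requestFolder(folder);
  try { return broker.readFile(file); } catch (e) { return e.message; }
}
```

In this model a declined prompt leaves the caller with nothing, while an approved folder exposes everything beneath it, so the folder chosen at the prompt sets the exposure.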