  1. #1
    New Coder

    Is internal JS secure? (is external?)

    I like having scripts external, but I wonder about the security of internal anyway. Someone could save and change the HTML, right? But is that possible with an external script? I always thought not (unless there was an error), until a person on this forum was able to grab the script I was working with at the time. No problem with that, but it brings up the question in my mind about security in general surrounding JavaScript.

    Any suggestions are appreciated!
    -tdavis

  • #2
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    When it comes to secure JavaScript, there isn't any. The user can always download the script and modify it, though JavaScript can't go across domains due to security reasons.

  • #3
    New Coder
    Even an external script can be downloaded?

  • #4
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Yep, it gets cached, but the user could view the source, navigate to the js, file save as, and it's saved. js is parsed as text in Firefox. If you have Firefox, type the location of your js file into your browser and it will show as text; if you do it in IE, it will try to download it.

  • #5
    New Coder
    Thanks. I did not know that. So I guess it makes no difference, as far as security goes anyway, whether your script is internal or external.
    Thanks!
    -tdavis

  • #6
    Kor
    Red Devil Mod Kor's Avatar
    JavaScript was not created as a secure language or in order to secure any other language (HTML, for instance). For secure stuff, use a server-side application, not a client-side one such as JavaScript.
    KOR
    Offshore programming

  • #7
    Master Coder felgall's Avatar
    JavaScript is basically Open Source. Anyone can read your JavaScript no matter where you have it. You can obfuscate it to make it harder to read, which may stop people from being able to make changes to it, but there is nothing you can do to stop people copying it in its entirety.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • #8
    Supreme Master coder! Philip M's Avatar
    Might I ask whether it is possible for a user (customer) to modify a script which is in use? For example, an order form calculates shipping costs based on quantity/destination (say the result is $20); could a user alter the calculation to result in (say) $2, and then submit the form? Or otherwise change the prices?

  • #9
    Master Coder
    A user can change anything on their own system.
    liorean <[lio@wg]>
    Articles: RegEx evolt wsabstract , Named Arguments
    Useful Threads: JavaScript Docs & Refs, FAQ - HTML & CSS Docs, FAQ - XML Doc & Refs
    Moz: JavaScript DOM Interfaces MSDN: JScript DHTML KDE: KJS KHTML Opera: Standards
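
Added example, not part of any post in this thread: a server-side handler (Node.js assumed) for the order-form case raised in #8, which recomputes shipping from its own tables and treats the browser's figure as untrusted. The SKUs, rates, field names and `priceOrder` are constructed for illustration.

```javascript
// Server-held tables, in integer cents. Constructed sample data.
const PRICES_CENTS = { widget: 1500, gadget: 4200 };
const SHIPPING_CENTS = {            // base + per-item rate by destination
  US: { base: 500, perItem: 150 },
  EU: { base: 1200, perItem: 400 },
};

// Own-property check so keys like "__proto__" cannot match the tables.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Recompute every amount on the server. The figure the browser sent
// (clientShippingCents, a hypothetical form field) is compared, never used.
function priceOrder(form) {
  if (!has(SHIPPING_CENTS, form.destination)) throw new Error("unknown destination");
  if (!Array.isArray(form.items) || form.items.length === 0) throw new Error("empty order");

  const rate = SHIPPING_CENTS[form.destination];
  let subtotal = 0;
  let count = 0;
  for (const { sku, qty } of form.items) {
    if (!has(PRICES_CENTS, sku)) throw new Error("unknown sku");
    if (!Number.isInteger(qty) || qty < 1 || qty > 1000) throw new Error("bad quantity");
    subtotal += PRICES_CENTS[sku] * qty;
    count += qty;
  }
  const shipping = rate.base + rate.perItem * count;
  return {
    subtotal,
    shipping,
    total: subtotal + shipping,
    // A mismatch means the page script was altered or is stale:
    // log it for review and charge the server-computed amount.
    clientMismatch: form.clientShippingCents !== shipping,
  };
}

// Constructed submission: the page script was edited so shipping reads $2.
const tampered = {
  destination: "EU",
  items: [{ sku: "widget", qty: 2 }],
  clientShippingCents: 200,
};
console.log(priceOrder(tampered)); // server still charges $20.00 shipping
```

The client-side calculation can stay for display purposes; only the server's result is charged.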

