govin govin - 3 months ago 26
HTML Question

Is JS object within a script tag secure?

I have HTML like this that I deliver to the client from my web server:

<script type="text/javascript">
var myapp = myapp || {};
// list of setting strings that the rest of the client app checks
myapp.settings = ["abc", "xyz", "123"];
</script>

In the rest of my client app, I have checks that look at the myapp.settings object.

Is myapp.settings secure? Can a hacker add strings or remove strings from myapp.settings? If so, what are some example ways to do so?


No, it is not secure. In fact, nothing in a web page is completely secure.

In your particular example, here are some examples of how your myapp object can be manipulated:

  1. The end-user can open the browser console and type in a line of code to change that object.

  2. The end-user can open the browser debugger, set a breakpoint and when it hits that breakpoint, edit that object.

  3. The end-user can download or create a bookmarklet that when clicked on would modify the myapp object.

  4. The end-user can set up a proxy that intercepts the incoming page, modifies it and then sends it on to the browser.

  5. An attacker can intercept the page on its way to you and modify it (as it goes through your ISP, for example). Note: this would be much less likely if you were using HTTPS.

Because nothing in the browser is completely secure, security issues have to be addressed with a specific need in mind and then options are explored to handle those specific concerns.
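
An added example, not part of the original question or answer: it assumes the settings gate features that a server ultimately serves, and shows why the page copy of myapp.settings can only drive the UI while the server decides from its own record. All names (SERVER_SETTINGS, renderSettings, clientAllows, serverAllows) and the sample users are constructed for illustration.

```javascript
// Constructed sample data: the server's own record of each user's settings.
// All names here (SERVER_SETTINGS, renderSettings, ...) are hypothetical.
const SERVER_SETTINGS = new Map([
  ['alice', new Set(['abc', 'xyz', '123'])],
  ['bob', new Set(['abc'])],
]);

// What the server writes into the <script> tag: a copy for the UI to read.
function renderSettings(user) {
  const granted = SERVER_SETTINGS.get(user) || new Set();
  return { settings: Object.freeze([...granted]) };
}

// Client-side check as in the question. It runs in a browser the user controls,
// so it can only decide what the UI shows, not what is permitted.
function clientAllows(myapp, feature) {
  return myapp.settings.includes(feature);
}

// Server-side check: uses the authenticated identity and the server's record,
// and ignores any settings the request claims to have.
function serverAllows(request) {
  const granted = SERVER_SETTINGS.get(request.authenticatedUser);
  return Boolean(granted && granted.has(request.feature));
}

// Walks through what happens when the page copy is changed for user "bob".
function demo() {
  let myapp = renderSettings('bob');
  const before = clientAllows(myapp, 'xyz');
  let freezeBlockedEdit = false;
  try {
    myapp.settings.push('xyz'); // in-place edit of the frozen array
  } catch (e) {
    freezeBlockedEdit = e instanceof TypeError;
  }
  // Freezing does not help: the whole object can simply be replaced.
  myapp = { settings: ['abc', 'xyz', '123'] };
  const after = clientAllows(myapp, 'xyz');
  const server = serverAllows({
    authenticatedUser: 'bob',
    feature: 'xyz',
    claimedSettings: myapp.settings, // sent by the client, never consulted
  });
  return { before, freezeBlockedEdit, after, server };
}

console.log(demo());
```

The client-side result flips once the object is replaced, while the server-side result for the same user and feature does not change.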