用Javascript对象替换窗口或文档对象 [英] Replace window or document objects with Javascript object

问题描述

是否可以替换窗口或文档对象？我主要希望提供某种JavaScript代理，以防止用户在页面上获取某些（仅此一点！这很重要）DOM元素。 用户是指任何第三个小馅饼脚本。

Is there a way to replace "window" or "document" objects? What I basically want is to provide some kind of JavaScript Proxy, I want to prevent user from getting "SOME" (only some! this is important) DOM element's on the page. By "user" I mean any third patty script.

我可以这样做：

document.getElementsByTagName("a")
//NodeList[129]
document.getElementsByTagName = function(){}
//function (){}
document.getElementsByTagName("a")
//undefined

但是我可以对 document.all 如何替换DOM对象字段以使其仅返回DOM元素的某些？

But what I can do about document.all how can I replace DOM object field to make it return only "SOME" of the DOM elements?

UPD ：如果有一种方法可以用一些JavaScript对象替换文档对象，那就更好了

UPD: If there is a way to replace 'document' object with some JavaScript object this would be much more better

UPD2 ：我不在乎如果您的方法在旧浏览器上不起作用。因此，我对适用于 A级学生的任何解决方案都很满意

UPD2: I don't care if your method won't work on 'older' browsers. So i'm good with any solution that works on "A" graders

UPD3 ：我知道其中不存在100％的安全性JavaScript，我不想阻止黑客进行黑客攻击，我知道这是不可能的，我想阻止为我的自制框架编写插件的开发人员去做愚蠢的事情。

UPD3: I know that 100% security doesn't exist in JavaScript, I don't want to prevent hackers from "HACKING", I know it's not possible, I want to prevent developers that write "plugin" for my "home made" framework, to do stupid things..

UPD4 ：好的，我不能替换Document或Window，但是我至少可以替换所有可表示返回 DOM的字段或函数元素？例如 document.getElementById或 document.all？

UPD4: ok, I can't replace Document nor Window, but can I at least replace all "fields" or "functions" that repsonsoble for returning "DOM" elements? like "document.getElementById" or "document.all" ?

UPD5 ：用户 @pebbl 提出了一些与我想要的东西接近的东西

UPD5: User @pebbl suggested something that 'close' to the thing I want

function a(window, document){
   /// in here window and document should be numerics
   alert(window);
   alert(document);
}

a(123,456);

但是他的解决方案有一个大问题 http://jsfiddle.net/kRLax/

but his solution have one big problem http://jsfiddle.net/kRLax/

UPD6-7 ：这是完美的人（至少对我而言）

UPD6-7: This is the 'perfect' one (at least for me)

http://jsfiddle.net/kRLax/12/

function Fx(){return function(){}}
function SafeThis(that){ 
    if (that == window) {
        return fakeWindow;
    } else if (that = document) {
        return fakeDocument;                    
    } else {
        return that;
    }
}
var fakeDocument = {
    write: function(a){ document.write(a) }
}
var fakeWindow = {
    document: fakeDocument
}

var moduleA = function(Function, window, document, eval){
    document.write(window + "<br>");
    var f = new Function("return this");
    document.write(f() + "<br>");
    var win = (function(){return this;})();
    document.write(win + "<br>");
    var e = eval("this"); 
    document.write(e + "<br>");
    document.write(this + "<br>");
    document.write(window + "<br>");
    document.write(document + "<br>");
    this.a = 1;
    document.write(JSON.stringify(this));
};

var moduleA_Fx = '!' + 
    moduleA.toString().replace(/\bthis\b/g,"SafeThis(this)") + 
    '(Fx,fakeWindow,fakeDocument,Fx)';

document.write(moduleA_Fx + "<br><br>");

eval(moduleA_Fx);
​

推荐答案

您可以执行以下操作，但是您必须在函数范围内评估外部脚本：

You can do the following, but you would have to eval the external script within your function's scope:

function a(window, document){
  /// in here window and document should be numerics
  alert(window);
  alert(document);
}

a(123,456);

或者，如果您有服务器端代理，则可以使用包装好的anon函数重写其代码，然后

Or if you had a server-side proxy you could rewrite their code with a wrappered anon function that then called in your proxy document and window object.

;(function(window, document){

  /// the unknown external code here.

})(windowProxy, documentProxy);

但是仍然有解决方法，因为他们可能会使用以下内容，具体取决于JS环境：

There would still be ways around this however, as they might be able to use the following depending on the JS environment:

var win = (function(){return this;})();

您可能还必须包括其他集合以确保它们不可访问：

You may also have to include the other collections to make sure they are not accessible:

;(function(window, document, all, images, ...){ ... }

但是，他们也可以通过任何dom元素访问原始的文档允许他们也可以访问...

But, they would also be able to access the original document through any dom elements you allowed them access to as well...

在可能有用的情况下，也想填补以下漏洞：

Just in case it's useful you may also want to plug the following holes:

• setTimeout


• setInterval

以上两者均可用于评估代码。

Both the above can be used to evaluate code.

setTimeout('(function(){alert('+'th'+'is'+');})()');

此外，在公开 document.write 时，这也是可行的：

Plus as you are exposing document.write this would also be feasible:

document.write(
  '<img src="data:image/gif;base64,ERROR" '+
     'onerror="alert(th'+'is.ownerDocument);" />'
);

您应该阻止对 SafeThis 的访问，在目标代码中重写任何提及，否则可以将其覆盖：

And you should block access to SafeThis and rewrite any mention of it in the target code, otherwise it can be overriden:

SafeThis = function(that){return that;}

除此之外，尽管看起来很安全。我敢肯定，如果您尝试得足够多的话，还会有其他解决方法，但这实际上取决于您是否认为自己可能的攻击者是多么坚定；）

Other than that though it seems quite secure. I'm sure there will be other ways round it—if you try hard enough—but it really depends on how determined you think your possible attackers might be ;)

这篇关于用Javascript对象替换窗口或文档对象的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！