避免从浏览器控制台修改Javascript变量 [英] avoid Javascript variable modification from browser console
问题描述
我有问题.我已经定义了一些全局变量并将其命名为一个名为"app"的对象.示例:
I have a problem. I have defined some global variables and namespaced it into an object called "app". Example:
window.app : {
foo : null,
bar : null,
}
好吧,我的想法是我希望能够通过调用app.foo ="baz"或app.bar ="baz"来从任何模块中修改那些变量,但是我不希望用户能够从浏览器控制台(元素检查器)修改这些变量.
Well, the idea is that I want to be able to modify those variables from any module by calling app.foo = "baz" or app.bar = "baz", but I don't want the user to be able to modify those variables from the browser console (element inspector).
有可能吗?
PD:嗯,我有一个Backbone.js集合,该集合与服务器同步.我不希望用户能够使用控制台修改该集合
PD: Well, I have a Backbone.js collection which is sinchronized with the server. I don't want the user to be able to modify that collection with the console
推荐答案
否.浏览器是用户的域.他们可以通过各种方式(通过控制台或浏览器插件)修改脚本并注入自己的功能.这就是为什么您不应该盲目地信任服务器端用户输入的原因之一.
No. The browser is the user's domain. They have the possibility to modify your scripts and inject their own functionality in various ways (through the console or browser plug-ins). That's one of the reasons why you should never blindly trust user input on the server side.
他们甚至可以手动伪造一个完整的请求,诱使您的服务器认为您的JavaScript代码发出了该请求.
They could even manually forge a complete request, tricking your server into thinking that your JavaScript code made that request.
如果希望这些值是安全的,则需要将它们保留在服务器上.当然,只要您可以根据服务器上的值来验证值,就可以将它们发送给客户端.
If you want these values to be secure, you need to keep them on the server. You can send them to the client, of course, as long as you keep a possibility to validate the values against those on the server.
这篇关于避免从浏览器控制台修改Javascript变量的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
