有没有办法防止在单例实例中覆盖/覆盖函数/变量? [英] Is there any way to prevent override/overwrite of functions/variables in singleton instance?
问题描述
考虑这个伪代码:
(function(window){
var options = { /*where everything goes */ };
var instance = (function(options){
for (var i in options){
if (options.hasOwnProperty(i)){
this[i] = options[i];
}
}
})(options);
instance.callbacks = function(cb){
//...
}
instance.is_allowed = function()
//... checks, return boolean
}
window.instance = instance;
})(this);
如果有人想操纵这段代码(例如恶意用户),他会重写 is_allowed 与他自己的功能,例如,使用地址栏(他没有萤火虫,谁知道)。
If anyone ever wanted to manipulate this code (a malicious user for example), he would rewrite the is_allowed function with his own, for example, using the address bar (he doesn't have firebug, who knows).
javascript:(function(){ window.instance.is_allowed = function(){ return true; } })();
这是一个天真的例子,但重点是,Javascript中的任何内容都可以被覆盖。
This is a naive example, but that's the point, anything in Javascript can be overwritten.
我知道在es5中我们有Object.defineProperty所以你可以设置:
I know in es5 we have the Object.defineProperty so you can set:
// being explicit
Object.defineProperty(instance, "is_allowed", {
enumerable: false,
configurable: false,
writable: false,
value: function(){
// do checks
}
});
实际上,在这个意义上最好的是使用 Object.freeze(实例)或 Object.seal(instance)而不是 Object.defineProperty ,因为以后可以用再次调用:false (傻哼?)
Actually, what is BEST in this sense is to use Object.freeze(instance) or Object.seal(instance) instead of Object.defineProperty, since the later can be called again with writable: false (silly huh?)
有没有办法在没有太多麻烦的旧浏览器(即IE6-8)?如果这是不可能的,那么我只会耸耸肩继续前进。
Is there ANY way that it work in old browsers (namely IE6-8) without too much hassle? If it's impossible, then I'll just shrug and move on.
推荐答案
如果有人想要的话要操纵这段代码(恶意用户为
的例子),他会用自己的
If anyone ever wanted to manipulate this code (a malicious user for example), he would rewrite the is_allowed function with his own
他可以重写你的整个javascript代码或甚至不使用浏览器,但模拟对你的服务器的无浏览器请求。
He could rewrite your whole javascript code or not even use a browser but simulate a "browser-less" request to your server.
有没有办法它在旧浏览器(即IE6-8)中工作而没有
太麻烦了?
Is there ANY way that it work in old browsers (namely IE6-8) without too much hassle?
没有。您全局公开的任何内容都可以由用户更改,由浏览器限制 javascript:行为以避免用户被愚弄以访问预先制作的链接。 Firefox最近对javascript URL协议进行了一些更改。
No. Anything you globally expose can be altered by the user, it is up to the browsers restrict the javascript: behavior to avoid users from being fooled to access pre-crafted links. Firefox recently have made some kind of change to the javascript URL protocol.
正如本文所述: http://survey-remover.com/blog/javascript-protocol-dangers/
从Chrome v13,Firefox v6和IE 9开始,浏览器开发人员已经注意到javascript:协议的危险,并随后禁止使用代码......对于Chrome和IE,粘贴代码时会删除javascript:子字符串,而Firefox不再在活动页面范围内执行脚本。
As of Chrome v13, Firefox v6 and IE 9, the browser developers have taken notice to the dangers of the "javascript:" protocol and have subsequently disallowed code ... In the case of Chrome and IE, the "javascript:" substring is stripped when the code is pasted, whereas Firefox no longer executes the script within the scope of the active page.
所以...
如果不可能,那么我只会耸耸肩继续前进。
If it's impossible, then I'll just shrug and move on.
你应该。
这篇关于有没有办法防止在单例实例中覆盖/覆盖函数/变量?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
