SitePoint Sponsor

User Tag List

Results 1 to 6 of 6
  1. #1
    SitePoint Enthusiast Cory R's Avatar
    Join Date
    Mar 2009
    Posts
    94
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Browser Extensions

    How do you protect your scripts that parse on a page from browser extensions, such as Firebug, where users can edit variables and other queries?

  2. #2
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,862
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    You can't because the browser owner has the final say. That's why any input you receive from the page needs to be validated on the server.

    Anyway Firefox is the only browser to require an extension to fo that. Internet Explorer, Opera, Safari, and Chrome all have the functionality to fo that built in.

    Also browser owners can override anything in the stylesheet with their own replacement and can run their own JavaScript immediately after the page loads and before any event triggered JavaScript runs (either via a bookmarklet or userscript - although only Opera supports user scripts without needing an extension).
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  3. #3
    SitePoint Evangelist
    Join Date
    Aug 2009
    Posts
    406
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    It's impossible to protect scripts from browser extensions. However, you can always secure your sites by using multiple checks for each form to make sure these "smart" guys won't be able to bypass site limits and restrictions.
    Daniel, Helpdesk Leader
    Hosting24.com Web Hosting - First class web hosting services.
    Reseller Hosting - Provide unlimited disk space and bandwidth

  4. #4
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,862
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by Hosting24 View Post
    It's impossible to protect scripts from browser extensions.
    It's impossible to protect scripts from browsers.

    No extensions required.

    Anyone can just turn off JavaScript to bypass any JavaScript validation. With Opera you can install a userscript to selectively turn off JavaScript automatically on selected web pages (You can do it in IE or Firefox as well if you install an appropriate extension to add support for userscripts).

    That's why ALL validation for your purposes needs to be done on the server. Anything you do using JavaScript is just to make things easier for your visitors. If it doesn't make things easier they'll turn it off.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  5. #5
    Follow: @AlexDawsonUK silver trophybronze trophy AlexDawson's Avatar
    Join Date
    Feb 2009
    Location
    England, UK
    Posts
    8,111
    Mentioned
    0 Post(s)
    Tagged
    1 Thread(s)
    More to the point, why would you want to protect your scripts? All it does is increase the workload on your server (verifying everything), increase the chances of theft (surprisingly if you try and protect your code, the "bad people" often see this as a challenge to rip your work apart and redistribute it) and it's pointless bulk being added to your scripts (as there's always a very simple way to override your code - the great thing about the web being open). Sorry to say it but it's pointless to try and control your users, at best the most you will achieve is punishing your legitimate users and leaving them the ones all the worse off.

  6. #6
    SitePoint Enthusiast Cory R's Avatar
    Join Date
    Mar 2009
    Posts
    94
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks everyone for the support.

    We decided that blocking browser extensions wasn't the best way to protect our cross-forum chat system, so we'll likely be resorting to a login system.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •