SitePoint Sponsor

User Tag List

Results 1 to 4 of 4
  1. #1
    SitePoint Wizard
    Join Date
    Mar 2002
    Location
    Bristol, UK
    Posts
    2,240
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Can window.location be faked?

    On my client's website there is a 'find address' button on a contact form where people can fill in their postcode and it will send an AJAX request to a PHP script to return street name, town and county.

    This PHP script queries a SOAP web service and my client is charged for each postcode lookup that is performed.

    It would be trivial for someone with a basic knowledge of development to hotlink my JavaScript file and start using my client's postcode search functionality free of charge, while costing my client money.

    With this in mind I've written my JavaScript like this:

    Code JavaScript:
    (function() {
     
        if('www.mydomain.com' == window.location.hostname) {
     
            myButton.onclick = function() {
                doAjaxyStuff('myPostcodeScript.php');
            };
     
        }
     
    })();

    I wanted to know if there was any chance somebody could somehow forge the window.location object on their own site and trick my code into running.

    Any input would be much appreciated

    P.S. I know that I can control access to the script using the HTTP_REFERER request header. I also know that this can be faked or not present at all so would rather not rely on it if possible.
    Sam Hastings

  2. #2
    SitePoint Addict sdleihssirhc's Avatar
    Join Date
    Feb 2009
    Posts
    387
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    My understanding is no, not really.

    • They can't create a new object called window.
    • They can't assign a new object to window.location
    • They can't assign a new string to window.location.hostname
    • They can't execute your function in a different context, so that "window" points to a different object.


    These are basically the drop-dead laziest ways to try to spoof it, but you're probably fine.
    I'm the web overlord for Graphic Business Systems

  3. #3
    SitePoint Wizard
    Join Date
    Mar 2002
    Location
    Bristol, UK
    Posts
    2,240
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks, that's made me feel much more comfortable

    I guess it was point number four that you made that was worrying me the most. I couldn't think of any way of doing that but there's a lot I don't know about JavaScript so thought I would let the community weigh in.

    Thanks again for responding!
    Sam Hastings

  4. #4
    Unobtrusively zen silver trophybronze trophy
    paul_wilkins's Avatar
    Join Date
    Jan 2007
    Location
    Christchurch, New Zealand
    Posts
    14,717
    Mentioned
    103 Post(s)
    Tagged
    4 Thread(s)
    Quote Originally Posted by SJH View Post
    I wanted to know if there was any chance somebody could somehow forge the window.location object on their own site and trick my code into running.
    Someone with a slightly more advanced knowledge of development will be able to modify your script so that they can continue to gain access.

    Perhaps the worst-case scenario is where they load up your web page, edit the script file contents live within their web browser (Google Chrome can do that) so that the page then runs that modified version of your script.
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •