禁止从 chrome 控制台编辑 javascript?
[英]Disable editing of javascript from chrome console?
问题描述
So, I just noticed today that you can apparently run javascript in the chrome console.
所以,我今天才注意到,您显然可以在 chrome 控制台中运行 javascript。 I had no idea you could do this.我不知道你能做到这一点。 It's actually really cool.这真的很酷。
In my rails app, I have an external javascript page.在我的 rails 应用程序中,我有一个外部 javascript 页面。 Some of the variables on that page I would like to be global so that all the functions in the JS file can access them.我希望该页面上的一些变量是全局变量,以便 JS 文件中的所有函数都可以访问它们。 for example I have a map, and I would like the map object to be global in the javascript file because that way all my functions access the one map variable instead of creating their own, and I can break complex operations down into smaller functions.例如,我有一张地图,我希望地图对象在 javascript 文件中是全局的,因为这样我的所有函数都访问一个地图变量而不是创建自己的地图变量,并且我可以将复杂的操作分解为更小的函数。
This is all well and good I know how to do that and it's working perfectly.这一切都很好,我知道如何做到这一点,而且效果很好。 My problem now, can I protect the variables from outside?我现在的问题是,我可以从外部保护变量吗? For example you can change the values of all the javascript class variables from the chrome console.. as well methods from for example the map are accessible and excecutable.. I have locked the map settings on one of the pages so it is not zoomable or movable, however from the console I can simply say map.setZoom(11) and the map will zoom to 11.. I can type map.dragable = true and bam u can drag the map.. I don't like this really..例如,您可以从 chrome 控制台更改所有 javascript 类变量的值.. 以及例如地图中的方法是可访问和可执行的.. 我已锁定其中一页上的地图设置,因此它不可缩放或可移动,但是从控制台我可以简单地说map.setZoom(11)并且地图将缩放到 11.. 我可以输入map.dragable = true并且 bam 你可以拖动地图.. 我真的不喜欢这个。 .
It's not too terribly bad yet like the user enabling map drag and zoom isnt the worst thing in the world.. but still I'd like to disable this.这还不算太糟糕,就像用户启用地图拖动和缩放并不是世界上最糟糕的事情一样......但我仍然想禁用它。 Any ideas?有任何想法吗?
EDIT编辑
Thanks all for the answers and comments.感谢大家的回答和评论。 I guess I will just resort to not putting anything that can be turned malicious into my javascript, and do thing like pass my map variable to functions where necessary to slow people down.我想我只会诉诸于不将任何可以变成恶意的东西放入我的 javascript 中,并做一些事情,例如将我的地图变量传递给需要减慢人们速度的函数。
6 个解决方案
解决方案1
6 2012-11-01 18:09:10
You can use an immediately-invoked function (IIFE) expression to prevent your variables and functions from being exposed in the global scope:您可以使用立即调用函数 (IIFE) 表达式来防止您的变量和函数在全局范围内公开:
var a = 10;
(function() {
var b = 20;
})();
window.a lets you view and modify a , but you cannot do that with b : window.a允许您查看和修改a ,但您不能使用b这样做:
I'm more than sure that there's a way to edit b with Inspector, but I haven't taken the time to figure it out.我非常确定有一种方法可以使用 Inspector 编辑b ,但我没有花时间弄清楚。 Don't waste your time trying to prevent your users from modifying code that they can view.不要浪费时间试图阻止用户修改他们可以查看的代码。
解决方案2
4 2012-11-01 18:12:15
You can't.你不能。 Even if you wrap them into anonymous functions, user can get to them through debugger.即使将它们包装成匿名函数,用户也可以通过调试器访问它们。 As last resort he can simply intercept your traffic to his own machine and replace your JavaScript with something else.作为最后的手段,他可以简单地拦截你到他自己机器的流量,并用其他东西替换你的 JavaScript。
Bottom line: JavaScript in browser is client-side .底线:浏览器中的 JavaScript 是客户端的。 Client can do whatever he pleases with it.客户可以为所欲为。
解决方案3
3 2012-11-01 18:10:00
Try doing something like this:尝试做这样的事情:
(function(){
//All of your current code
})();
One thing to still be aware of - Chrome developer tools also lets you edit the javascript (not the javascript file on the server, just currently running copy.) Go to Chrome Dev Tools->Sources and you can edit the javascript files.仍然需要注意的一件事 - Chrome 开发人员工具还允许您编辑 javascript(不是服务器上的 javascript 文件,只是当前正在运行的副本。)转到 Chrome Dev Tools->Sources,您可以编辑 javascript 文件。
解决方案4
2 2012-11-01 18:12:28
You can't.你不能。 Your saying you need to define your map globally, this means it's accessible for everyone.你说你需要全局定义你的地图,这意味着每个人都可以访问它。 You could define your map in a different scope and then only define the "public" things:您可以在不同的范围内定义您的地图,然后只定义“公共”的东西:
(function() {
var map = new Map();
window.myMap = {
goTo: function(lat, lng) {
map.goTo(lat, lng);
}
};
})();
解决方案5
1 2012-11-01 18:16:17
Depending on your architecture, there are a few ways to accomplish this.根据您的架构,有几种方法可以实现这一点。 Use this method to create a reusable component that has public and private properties:使用此方法创建具有公共和私有属性的可重用组件:
var protectedScope = function () {
var protected_var = 'protected';
this.showProtected = function () {
return protected_var;
}
this.public = 'public';
};
var myObject = new protectedScope();
console.log('Public var: '+myObject.public); // outputs "public"
console.log('Protected via accessor: '+myObject.showProtected ()); // outputs "private"
console.log('Protected var: '+myObject.protected); // outputs undefined
Any variable or function declared with a var keyword will be, in effect, private.任何用var关键字声明的变量或函数实际上都是私有的。 Any variable or function that uses the this.name mechanism will be "public".任何使用this.name机制的变量或函数都将是“公共的”。
Understand that this structure is not truly public or private, such concepts are not a part of the language.理解这种结构并不是真正的公共或私有的,这样的概念不是语言的一部分。 There are still ways to get at those variables, and one can always view source.仍然有一些方法可以获取这些变量,并且可以随时查看源代码。 Just be clear;清楚一点; this is a code organization concept rather than a security concept.这是一个代码组织概念而不是一个安全概念。 Chrome has had this developer console for a while, and other major user agents are moving to include similar tools (or already have done so). Chrome 已经拥有这个开发者控制台有一段时间了,其他主要的用户代理正在转向包含类似的工具(或已经这样做了)。 There are also tools like Firebug which allow a user full access to your javascript runtime environment.还有像 Firebug 这样的工具允许用户完全访问您的 javascript 运行时环境。 This isn't a realm that the developer can control at all.这根本不是开发人员可以控制的领域。
Try it here: http://jsfiddle.net/cf2kS/在这里试试: http : //jsfiddle.net/cf2kS/
More Reading更多阅读
- "Private Members in JavaScript" by Douglas Crockford* - http://www.crockford.com/javascript/private.html道格拉斯·克罗克福德的“JavaScript 中的私人成员”* - http://www.crockford.com/javascript/private.html
- "OOP in JS, Part 1 : Public/Private Variables and Methods" on http://phrogz.net - http://phrogz.net/JS/classes/OOPinJS.html http://phrogz.net - http://phrogz.net/JS/classes/OOPinJS.html上的“JS 中的 OOP,第 1 部分:公共/私有变量和方法”
- Javascript Object Management on MDN - https://developer.mozilla.org/en-US/docs/XUL_School/JavaScript_Object_Management MDN 上的 Javascript 对象管理 - https://developer.mozilla.org/en-US/docs/XUL_School/JavaScript_Object_Management
- Closures on MDN - https://developer.mozilla.org/en-US/docs/JavaScript/Guide/Closures MDN 上的闭包 - https://developer.mozilla.org/en-US/docs/JavaScript/Guide/Closures
解决方案6
0
Object.defineProperty(map, 'zoom', {value:1});
or要么
Object.defineProperty(map, 'zoom',{
set: function(){console.warn('Access denied!');},
get: function(){return 1;}
});
or要么
Object.defineProperty(Object.prototype, 'protect', {
value: function(ignore){
var childObjects = [], ignore = ignore || [];
ignore.push(this);
if(this instanceof MimeType)return; //Chrome Fix //window.clientInformation.mimeTypes[0].enabledPlugin[0] !== window.clientInformation.mimeTypes[0]
for(var prop in this){
if(typeof this[prop] === "unknown")continue; //IE fix
if(this[prop] instanceof Object){
var skip = false;
for(var i in ignore)
if(ignore[i]===this[prop]){
skip = true;
break;
}
if(!skip)childObjects.push(prop);
}
var d = Object.getOwnPropertyDescriptor(this, prop);
if(!d || !d.configurable || !d.writable)continue;
var that = this;
(function(){
var temp = that[prop];
delete that[prop];
Object.defineProperty(that, prop,{
set: function(){console.warn('Access denied!');},
get: function(){return temp;}
});
})();
}
for(var i = 0;i<childObjects.length;i++)
this[childObjects[i]].protect(ignore);
}
});
this.onload=function(){this.protect();} //example
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.