Is internal JS secure? (is external?)

Tony Davis
12-19-2005, 09:00 PM
I like having scripts external, but I wonder about the security of internal anyway. Someone could save and change the HTML, right? But is that possible with an external script? I always thought not (unless there was an error), until a person on this forum was able to grab the script I was working with at the time. No problem with that, but it brings up the question in my mind about security in general surrounding JavaScript.

Any suggestions are appreciated!

12-19-2005, 09:20 PM
When it comes to secure JavaScript, there isn't any. The user can always download the script and modify it, though JavaScript can't go across domains due to security reasons.

Tony Davis
12-19-2005, 09:30 PM
Even an external script can be downloaded?

12-19-2005, 09:32 PM
Yep, it gets cached, but the user could view the source, navigate to the JS file, File > Save As, and it's saved. JS is parsed as text in Firefox. If you have Firefox, type the location of your JS file into your browser and it will show as text; if you do it in IE, it will try to download it.

Tony Davis
12-19-2005, 09:40 PM
Thanks. I did not know that. So I guess it makes no difference, as far as security goes anyway, whether your script is internal or external.

12-20-2005, 10:13 AM
JavaScript was not created as a secure language or in order to secure any other language (HTML, for instance). For secure stuff, use a server-side application, not a client-side one such as JavaScript.

12-20-2005, 08:52 PM
JavaScript is basically Open Source. Anyone can read your JavaScript no matter where you have it. You can obfuscate it to make it harder to read, which may stop people from being able to make changes to it, but there is nothing you can do to stop people copying it in its entirety.

Philip M
12-21-2005, 07:29 AM
Might I ask whether it is possible for a user (customer) to modify a script which is in use? For example, if an order form calculates shipping costs based on quantity/destination (say the result is $20), could a user alter the calculation to result in (say) $2, and then submit the form? Or otherwise change the prices?

12-21-2005, 08:19 AM
A user can change anything on their own system.
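
The advice in the replies above (do anything that matters on the server, because the user controls everything in the browser) applied to the order-form question, as an added example that is not part of the original thread. The price table, shipping rules, field names and the `priceOrder` function are all assumptions made up for illustration.

```javascript
// Server-side price and shipping data, in cents (constructed sample values).
const PRICES_CENTS = { widget: 1500, gadget: 4000 };
const SHIPPING_CENTS = {
  US: { base: 500, perItem: 150 },
  CA: { base: 900, perItem: 250 },
};
const MAX_QTY = 100;

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Recompute the order from trusted data. Only the item id, quantity and
// destination are read from the submitted form, and each is validated.
// Any shipping figure the browser sent is compared, never used.
function priceOrder(form) {
  if (!has(PRICES_CENTS, form.item)) throw new Error("unknown item");
  if (!has(SHIPPING_CENTS, form.destination)) throw new Error("unknown destination");
  const qty = Number(form.quantity);
  if (!Number.isInteger(qty) || qty < 1 || qty > MAX_QTY) throw new Error("bad quantity");

  const rule = SHIPPING_CENTS[form.destination];
  const shipping = rule.base + rule.perItem * qty;
  const total = PRICES_CENTS[form.item] * qty + shipping;

  // A mismatch means the client-side calculation was altered or is stale.
  // It is worth logging, but the charge is the server's figure either way.
  const tampered = form.shipping !== undefined && Number(form.shipping) !== shipping;
  return { shipping, total, tampered };
}

// Constructed submissions: the page script computed $20.00 shipping; the
// second form had that field edited down to $2.00 before submitting.
const honest = priceOrder({ item: "widget", quantity: "10", destination: "US", shipping: "2000" });
const altered = priceOrder({ item: "widget", quantity: "10", destination: "US", shipping: "200" });
console.log(honest, altered);
```

Both submissions are charged the same amount; the edited field only sets the `tampered` flag.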