=== Misplaced trust in the client ===

Developers of client-server applications must recognize that untrusted clients may be under the control of attackers. The author of an application should not assume that their JavaScript code will run as intended (or at all), and any secret embedded in the code could be extracted by a determined adversary. Some implications are:

* Website authors cannot perfectly conceal how their JavaScript operates, because the raw source code must be sent to the client. The code can be [[obfuscated code|obfuscated]], but obfuscation can be reverse-engineered.
* JavaScript form validation only provides convenience for users, not security. If a site verifies that the user agreed to its terms of service, or filters invalid characters out of fields that should only contain numbers, it must do so on the server, not only on the client.
* Scripts can be selectively disabled, so JavaScript cannot be relied on to prevent operations such as right-clicking on an image to save it.<ref>{{cite web |last1=Kottelin |first1=Thor |title=Right-click "protection"? Forget about it |url=https://blog.anta.net/2008/06/17/right-click-%E2%80%9Cprotection%E2%80%9D-forget-about-it/ |website=blog.anta.net |access-date=28 July 2022 |archive-url=https://web.archive.org/web/20110809195359/https://blog.anta.net/2008/06/17/right-click-%E2%80%9Cprotection%E2%80%9D-forget-about-it/ |archive-date=9 August 2011 |date=17 June 2008}}</ref>
* It is considered very bad practice to embed sensitive information such as passwords in JavaScript, because it can be extracted by an attacker.<ref>{{cite web |last1=Rehorik |first1=Jan |title=Why You Should Never Put Sensitive Data in Your JavaScript |url=https://www.serviceobjects.com/blog/why-you-should-never-put-sensitive-data-in-your-javascript/ |website=ServiceObjects Blog |date=29 November 2016 |publisher=ServiceObjects |access-date=3 June 2019 |archive-date=3 June 2019 |archive-url=https://web.archive.org/web/20190603142957/https://www.serviceobjects.com/blog/why-you-should-never-put-sensitive-data-in-your-javascript/ |url-status=live}}</ref>
* [[Prototype pollution]] is a runtime vulnerability in which attackers can overwrite arbitrary properties in an object's prototype.
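The prototype pollution entry above, illustrated with an added example that is not from the article or any source it cites: a recursive deep merge of untrusted JSON (as a server might receive in a request body) in its naive form beside a hardened form that refuses prototype-chain keys. The function names and the sample input are this example's own assumptions.

```javascript
// Naive deep merge: copies every enumerable key of source into target, including
// "__proto__". Because target.__proto__ resolves to Object.prototype, the recursion
// writes attacker-chosen properties onto every object in the process.
function naiveMerge(target, source) {
  for (const key in source) {
    if (typeof source[key] === 'object' && source[key] !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened deep merge: skips the keys that reach the prototype chain and only
// descends into properties that target itself owns, so nothing is written through
// an inherited accessor. Everything else behaves like the naive version.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input (assumption for this example): a legitimate-looking
// setting plus a "__proto__" key that JSON.parse turns into an ordinary own property.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Merge the input with a given strategy and report whether a brand-new, unrelated
// object now appears to carry the injected property. Cleans up afterwards so the
// process stays usable.
function demo(mergeFn) {
  const settings = mergeFn({ theme: 'light' }, JSON.parse(UNTRUSTED_JSON));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { theme: settings.theme, polluted };
}
```

`demo(naiveMerge)` reports `polluted: true`, while `demo(safeMerge)` keeps the legitimate `theme` value and reports `polluted: false`.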