14

Is there a way to declare a static of final value in javascript so that it cannot be altered by a 3rd party?

What I have is a article sharing application, with free users being ad supported. What I wish to do is prevent the free users from altering the innerHTML content by altering the storage variable for the content.

What I have at this moment is a timer that reloads the innerHTML of the article on user website every 5 seconds and I'm storing the value for the reload in a variable.

However, if a genius using jsbeatify explores which variable holds the key to removing the ad and alters that, we lose revenue and exposure of our products.

How to prevent the altering of the internal variable?

UPDATE

This is the end result of what I came up with:

http://jsfiddle.net/PgdYP/1/

<div id="specialdiv"></div>
<input type="button" value="try to change the function i to do something different" onclick="t.i = function(){alert(data.secret);}"><BR>
<input type="button" value="set function to null out of spite" onclick="t=null;">


 <script type="text/javascript">
    e = function(){var data = { };
    Object.defineProperty(data, 'secret', {
       value: "Hello world!",
       writable : false,
       enumerable : true,
       configurable : false
       });this.z=function(){window.setTimeout("try{document.getElementById('specialdiv').innerHTML =   '"+data.secret+"';t.i.z();}catch(err) {document.body.innerHTML=err;}",5000);}}
        g = function(){};
        g.prototype = new e();e=null;window.t = {}
        Object.defineProperty(window.t, 'i', {
        value: new g(),
        writable : false,
        enumerable : false,
        configurable : false });g = null;
        window.t = Object.freeze(window.t); t = Object.seal(window.t);
        t.i.z();
    </script>

This will be presented in packed format, just to make it harder just to copy the code out of the source. This way the effort to simply copy and paste the code out will be maximized and will be very hard to automate.

Thank you all for your answers.

Improve this question
3
  • what was the name of the site you were working on again? Commented Oct 25, 2012 at 8:51
  • 1
    You should not care about the very few users that are capable of doing that, there is no way to control the page after it is loaded in users' browsers Commented Oct 25, 2012 at 8:53
  • the const keyword? developer.mozilla.org/en/Core_JavaScript_1.5_Guide/… Commented Oct 25, 2012 at 8:54

2 Answers 2

Reset to default
23

Yes, there is. At least for object properties, ES5 gave us the possiblity to alter the property descriptor flags by hand. So we can do that like

var data = { };

Object.defineProperty(data, 'secret', {
    value: 42,
    writable : false,
    enumerable : true,
    configurable : false
});

That way, we created a property secret with the value 42 within data, which cannot get modfied nor deleted.

The caveat here is, that the genius (like you called it) will also be able to spot this code and just modify that, to again be able to change the content if he wishes to. You just can't create a secured front-end javascript in that way. The code will always be available as plain-text for everybody.

To make this more complete, you can also create an object and freeze it at some point, using Object.freeze() and/or Object.seal() to shutdown the option for enumerating, deleting and modifying on properties of an object.

But again the word of caution: This is intended to affect your own code or foreign code, to prevent modifications by accident or on purpose at run time. There is no way to stop a developer since he can simply halt the execution of your script, before this even can take affect.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

@michael-dibbets Just to make things clear even further. You can't protect anything. Companies spend millions in security systems that get pwned some months after that. You won't just code the next big anti-vulnerable thing... in any way...
The reason is I want it unmodifyable on load and after that by javascript code. I know that it's impossible to nail everything shut, but I want it to make it as hard as possible to alter the script output when it's on their site. There is this treshhold for anyone who wishes to "cheat" between effort and result. This way I raise the bar another notch. Thank you.
+1 for the phrase "There is no way to stop a developer..." !
Note: If your defined property value is not a primitive datatype but an object, it can be modified (just not re-assigned).
1

try the const keyword. it should create an immutable variable.

Improve this answer

6 Comments

interesting..., but I don't think IE implements this
@Ramesh you mean Google Chrome? caniuse.com/#feat=const
@jartaud - Ah I did not realise chrome is implementing this partially. But when I wrote the comment in 2012 IE 10 was the last stable release and it was also not supporting const :)
@Ramesh ikr? the black sheep is winning this one. :D
const does not make a variable immutable. const a = []; a.push(1); works. It just prevents the variable from being re-declared or re-assigned.
|

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.