问题描述

我有问题.我已经定义了一些全局变量并将其命名为一个名为"app"的对象.示例:

I have a problem. I have defined some global variables and namespaced it into an object called "app".Example:

window.app : {
    foo : null,
    bar : null,
}

好吧，我的想法是我希望能够通过调用app.foo ="baz"或app.bar ="baz"来从任何模块中修改那些变量，但是我不希望用户能够从浏览器控制台(元素检查器)修改这些变量.

Well, the idea is that I want to be able to modify those variables from any module by calling app.foo = "baz" or app.bar = "baz", but I don't want the user to be able to modify those variables from the browser console (element inspector).

有可能吗?

PD:嗯，我有一个Backbone.js集合，该集合与服务器同步.我不希望用户能够使用控制台修改该集合

PD: Well, I have a Backbone.js collection which is sinchronized with the server. I don't want the user to be able to modify that collection with the console

推荐答案

否.浏览器是用户的域.他们可以通过各种方式(通过控制台或浏览器插件)修改脚本并注入自己的功能.这就是为什么您不应该盲目地信任服务器端用户输入的原因之一.

No. The browser is the user's domain. They have the possibility to modify your scripts and inject their own functionality in various ways (through the console or browser plug-ins). That's one of the reasons why you should never blindly trust user input on the server side.

他们甚至可以手动伪造一个完整的请求，诱使您的服务器认为您的JavaScript代码发出了该请求.

They could even manually forge a complete request, tricking your server into thinking that your JavaScript code made that request.

如果希望这些值是安全的，则需要将它们保留在服务器上.当然，只要您可以根据服务器上的值来验证值，就可以将它们发送给客户端.

If you want these values to be secure, you need to keep them on the server. You can send them to the client, of course, as long as you keep a possibility to validate the values against those on the server.

这篇关于避免从浏览器控制台修改Javascript变量的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！