Securing JavaScript Applications
One big problem with using JavaScript as the basis for your application is that, if a hacker gets clever, they can insert their own JavaScript into your trusted page and execute it as though it were yours (XSS).
You could curtail a hacker by modifying the DOM so that the objects they would typically use to perform the hack have been replaced, or modified, so that they are lame. This wouldn’t hurt your code since, if well written, it would save references to the unchanged objects.
For example, you could:
- define an empty function called XMLHttpRequest
- crawl the DOM and remove, or replace, appendChild and other DOM methods, making dynamic script tags impossible to insert.
- _document = document; document = {}; // Making it more difficult to get your hands on the document object
I haven’t heard anyone talk about this before so I’d love to hear what people think.
Thanks,
Allain
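
The idea in the post above, sketched as an added example (not code from the original post): `makeFakeWindow` and `lockDown` are hypothetical names, and the fake window is a constructed stand-in so the code runs in Node. It also verifies that each replacement took effect, because `document` is a read-only, non-configurable property on a real browser window and cannot be reassigned.

```javascript
// Constructed stand-in for a browser global object (assumption: lets this run in Node).
// `document` is a getter-only, non-configurable property, as on a real window.
function makeFakeWindow() {
  function Node() {}
  Node.prototype.appendChild = function (child) { return child; };
  function XMLHttpRequest() { this.real = true; }
  const doc = new Node();
  const win = { Node, XMLHttpRequest };
  Object.defineProperty(win, 'document', {
    get() { return doc; }, enumerable: true, configurable: false,
  });
  return win;
}

// Hypothetical helper: keep private references for trusted code,
// then replace the publicly reachable names with inert values.
function lockDown(win) {
  const trusted = {
    XMLHttpRequest: win.XMLHttpRequest,
    appendChild: win.Node.prototype.appendChild,
    document: win.document,
  };
  const inert = function () {};
  const targets = [
    [win, 'XMLHttpRequest', inert],
    [win.Node.prototype, 'appendChild', inert],
    [win, 'document', {}],
  ];
  const notReplaced = [];
  for (const [owner, name, replacement] of targets) {
    try {
      owner[name] = replacement;
    } catch (e) {
      // Strict mode throws on a read-only property; sloppy mode ignores the write.
    }
    // Verify instead of assuming: report names that still expose the original.
    if (owner[name] === trusted[name]) notReplaced.push(name);
  }
  return { trusted, notReplaced };
}

const demoWindow = makeFakeWindow();
const demoResult = lockDown(demoWindow);
console.log('still exposed:', demoResult.notReplaced);
```

Trusted code has to receive `trusted` through a closure or module scope rather than a global, otherwise the saved references are as reachable as the originals were.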