From: Garrett Smith on
FAQ server wrote:
> -----------------------------------------------------------------------
> FAQ Topic - How can I prevent access to a web page by
> using javascript?
> -----------------------------------------------------------------------
>
> In practice you can't. While you could create a suitable
> encryption system with a password in the page, the level of
> support you need to do this means it's always simpler to do it
> server-side. Anything that "protects" a page
> other than the current one is definitely flawed.
>
>
I actually don't know what "level of support" means here.

Can the answer be shortened to:

| You can't. Access to a page can be restricted by requiring user
| authentication on the server.

?
--
Garrett
comp.lang.javascript FAQ: http://jibbering.com/faq/
From: Garrett Smith on
Thomas 'PointedEars' Lahn wrote:
> Garrett Smith wrote:
>
>> FAQ server wrote:
>>> -----------------------------------------------------------------------
>>> FAQ Topic - How can I prevent access to a web page by
>>> using javascript?
>>> -----------------------------------------------------------------------
>>>
>>> In practice you can't. While you could create a suitable
>>> encryption system with a password in the page, the level of
>>> support you need to do this means it's always simpler to do it
>>> server-side. Anything that "protects" a page
>>> other than the current one is definitely flawed.
>> I actually don't know what "level of support" means here.
>>
>> Can the answer be shortened to:
>>
>> | You can't. Access to a page can be restricted by requiring user
>> | authentication on the server.
>>
>> ?
>
> No. That would imply "javascript" would be client-side only, especially
> that it could not be used server-side for user authentication.
>
The answer presumes that the question is about javascript running on the
client because it says that you can't and it is simpler to do it server
side.

I am wide open for suggestions on this entry. Neither the question nor
the answer is clear. Perhaps:

| FAQ Topic - How can I prevent access to resources in the browser?
|
| You can't. Scripts that attempt to password protect resources do not
| provide any real security.
|
| Access to resources can be restricted by requiring authentication on
| the server.


--
Garrett
comp.lang.javascript FAQ: http://jibbering.com/faq/
From: Bwig Zomberi on
Johannes Baagoe wrote:
> Garrett Smith :
>
>> I am wide open for suggestions on this entry. Neither the question
>> nor the answer is clear. Perhaps:
>
>> | FAQ Topic - How can I prevent access to resources in the browser?
>> |
>> | You can't. Scripts that attempt to password protect resources do not
>> | provide any real security.
>> |
>> | Access to resources can be restricted by requiring authentication on
>> | the server.
>
> I have to disagree. It is quite possible to encrypt the body element
> of a web page using, e.g., AES, store the encrypted value either in an
> Array of Numbers or as a base64-encoded String, present a provisional
> body element that requests a password, decrypt the encrypted body
> with the provided password, check that the result makes sense (that
> it starts with '<body', perhaps), and if so, replace the previous
> body with the decrypted value.
> The level of protection is essentially dependent on the strength of
> the password, and can be made as strong as one may wish.
>
> I'm not sure that it would have any significant advantage over
> classic, server-side solutions, but it is definitely possible.
>

Sending the password (encrypted or otherwise) to the client is simply a
wrong approach to security.

--
Bwig Zomberi
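
The scheme described in the quoted text from Johannes Baagoe, sketched as an added example that is not code from any poster in this thread. It uses Node's `crypto` module so it runs outside a browser and replaces the "starts with '<body'" check with the AES-GCM authentication tag; the function names, PBKDF2 settings and sample values are assumptions.

```javascript
// Added illustration; all names and parameters here are hypothetical.
const nodeCrypto = require('node:crypto');

// Assumed key-derivation cost. Each password check costs this much work.
const KDF = { iterations: 200000, keyLen: 32, digest: 'sha256' };

function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, KDF.iterations, KDF.keyLen, KDF.digest);
}

// Author side: build the blob that is embedded in the page.
// The password itself is never stored in the blob.
function protectBody(bodyHtml, password) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const data = Buffer.concat([cipher.update(bodyHtml, 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    data: data.toString('base64'),
  };
}

// Visitor side: returns the decrypted body, or null when the password is
// wrong or the blob was modified (the GCM tag check fails in both cases).
function revealBody(blob, password) {
  const b64 = (s) => Buffer.from(s, 'base64');
  try {
    const key = deriveKey(password, b64(blob.salt));
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, b64(blob.iv));
    decipher.setAuthTag(b64(blob.tag));
    return Buffer.concat([decipher.update(b64(blob.data)), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed sample values, not taken from the thread.
const SAMPLE_BODY = '<body><h1>Members</h1><p>Constructed sample content.</p></body>';
const SAMPLE_PASSWORD = 'correct horse battery staple';
```

Everything in the returned blob is delivered to every visitor, so password checks happen on the visitor's machine with no server in between; the password's strength and the key-derivation cost are the only barrier.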