Geek Answers Handbook

Is javascript "fake privacy" a security risk?

Javascript does not allow you to pass personal data or methods to objects, for example, in C ++. Oh, well, actually, yes, this happens through some workarounds related to closing. But, based on the Python background, I am inclined to believe that “pretending to be confidential” (through naming conventions and documentation) is good enough or even preferable to “enforced confidentiality” (according to Javascript itself). Of course, I can think of situations when this is not the case - for example. people interact with my code without RTFM, but they blame me - but I'm not in that situation.

But something gives me a pause. Javascript guru Douglas Crockford, in Javascript: The Good Parts and elsewhere, repeatedly refers to fake privacy as a security issue. For example, "an attacker can easily access fields directly and replace methods with his own."

I am confused by this. It seems to me that if I follow the minimum security rules (check, do not blindly trust, the data sent from the browser to my server, do not include third-party scripts on my site without checking them), then there is no situation where to pretend - privacy is less "safe" "than forced confidentiality. It is right? If not, then what is the situation where pretense - privacy and respect for privacy rights have security implications?

+6
source share
2 answers

The answer seems to be "No, fake privacy is OK." Here are some developments:

  • In javascript that exists today, you cannot include an unknown and unreliable third-party script in your web page. This can lead to chaos: it can rewrite all the HTML on the page, it can ask the user for a password, and then send it to an evil server, etc. Etc. The Javascript coding style has no meaning for this basic fact. Please see the answer for a discussion of methods to solve this problem.

  • An incompetent but not evil script can unintentionally ruin things through name conflicts. This is a good argument against creating multiple global variables with common names, but has nothing to do with whether or not fake private variables should be avoided. For example, my banana website might use the fake window.BANANA_STORE_MODULE.cart.__cart_item_array . It is possible that this variable would be accidentally overwritten by a third-party script, but this is incredibly unlikely.

  • ideas floating around for a future modification of javascript that provides a controlled environment where untrusted code can act in the prescribed ways. I could allow untrusted third-party javascript to interact with my javascript through certain public methods and block third-party script access to HTML, etc. If it ever exists, it could be a scenario in which private variables are needed for security. But he does not exist yet.

  • Writing clear and error-free code is always obviously useful for security. Because truly private variables and methods make it easier or harder to write clear, error-free code, security is implied. Whether they are useful or not will always be the subject of debate and taste, and whether your background will be, say, C ++ (where the private variables are central) compared to Python (where the private variables do not exist). There are arguments in both directions, including the famous Javascript Private Variables Evil blog post.

For my part, I will continue to use fake privacy: a leading underscore (or something else) tells me and my staff that some property or method is not part of the module’s public interface. My fake privacy code is more readable (IMO) and I have more freedom to structure it (for example, closing cannot span two files) and I can access these fake variables when I am debugging and experimenting. I will not worry that these programs are somehow more unsafe than any other javascript program.

0
source

Not in myself. However, this means that you cannot safely load untrusted JavaScript code into your HTML documents, as Crockford points out. If you really need to run such unreliable JavaScript code in a browser (for example, for custom widgets on social networking sites), consider an isolated iframe sandbox.

As a web developer, your security problem is often due to the fact that large brokers in online advertising do not support (or even prohibit ) by creating their advertising code. Unfortunately, you have to trust Google to not deliver malicious JavaScript, intentionally or inadvertently (for example, they hacked).

Here is a brief description of the isolated iframe sandbox I posted as an answer to another question :

Set up a completely separate domain name (for example, exampleUSercontent.com) exclusively for user-provided HTML, CSS, and JavaScript. Do not allow this content to be downloaded through your primary domain name. Then paste the user content into your pages using iframes.

If you need closer integration than just framing, window.postMessage() can help by allowing scripts in different frames to interact with each other in a controlled way.

+1
source

More articles:


All Articles