Html 如何从浏览器控制台禁用 JavaScript 函数调用?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/19235872/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to disable JavaScript function calls from the browser console?
提问by Bergi
I'm working on a web application in HTML/JavaScript, and I want to prevent users from calling functions in their browser console in order to avoid cheating. All these functions are contained in a unique file called functions.jswhich is loaded in the head of the index.htmlfile.
我正在使用 HTML/JavaScript 开发一个 web 应用程序,我想防止用户在他们的浏览器控制台中调用函数以避免作弊。所有这些函数都包含在一个名为的唯一文件functions.js中,该index.html文件加载在文件的头部。
After a search on the web I found this solution, which works fine in Google Chrome, but it is inefficient in other browsers such as Firefox:
在网上搜索后,我找到了这个解决方案,它在 Google Chrome 中运行良好,但在其他浏览器(例如 Firefox)中效率低下:
var _z = console;
Object.defineProperty( window, "console", {
get : function(){if( _z._commandLineAPI ){ throw "Script execution not permitted" } return _z; },
set : function(val){ _z = val }
});
Is there a general way to disable functions call from console? Does it depend on the browser or is it just a problem of scoping or maybe something else that I have ignored?
是否有禁用从控制台调用函数的通用方法?它是否取决于浏览器,还是只是范围界定的问题,或者我忽略的其他问题?
回答by Bergi
Is there a general way to disable functions call from console?
是否有禁用从控制台调用函数的通用方法?
No. there isn't: Never.Well, apparently, Facebook found a way in Google Chrome to do so: How does Facebook disable the browser's integrated Developer Tools?- though, I would consider it a bug :-)
不,没有:从来没有。好吧,显然,Facebook 在 Google Chrome 中找到了一种方法:Facebook 如何禁用浏览器的集成开发人员工具?- 不过,我会认为这是一个错误:-)
Is it maybe something else that I have ignored?
是不是我忽略了其他东西?
Yes. JavaScript is executed client-side, and the client has the full power over it. He can choose whether or not to execute it, how to execute it and modify it as he wants before executing it. Modern developer tools allow the user to execute arbitrary functions in arbitrary scopes when debugging a script.
是的。JavaScript 在客户端执行,客户端拥有对它的全部权力。在执行之前,他可以选择是否执行,如何执行和修改。现代开发人员工具允许用户在调试脚本时在任意范围内执行任意函数。
You can make it harder to introspect and use (call) your code by avoiding to expose your methods in the global scope, and by obfuscating (minifying) the source. However, never trust the client. To avoid cheating, you will have to perform all crucial task on the server. And don't expect all requests to come from your JavaScript code or from a browser at all; you will need to handle arbitrary requests which might be issued by some kind of bot as well.
通过避免在全局范围内公开您的方法以及混淆(缩小)源代码,您可以使内省和使用(调用)您的代码变得更加困难。但是,永远不要相信客户。为避免作弊,您必须在服务器上执行所有关键任务。不要期望所有请求都来自您的 JavaScript 代码或浏览器;您还需要处理可能由某种机器人发出的任意请求。
回答by Bob Davies
Rather than eliminating access to the console, just code your javascript so it doesn't pollute the global namespace. It will make it much harder (or in simple cases virtually impossible) for code executed from the console or address bar to execute your code: https://stackoverflow.com/a/1841941/1358220
而不是消除对控制台的访问,只需编写您的 javascript 代码,这样它就不会污染全局命名空间。从控制台或地址栏执行的代码将更难(或在简单的情况下几乎不可能)执行您的代码:https: //stackoverflow.com/a/1841941/1358220
It's also worth noting, if you have some code you want the user not to be able to edit or execute, move it to the serverside and only expose the result to the client. You're currently trying to fix a bad design design with a bad coding decision. Improve your design and the implementation will take care of itself.
还值得注意的是,如果您希望用户无法编辑或执行某些代码,请将其移动到服务器端并仅将结果公开给客户端。您目前正试图通过错误的编码决策来修复错误的设计设计。改进您的设计,实施将自行处理。
回答by lordvlad
回答by Pranay Soni
if (window.webkitURL) {
var ish, _call = Function.prototype.call;
Function.prototype.call = function () { //Could be wrapped in a setter for _commandLineAPI, to redefine only when the user started typing.
if (arguments.length > 0 && this.name === "evaluate" && arguments [0].constructor.name === "InjectedScriptHost") { //If thisArg is the evaluate function and the arg0 is the ISH
ish = arguments[0];
ish.evaluate = function (e) { //Redefine the evaluation behaviour
throw new Error ('Rejected evaluation of: \n\'' + e.split ('\n').slice(1,-1).join ("\n") + '\'');
};
Function.prototype.call = _call; //Reset the Function.prototype.call
return _call.apply(this, arguments);
}
};
}
回答by Domi
If you want to avoid "cheating", you will need server-side verification of user input. The client can only send the server information according to a server-side defined protocol, and thus cheating is impossible, unless your protocol has security leaks (and most protocols do, especially new protocols).
如果您想避免“作弊”,您将需要对用户输入进行服务器端验证。客户端只能根据服务器端定义的协议发送服务器信息,因此作弊是不可能的,除非你的协议存在安全漏洞(大多数协议都有,尤其是新协议)。
Sandboxes such as the Facebook API, Google Cajaand more allow you to arbitrarily enforce any constraints by "re-writing" the language (they run a parser on and basically re-compile user-given code and make everything that is unsafe safe). This works as long as you can make sure that user code can only run inside these environments. This way code from other users cannot mess with your client, but you can of course still mess with your own client.
Facebook API、Google Caja等沙箱允许您通过“重新编写”语言来任意强制执行任何约束(它们运行解析器并基本上重新编译用户给定的代码并使所有不安全的东西变得安全)。只要您可以确保用户代码只能在这些环境中运行,这就会起作用。这样,来自其他用户的代码不会干扰您的客户端,但您当然仍然可以干扰自己的客户端。
