Browser Extensions

How do you protect your scripts that parse on a page from browser extensions, such as Firebug, where users can edit variables and other queries?

You can’t because the browser owner has the final say. That’s why any input you receive from the page needs to be validated on the server.

Anyway Firefox is the only browser to require an extension to fo that. Internet Explorer, Opera, Safari, and Chrome all have the functionality to fo that built in.

Also browser owners can override anything in the stylesheet with their own replacement and can run their own JavaScript immediately after the page loads and before any event triggered JavaScript runs (either via a bookmarklet or userscript - although only Opera supports user scripts without needing an extension).

It’s impossible to protect scripts from browser extensions. However, you can always secure your sites by using multiple checks for each form to make sure these “smart” guys won’t be able to bypass site limits and restrictions.

It’s impossible to protect scripts from browsers.

No extensions required.

Anyone can just turn off JavaScript to bypass any JavaScript validation. With Opera you can install a userscript to selectively turn off JavaScript automatically on selected web pages (You can do it in IE or Firefox as well if you install an appropriate extension to add support for userscripts).

That’s why ALL validation for your purposes needs to be done on the server. Anything you do using JavaScript is just to make things easier for your visitors. If it doesn’t make things easier they’ll turn it off.

More to the point, why would you want to protect your scripts? All it does is increase the workload on your server (verifying everything), increase the chances of theft (surprisingly if you try and protect your code, the “bad people” often see this as a challenge to rip your work apart and redistribute it) and it’s pointless bulk being added to your scripts (as there’s always a very simple way to override your code - the great thing about the web being open). Sorry to say it but it’s pointless to try and control your users, at best the most you will achieve is punishing your legitimate users and leaving them the ones all the worse off. :slight_smile:

Thanks everyone for the support.

We decided that blocking browser extensions wasn’t the best way to protect our cross-forum chat system, so we’ll likely be resorting to a login system.