Can window.location be faked?

SJH · November 16, 2011, 5:20pm

On my client’s website there is a ‘find address’ button on a contact form where people can fill in their postcode and it will send an AJAX request to a PHP script to return street name, town and county.

This PHP script queries a SOAP web service and my client is charged for each postcode lookup that is performed.

It would be trivial for someone with a basic knowledge of development to hotlink my JavaScript file and start using my client’s postcode search functionality free of charge, while costing my client money.

With this in mind I’ve written my JavaScript like this:


(function() {

    if('www.mydomain.com' == window.location.hostname) {

        myButton.onclick = function() {
            doAjaxyStuff('myPostcodeScript.php');
        };

    }

})();

I wanted to know if there was any chance somebody could somehow forge the window.location object on their own site and trick my code into running.

Any input would be much appreciated

P.S. I know that I can control access to the script using the HTTP_REFERER request header. I also know that this can be faked or not present at all so would rather not rely on it if possible.

sdleihssirhc · November 16, 2011, 7:40pm

My understanding is no, not really.

They can’t create a new object called window.
They can’t assign a new object to window.location
They can’t assign a new string to window.location.hostname
They can’t execute your function in a different context, so that “window” points to a different object.

These are basically the drop-dead laziest ways to try to spoof it, but you’re probably fine.

SJH · November 16, 2011, 8:24pm

Thanks, that’s made me feel much more comfortable

I guess it was point number four that you made that was worrying me the most. I couldn’t think of any way of doing that but there’s a lot I don’t know about JavaScript so thought I would let the community weigh in.

Thanks again for responding!

Paul_Wilkins · November 16, 2011, 9:23pm

Someone with a slightly more advanced knowledge of development will be able to modify your script so that they can continue to gain access.

Perhaps the worst-case scenario is where they load up your web page, edit the script file contents live within their web browser (Google Chrome can do that) so that the page then runs that modified version of your script.