
I have written many JavaScript functions for my website and recently I found out that those functions can be called simply by writing javascript:FunctionName(); in the URL bar. Calling functions like this could make my website vulnerable, so is there any way to prevent it? Is there any way to stop the use of JavaScript in the address bar?

Any subtle approach could also be helpful, like a way to detect where the call to the function was made from: if it was not from the address bar the function should run, otherwise it won't.

I tried using JavaScript in the address bar on Facebook but it didn't work. So there must be a way to stop this.

Paranoid
    Facebook's functions are probably written inside closures and inaccessible. But it's not like people can't access your code regardless. If you're vulnerable because of JavaScript, you have an absolutely awful security architecture. – Chris Hayes Nov 13 '13 at 06:55
  • JavaScript can always be modified on the client side; you can't stop it. Make sure you have validation at the back end. – Voonic Nov 13 '13 at 06:55
  • You can't stop anything people can do on the client side. The client side belongs to them, not you. If you think it's insecure, improve your server side. – Billy Chan Nov 13 '13 at 06:57
  • You know about the built in development tools that every browser has, right? With the JavaScript debugging consoles? – JAL Nov 13 '13 at 06:58
  • You can pack your JavaScript code so that it's not easily readable. But again, it's client-side; users can modify it. – Jithin Nov 13 '13 at 07:17
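The point the commenters make, that the server cannot trust anything the page's JavaScript has "already checked", as an added example (this is not code from the question or from any commenter): a client-side check beside a server-side handler that re-validates the same request from scratch. The request shape, the account-number format, the transfer limit and the sample session are all constructed for illustration.

```javascript
// Added example: the server re-validates everything the client-side function
// was supposed to check. Session and request objects are constructed sample data.

// What a page's client-side JavaScript might verify before submitting a form.
// Anyone can skip it (URL bar, dev tools, a hand-built HTTP request), so it is a
// usability aid, not a security control.
function clientSideCheck(amount) {
  return Number.isInteger(amount) && amount > 0 && amount <= 1000;
}

// Hypothetical account-number format used by this example only.
const ACCOUNT_FORMAT = /^[A-Z]{3}[0-9]{3}$/;

// Server-side handler: every field of `body` is untrusted input, regardless of
// what the client-side code should have enforced.
function handleTransfer(session, body) {
  if (!session || !session.userId) {
    return { status: 401, error: 'not authenticated' };
  }
  if (!body || typeof body !== 'object') {
    return { status: 400, error: 'malformed request' };
  }
  // Check the type strictly: a JSON body may carry a string, a float or junk here.
  const amount = body.amount;
  if (typeof amount !== 'number' || !Number.isInteger(amount) || amount <= 0 || amount > 1000) {
    return { status: 400, error: 'invalid amount' };
  }
  if (typeof body.toAccount !== 'string' || !ACCOUNT_FORMAT.test(body.toAccount)) {
    return { status: 400, error: 'invalid destination account' };
  }
  // Authorisation comes from the server-side session, never from a field the
  // client sent: the client may name any source account it likes.
  if (body.fromAccount !== session.account) {
    return { status: 403, error: 'account does not belong to user' };
  }
  return { status: 200, transferred: amount, from: session.account, to: body.toAccount };
}
```

The handler never consults `clientSideCheck`; the same rules are applied again on the server, plus the ownership check that only the server can make.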

1 Answer


I agree with the other commenters that detecting "where the call to the function was made and if it was not from the address bar then the function should run" is a bad way to approach client-side security, insofar as there is such a thing.

That said, function scope, closures, and how this relates to the URL bar is an interesting topic. Here's some more context on global variables and scope. The short version is that if you have a function like this:

// declared at the top level of a script: becomes a global (window.test)
function test (argument) {
    alert('hey');
}

It will be executable via the URL bar because it's in the window/global scope, which seems to be as far as javascript: URIs will go. Whereas if you put that same function in a closure:

(function () {
    // only visible inside this immediately-invoked function
    function test (argument) {
        alert('hey');
    }
})();

...it should be inaccessible as far as executing the function in the URL bar goes.

I would be curious to learn the history of why browser vendors implemented Javascript-via-the-URL...it now has practical usage with bookmarklets and the like, but it doesn't seem to be well-documented.
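The scope distinction above made concrete, as an added example (not code from the answer): an indirect eval, `(0, eval)(code)`, stands in for the URL bar, since both evaluate their code in the global scope and can therefore only see globals. `sayHey`, `counter`, `secret` and `runAsUrlBar` are names chosen for this example. In a browser, a top-level function declaration in a classic script becomes a `window` property automatically; Node's module scope does not do that, so the example assigns to `globalThis` explicitly to model the browser behaviour and still run under Node.

```javascript
// Added example: which functions code run from a javascript: URL can reach.

// Case 1: the answer's `test` pattern. In a classic browser <script> a top-level
// `function sayHey() {}` is window.sayHey; here the assignment to globalThis
// models that explicitly so the example also runs under Node.
globalThis.sayHey = function sayHey() {
  return 'hey';
};

// Case 2: the closure pattern. The IIFE is assigned to a global so that the page
// can still use it, but only the object it returns is reachable from outside.
// `secret` and `count` live in the closure and have no global name at all.
globalThis.counter = (function () {
  let count = 0;
  function secret() {
    return 'hey';
  }
  function increment() {
    count += 1;
    return count;
  }
  return { increment };
})();

// Stand-in for typing `javascript:<code>` in the URL bar: indirect eval runs the
// string in global scope. Returns the value, or the error name when the code
// refers to something that is not a global.
function runAsUrlBar(code) {
  try {
    return (0, eval)(code);
  } catch (e) {
    return e.name;
  }
}
```

Calling `runAsUrlBar('sayHey()')` reaches the global function, `runAsUrlBar('counter.increment()')` reaches the one method the closure chose to expose, and `runAsUrlBar('secret()')` or `runAsUrlBar('count')` fail with a ReferenceError because neither name exists in global scope. Note that this only narrows the surface reachable by name: as the comments say, a user who controls the browser can still read and alter the script itself, so the closure is code organisation, not a security boundary.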

Jeff Sisson
    "I would be curious to learn the history of why browser vendors implemented Javascript-via-the-URL" ... Before `onclick` attributes and then proper event handling, there was `...`. It flowed naturally that if clicking that type of link in a page worked, then clicking that type of link in the bookmarks should also work. And what can be bookmarked can be also entered into the URL bar. – DG. Nov 15 '13 at 06:09