1

Hi, I was wondering whether there is any way to disable the ability to change the JavaScript/jQuery from the inspector console?

Just in case you want to prevent a user from interacting with and changing things in the DOM using the console, or maybe sending forms while avoiding some checks done in JavaScript.

Or is it impossible to do that, and you just have to do all the security and this kind of thing on the server side?

Thanks!

victorgb6
  • 91
  • 2
  • 10

2 Answers

3

Anything on the client side is never going to be fully secure. This is because it can be manipulated not only by the browser's developer tools, but by any number of other 3rd party tools.

The server itself must be fully secured, because there is no way of guaranteeing that a request is even being made from the web site itself, let alone that the javascript validation was not tampered with.

Will P.
  • 8,437
  • 3
  • 36
  • 45
  • However, I still guess it's a cool option. At least it will prevent getting user info by leaving a changed website on some public PCs, e.g. in libraries or something. Most people would only check the URL – Lapsio Mar 05 '14 at 18:04
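
The server-side check this answer calls for, as an added example that is not part of the original answers: the server re-validates the raw form body itself, so it makes no difference whether the page's JavaScript checks ran. The field names (`email`, `age`, `plan`), the rules and the `validateSubmission` helper are assumptions made for illustration.

```javascript
// Added example: server-side re-validation of a form submission.
// Field names and rules below are assumptions, not taken from the question.
const RULES = {
  email: v => v.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  age: v => /^\d{1,3}$/.test(v) && Number(v) >= 18 && Number(v) <= 120,
  plan: v => ['free', 'pro'].includes(v),
};

// Validate an application/x-www-form-urlencoded body exactly as received.
// Nothing here assumes the request came from the site's own page.
function validateSubmission(rawBody) {
  const params = new URLSearchParams(rawBody);
  const errors = [];
  const data = {};

  // Reject fields the form never defines (e.g. an injected privilege flag).
  for (const key of new Set(params.keys())) {
    if (!Object.prototype.hasOwnProperty.call(RULES, key)) {
      errors.push(`unexpected field: ${key}`);
    }
  }

  // Every expected field must appear exactly once and pass its rule.
  for (const [name, isValid] of Object.entries(RULES)) {
    const values = params.getAll(name);
    if (values.length !== 1) errors.push(`${name}: expected exactly one value`);
    else if (!isValid(values[0])) errors.push(`${name}: invalid`);
    else data[name] = values[0];
  }

  return errors.length ? { status: 400, errors } : { status: 200, data };
}

// Constructed sample bodies: one the page's own form would produce, and one
// sent without the page's JavaScript checks having run.
const SAMPLE_OK = 'email=a%40example.com&age=30&plan=pro';
const SAMPLE_TAMPERED = 'email=not-an-email&age=-5&plan=admin&isAdmin=true';

console.log(validateSubmission(SAMPLE_OK));
console.log(validateSubmission(SAMPLE_TAMPERED));
```

Client-side checks can stay for user feedback; the accept-or-reject decision is made only from what this function returns.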
0

Yes, to disable the console just run this on the client:

Object.defineProperty(console, '_commandLineAPI', {
    get : function() {
        throw "Console is disabled";
    }
});

This won't let them use the console.

Note: There isn't a 100% secure option to get around this, but at least doing this won't allow console usage. Add security to your server to see which requests are legit.

Also, this will only work in Chrome, because Chrome wraps all the console code in:

with ((console && console._commandLineAPI) || {}) {
  <code area>
 }

Firefox has a different way to wrap the code from the console. This is why this is not a 100% secure protection from console commands.

joseantgv
  • 1,943
  • 1
  • 26
  • 34
Eduardo Quintana
  • 2,368
  • 1
  • 15
  • 20
  • 1
    except that anyone could run some javascript from the URL anyway, which could embed their own custom console, or simply remove what you've added. – zzzzBov Mar 05 '14 at 17:23
  • The point is that I don't want to disable JavaScript, just the ability to execute JavaScript from the inspector console. – victorgb6 Mar 05 '14 at 17:24
  • There are no 100% secure options, but at least with this they can't just press F12 and send a $.ajax with the info they want. Even Facebook has this on its login page. – Eduardo Quintana Mar 05 '14 at 17:24
  • Edited; this will disable the console. The JavaScript will work as normal, but the console will be disabled and it will return the error. – Eduardo Quintana Mar 05 '14 at 17:25
  • But yes, as @Will says, the server itself must be fully secured to see which requests to respond to. – Eduardo Quintana Mar 05 '14 at 17:29
  • I think that is what I was looking for, keeping in mind that the server must be fully secured also. Thanks! – victorgb6 Mar 05 '14 at 17:36
  • This simply disables the console logging, but does not at all prevent people from using the developer tools to manipulate javascript execution – Will P. Mar 05 '14 at 17:37
  • Using this they won't be able to use anything on the command line, but yes, they can still use the developer tools to alter the DOM, just not via the command line. That's why there isn't a perfect solution, because as you said this is the client side – Eduardo Quintana Mar 05 '14 at 17:42
  • You could add `configurable:false,writable:false` (after the get property) to make it impossible to revert by an external script. – Lapsio Mar 05 '14 at 18:01
  • It seems that if we add writable:false we get this error: A property cannot both have accessors and be writable or have a value – Eduardo Quintana Mar 05 '14 at 18:08