-2

For security reasons I need to make it so that, once a website is loaded in a browser, that website cannot be updated at all, even with a manual refresh. Is this possible with Service Workers and/or some other technology, and if so, how?

quadrupleslap
  • What is your main purpose here? Whatever you've said is not possible by any means. Since manual refresh will work in any case, one thing which you can do is shift your code to Electron, and then maybe you'll be able to do what you want to do. – Kumar Shubham Nov 21 '17 at 14:18
  • What does "for security reasons" mean? When a website is sent to a browser, you have no control whatsoever on what the user will do with your code. It's all public. Anyone can see your JavaScript and delete HTML elements from the page, but anyway it will never be saved to your server, it happens only in an individual's browser, and everything will get back to normal upon reload, so why bother? I don't get it – Jeremy Thille Nov 21 '17 at 14:25
  • Sounds like you want to build a desktop application, not a web application. – Matt S Nov 21 '17 at 14:26
  • @JeremyThille It's not the user who's the enemy, it's someone who might take over the server and change the scripts, putting the user at risk. – quadrupleslap Nov 22 '17 at 04:10
  • So, if someone hijacks your server, you still want to send to the user a safe, unhacked version of your site? That'd be nice, wouldn't it? :) – Jeremy Thille Nov 22 '17 at 08:22
  • Yeah, load the unhacked version already in the user's cache. – quadrupleslap Nov 22 '17 at 11:22

2 Answers

2

If this were possible, any attacker could temporarily hijack a website and do permanent damage (typically defacement). The security considerations of the HTML5 offline web application standard discuss this in detail.

Therefore, it is not possible to prevent a website from being updated by its owner or the user.

phihag
1

EDIT after clarification on the nature of the question.

You want to ensure that the user is not affected by a (malicious) change of the website he initially loaded the data from.

Again, this is against the design of client-server applications, but you could consider creating a client-only page: a page which consists of only HTML, CSS and JavaScript and which would not communicate with the server once it has been loaded.

This would break should the user refresh the page (which would reload data from the server, caching aside).

Other than that, it is not possible to "freeze" what your browser received; it is up to the application to discuss with the backend (you control that) and to the user to reload the page (the user controls that).

You could also imagine blacklisting the requester (based on an IP, maybe a fingerprint) once he has loaded the page one time.

All these are tricks which are not good to implement, particularly in the context of a security-sensitive application.


(initial answer)

When you receive data from a website, you as a website owner lose all control over that data. It will be displayed the way the receiving client (usually a browser) sees fit.

This also means that the person receiving the data can modify it.

Now, one can imagine all sorts of ideas to make life difficult for the receiver willing to modify the data. Off the top of my head I can think of

  • sending images (screenshots of the application) instead of normal HTML
  • setting up the application to connect to your server via websockets and build it in such a way where it would break if there is inconsistency of displayed data
  • having the page refresh all the time

There will probably be other silly ideas like these, but one thing must be clear: these are silly ideas. You are trying to bend a functionality against nature.

For security reasons (...)

Probably one of the worst contexts for such unnatural bending is security. You will have problems if you do.

WoJ
  • No, it's not the user I'm trying to protect the website from, it's changes to the server - for example, if a mean person took control of the website and replaced all the encryption code with code that sent all passwords to him, how would I defend the user against that? – quadrupleslap Nov 22 '17 at 04:14