
I was implementing Olark live chat on my website, and all I had to do was implement the following JS code.

  <script type="text/javascript" async>
      ;(function(o,l,a,r,k,y){if(o.olark)return;
      r="script";y=l.createElement(r);r=l.getElementsByTagName(r)[0];
      y.async=1;y.src="//"+a;r.parentNode.insertBefore(y,r);
      y=o.olark=function(){k.s.push(arguments);k.t.push(+new Date)};
      y.extend=function(i,j){y("extend",i,j)};
      y.identify=function(i){y("identify",k.i=i)};
      y.configure=function(i,j){y("configure",i,j);k.c[i]=j};
      k=y._={s:[],t:[+new Date],c:{},l:a};
      })(window,document,"static.olark.com/jsclient/loader.js");

      /* Add configuration calls below this comment */
      olark.identify('XXXX-XXX-XX-XXXX');
  </script>

I am wondering what technique third-party JavaScript plugins like Olark, Disqus and similar companies use?

As you can see, olark.identify() is publicly available on my web page, and you can find it with "inspect element". So how do they handle security and bounce unwanted requests?

  olark.identify('XXXX-XXX-XX-XXXX');
Sven

1 Answer


It's a fairly broad question, but I'll make an attempt to answer:

Lots of these tools don't really block unwanted requests. For example, it's possible to embed a Disqus comment block on a completely unrelated website.

I don't think this is the worst thing, because: what's the issue with comments showing up somewhere else? It was already public information to begin with.

Scripts that need to prevent exactly which domain they are embedded in tend to use CORS and the Origin header to make sure of this. Alternatively, they can use the information from document.location.

This is not 'hard' security in the sense that it completely disables misuse, but it uses the browser sandbox to make it a lot harder to abuse.

Evert
  • Thank you for the answer, Evert! Can you suggest me some content to read? I still don't understand how Olark can use just a JS client? Is that secure? Can you point me in the right way? Thanks – Sven Dec 05 '18 at 21:12
  • I think it's hard to answer because it depends on your definition of secure. Everyone can see your 'code', but what do you think the harm is they can do? – Evert Dec 05 '18 at 21:14
  • Let's say that I am making a JS widget that communicates with my API and counts every request that was made by that widget. If someone stole that code from the widget website, implemented it on their website and started making the same requests, my count would be wrong and not secure. What is best practice for this kind of stuff? @Evert – Sven Dec 05 '18 at 21:28
  • If the JS widget uses CORS, it will always include an Origin header which contains the domain name where it was embedded, but people can still proxy your API and circumvent it. There is no perfect way to prevent this, and it's better to simply not try to prevent it. – Evert Dec 05 '18 at 21:44
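The Origin-header check that the answer and the last comment describe, written out as an added example (this is not Olark's, Disqus's or the answerer's code). It assumes a widget API where each public site key, like the id passed to olark.identify() in the question, is registered on the server together with the origins allowed to embed it; the site key, the origins and the request headers below are constructed sample data. The server echoes back only a registered origin in Access-Control-Allow-Origin, and the per-site request counter from the comment thread is keyed by the server-validated (site key, origin) pair rather than by the key alone. A non-browser client that proxies the API can still send any Origin value it likes, which is exactly the limitation the comment points out; the check only constrains scripts running inside a real browser.

```javascript
// Added example: server-side Origin allowlisting for an embeddable JS widget API.
// Assumption: site keys and their embedding origins are registered server-side.
// Constructed registry; 'XXXX-XXX-XX-XXXX' mirrors the placeholder id in the question.
const SITE_KEYS = {
  'XXXX-XXX-XX-XXXX': ['https://example.com', 'https://www.example.com'],
};

// Normalise an Origin header value to scheme://host[:port], or return null when
// it is absent, the literal string "null" (opaque origin), or not http(s).
function normalizeOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  try {
    const u = new URL(value);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin; // lower-cases the host and drops default ports
  } catch {
    return null;
  }
}

// Decide whether a widget request may proceed and which CORS headers to send.
// requestHeaders uses Node's lower-cased header names (req.headers).
function authorizeWidgetRequest(siteKey, requestHeaders) {
  const allowedOrigins = SITE_KEYS[siteKey];
  if (!allowedOrigins) {
    return { allowed: false, reason: 'unknown site key', headers: {} };
  }
  const origin = normalizeOrigin(requestHeaders.origin);
  if (!origin) {
    return { allowed: false, reason: 'missing or invalid Origin header', headers: {} };
  }
  if (!allowedOrigins.includes(origin)) {
    return { allowed: false, reason: `origin ${origin} is not registered for this key`, headers: {} };
  }
  return {
    allowed: true,
    reason: 'ok',
    headers: {
      // Echo only the validated origin back; never use "*" for a keyed API.
      'Access-Control-Allow-Origin': origin,
      'Vary': 'Origin',
    },
  };
}

// Per-site counters keyed by the validated (siteKey, origin) pair, so a copy of
// the widget embedded on an unregistered site never increments the real site's count.
const counts = new Map();
function countRequest(siteKey, requestHeaders) {
  const decision = authorizeWidgetRequest(siteKey, requestHeaders);
  if (decision.allowed) {
    const k = `${siteKey}|${decision.headers['Access-Control-Allow-Origin']}`;
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return decision;
}
function getCount(siteKey, origin) {
  return counts.get(`${siteKey}|${origin}`) || 0;
}

// Minimal Node http handler wiring the check to a /widget/<siteKey> route.
// Start it with: require('http').createServer(handleRequest).listen(8080)
function handleRequest(req, res) {
  const match = /^\/widget\/([A-Za-z0-9-]+)$/.exec(req.url || '');
  if (!match) { res.writeHead(404); res.end(); return; }
  const decision = countRequest(match[1], req.headers);
  if (!decision.allowed) {
    res.writeHead(403, { 'Content-Type': 'text/plain' });
    res.end(decision.reason);
    return;
  }
  if (req.method === 'OPTIONS') { // CORS preflight
    res.writeHead(204, { ...decision.headers, 'Access-Control-Allow-Methods': 'GET' });
    res.end();
    return;
  }
  res.writeHead(200, { ...decision.headers, 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ siteKey: match[1], origin: decision.headers['Access-Control-Allow-Origin'] }));
}

module.exports = { normalizeOrigin, authorizeWidgetRequest, countRequest, getCount, handleRequest };
```

Note that the decision happens entirely on the server: the widget's client-side code, including the site key, is still readable by anyone, as the question observes, and a `document.location` check in the widget itself can be stripped by whoever copies the script. What the Origin check buys is that a browser on an unregistered site will not get a usable CORS response, which is the "browser sandbox" the answer refers to.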