安全/保护 JavaScript 中的代码

发布于 2024-08-31 12:50:41 字数 232 浏览 5 评论 0原文

随着最近有关 JavaScript 和 HTML5 取代 Flash 的大肆宣传,我想知道 - 如何才能保护客户端 js 代码?当然,可以对其进行混淆,但这只会让事情变得更加困难。另外,对于向服务器提交高分的游戏,在发送到服务器之前修改这些分数不是非常容易吗?我知道即使 Flash 文件也可以反编译,但它们可以被混淆,并且 Flash 反编译并不像修改 JS 中的数据那么容易 - 可以使用 Firebug 等插件轻松完成。我想知道大家对此的看法。

With all the recent hype about JavaScript and HTML5 replacing Flash, I wanted to know - How would it be possible to protect client-side js code? Of course, it is possible to obfuscate it, but that would only make it a little harder. Also, for games which submit high scores to the server, wouldn't it be incredibly easy to modify those scores before they are sent to the server? I know even Flash files can be decompiled, but they can be obfuscated and flash decompilation is not as easy as modifying data in JS - could be done easily using a plugin such as Firebug. I'd like to know everyone's views on this.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

魄砕の薆 2024-09-07 12:50:41

在客户端解析的 JavaScript 永远不是 100% 安全的。 总是有办法找出它的作用。几天前,我什至看到了一个可以解压打包的 javascript 的工具,所以你唯一能做的就是使用“丑陋”的变量名称(或者实际上,让 javascript 打包器将你的“好”变量名称转换为短/丑陋/ 为了保护游戏结果

,你必须将一些游戏逻辑移至服务器,这样客户端就无法发送任意结果。

总结一下:不要将秘密放入 javascript 代码中,也不信任来自客户端的任何内容 - 无论它是来自表单还是通过 javascript 生成/提交。

Javascript, being parsed on the client, is never 100% safe. There will always be ways to find out what it does. A few days ago I've even seen a tool which unpacks packed javascript so the only thing you can really do is using "ugly" variable names (or actually, make a javascript packer transform your "good" variable names into short/ugly/nonsense ones)

To protect game results, you have to move some of the game logic to the server so the client cannot send arbitrary results.

Summarizing it: Don't put secrets in javascript code and don't trust anything coming from the client - no matter if it's from a form or generated/submitted via javascript.

韵柒 2024-09-07 12:50:41

你说对于向服务器发送高分的游戏来说,修改javascript和伪造请求太容易了?

除特殊情况外,当您在客户端上使用某种加密技术时,伪造此类请求的最简单方法是甚至不分析脚本而是发送虚假请求本身。您在服务器和浏览器之间发送的所有内容都可以在计算机上轻松查看、分析和更改。

You say that for game that sends high scores to the server it would be too easy to modify javascript and forge request?

Except for case, when you use some cryptography on the client, it is the easiest way to forge such request not even analysing the script but sending false request itself. Everything you send between server and browser can be easily viewed on computer, analysed and changed.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文