
I have written many JavaScript functions for my website and recently I found out that those functions can be called simply by writing javascript:FunctionName(); in the URL bar. Calling functions like this can make my website vulnerable, so are there any ways to prevent this? Any way to stop the use of JavaScript in the address bar?

Any subtle ways can also be helpful, like a way to detect where the call to the function was made from: if it was not from the address bar then the function should run, otherwise it won't run?

I tried using JavaScript in the address bar on Facebook but it didn't work. So there must be a way to stop this.

  • Facebook's functions are probably written inside closures and inaccessible. But it's not like people can't access your code regardless. If you're vulnerable because of JavaScript you have an absolutely awful security architecture. Commented Nov 13, 2013 at 6:55
  • JavaScript can always be modified on the client side; you can't stop it. Make sure you have validation at the back end. Commented Nov 13, 2013 at 6:55
  • You can't stop anything people can do on the client side. The client side belongs to them, not you. If you think it's insecure, improve your server side. Commented Nov 13, 2013 at 6:57
  • You know about the built-in development tools that every browser has, right? With the JavaScript debugging consoles? Commented Nov 13, 2013 at 6:58
  • You can pack your JavaScript code so that it's not easily readable. But again, it's client side; users can modify it. Commented Nov 13, 2013 at 7:17

1 Answer

I agree with the other commenters that detecting "where the call to the function was made and if it was not from the address bar then the function should run" is a bad way to approach client-side security, insofar as there is such a thing.

That said, function scope, closures, and how this relates to the URL bar is an interesting topic. Here's some more context on global variables and scope. The short version is that if you have a function like this:

// Top-level declaration in a classic <script>: this becomes window.test
function test (argument) {
    alert('hey');
}

It will be executable via the URL bar because it's in the window/global scope, which seems to be as far as JavaScript URIs will go. Whereas if you put that same function in a closure:

(function() {
    // test is now local to this immediately-invoked function;
    // window.test stays undefined
    function test (argument) {
        alert('hey');
    }
})();

...it should be inaccessible as far as executing the function in the URL bar goes.

I would be curious to learn the history of why browser vendors implemented JavaScript-via-the-URL... it now has practical usage with bookmarklets and the like, but it doesn't seem to be well-documented.

1 Comment

"I would be curious to learn the history of why browser vendors implemented Javascript-via-the-URL" ... Before onclick attributes and then proper event handling, there was <a href="javascript:...">...</a>. It flowed naturally that if clicking that type of link in a page worked, then clicking that type of link in the bookmarks should also work. And what can be bookmarked can be also entered into the URL bar.
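As an added example (not code from the question or the answer above), the following models the point the answer and the commenters make: a `javascript:` URL, like the DevTools console, evaluates in the page's global scope, so it can only call functions by name that are properties of the global object. The "server" here is a constructed in-memory stand-in, and the function names (`transferFunds`, `serverTransfer`, `urlBarCall`) are assumptions chosen for illustration. In a classic browser `<script>` a top-level `function transferFunds() {}` becomes `window.transferFunds`; since this runs under Node, that effect is simulated by assigning to `globalThis` explicitly.

```javascript
// Constructed in-memory "server" state; stands in for a real back end.
const serverState = { balance: 100, sessionUser: 'alice' };

// The server authorizes every request itself, regardless of which client-side
// function (or URL-bar call) produced it. This is the control that actually
// matters; the scope tricks below only change what is *convenient* to reach.
function serverTransfer(session, amount) {
  if (session !== serverState.sessionUser) {
    return { ok: false, reason: 'unauthorized' };
  }
  if (!Number.isInteger(amount) || amount <= 0 || amount > serverState.balance) {
    return { ok: false, reason: 'invalid amount' };
  }
  serverState.balance -= amount;
  return { ok: true, balance: serverState.balance };
}

// Style 1: the question's situation. A top-level function in a classic script
// lands on the global object, so javascript:transferFunds(50) resolves it.
function installGlobalStyle() {
  globalThis.transferFunds = function (amount) {
    return serverTransfer('alice', amount);
  };
}

// Style 2: the answer's suggestion. The same function inside an IIFE is a
// local of that invocation and never becomes a global property. Only what the
// IIFE returns is reachable, here a handler the page's own form wiring calls.
function installClosureStyle() {
  return (function () {
    function transferFunds(amount) {
      return serverTransfer('alice', amount);
    }
    return { onSubmit: (amount) => transferFunds(amount) };
  })();
}

// Simulates typing `javascript:name(arg)` into the URL bar: look `name` up in
// the global scope and call it if it is a function there.
function urlBarCall(name, arg) {
  const fn = globalThis[name];
  if (typeof fn !== 'function') {
    return { reached: false };
  }
  return { reached: true, result: fn(arg) };
}
```

The closure only removes the global name; anyone with DevTools can still set a breakpoint inside the IIFE, edit the script, or send the same HTTP request by hand. That is why `serverTransfer` re-checks the session and the amount on its own, which is the "validation at the back end" the commenters ask for.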
