views: 100

answers: 8

I have a webservice that I need called, the result of which determines whether or not the user is allowed to submit the form.

Since this call is from javascript and not from code behind is it not reliable? Is there any way the user can get around the check -- by either going in with firebug and enabling the submit button, somehow making the method give a different result than was actually returned by the webservice, any other ways of being able to get around it?

Basically, is there any way to call a webservice from javascript and have its result determine whether or not a form can be submitted, and actually prevent the user from submitting the form at all? -- whether or not they have firebug, etc...

A: 

Javascript isn't reliable for preventing anything. It shouldn't be seen as a security wall, as it's too easily disassembled with things like firebug, iedevelopertoolbar, and many other browser toys.

Even if you could prevent them from submitting your form on your page, nothing stops them from creating a brand new form, on their own page, and pointing it toward the action of your form. Thus they're removing themselves from your "secure" environment, and instead choosing to play in their own.

Jonathan Sampson
A: 

Your suspicion is correct; the user can easily get around any possible Javascript validation.

You will need to use server-side code.

SLaks
+10  A: 

No, not possible.

Just to name a few possible reasons:

  • what if javascript is disabled?
  • what if the user submits the raw POST (using libcurl, for example)?
  • what if the browser that the user is using interprets javascript in a way different from your expectations (think portable devices)?

Javascript validation is there for your users' convenience only and should never ever be used as a means of providing security.

shylent
A: 

No, it is not reliable. Try disabling Javascript in your browser to see for yourself how easily you can get around it.

Matchu
+1  A: 

You can never prevent the user from making an HTTP request that mimics submission of the form. While disabling the form via Javascript prevents submission for 95% of the users who both have Javascript enabled and don't want to circumvent your access control, anyone who understands HTTP can make the call and you are correct in showing that anyone with Firebug can do it in a matter of seconds.

Michael Greene
A: 

The user could simply disable javascript in their browser, or use something like NoScript. The best you could do is to try setting the form action itself in the return from the Ajax request, that way the form, as loaded, won't submit (except to itself). This will probably stop casual users but would be no impediment to a slightly more determined (or just bored and tech savvy) user. You will need to check on the server side whatever you do.

robertc
A: 

In general, no. You can make the form hard to submit without going through Javascript. Make the submit button not an actual submit button (<input type="submit">), but a pushbutton (<input type="button">) that submits the form in its onClick handler.

Rafał Dowgird
A: 

As everyone else said, no you can't do it. The only real solution is to have the web service return some dynamic value which the Javascript inserts in a hidden form input. Then whatever server-side code processes the form submission should reject the request if that value is not present.

Dan