views: 806

answers: 6

I was working with an online game website. There are some events which call a JavaScript function, and the function has some action with a callback.

something like this,

 <input type="button" onclick="changeSomething()"/>


 function changeSomething() {
     // some callback, which changes something
 }

Now anybody who knows this can call changeSomething from the address bar of the browser, which I do not want.

Very unlikely that somebody will do it, but I want to allow it.

Is there any way to prevent a situation like this?

Thanks.

P.S. I tried, but I'm still not sure whether I explained it well enough. Please let me know if you are not getting something.

A: 

You can check the source of the click by passing an ID:

<input id="good" type="button" onclick="changeSomething(this.id)"/>

 function changeSomething(myId) {
     // only proceed when the id of the clicked element is the expected one
     if (myId != 'good') {
         return;
     }

     //......code
 }

Revised to:

<input id="good" type="button" onclick="changeSomething(this)"/>

 function changeSomething(el) {
     // el is the element that was clicked; check its id instead of a string
     if (el.id != 'good') {
         return;
     }

     //......code
 }
Diodeus
javascript:changeSomething('good') has the same problem
Crescent Fresh
I'm sorry but this doesn't help. It is just as easily spoofable as not passing the id.
Jack Ryan
Then pass "this" instead.
Diodeus
@Diodeus then you can call it as: changeSomething(document.getElementById('good'))
Pim Jager
Fail. javascript:changeSomething({id:'good'})
Crescent Fresh
Clever, crescentfresh. :)
Diodeus
+3  A: 

I don't think that there is anything you can do about this. The client can run whatever they want within their own browser. The only thing to do is validate everything on the server side. This is an important concept in all web programming. Client-side code can be freely modified and should be treated as an additional check to speed things up rather than a security method.

Jack Ryan
+5  A: 

You will never be able to get 100% protected from any technique you try. It's a losing game.

Having said that, one way to get closer to your goal is to remove the onclick attribute altogether, and bind your click handler (i.e. "changeSomething") via JavaScript:

html:

<input id="foo" type="button" />

js:

// addEvent is the sample library helper mentioned below; the handler is
// anonymous, so there is no function name to call from the address bar.
addEvent(document.getElementById("foo"), 'click', function() {
    // some callback, which changes something
});

The callback becomes anonymous then (i.e. there is no "changeSomething" function anymore). These evil users can't call it directly if they don't know its name!

There are still ways around this technique too, but we won't mention those lest we give the evil doers ideas :)

(BTW, addEvent is just a sample library function for adding event handlers. I'm sure you have access to one. If not, here you go.)

Crescent Fresh
To educate the questioner about the workarounds: you can add JavaScript functions to a page (in Firefox the JavaScript shell bookmarklet does this), and you could always just make your own function with the same code as the event handler above. Also, you could query the element to find its handlers.
Mr. Shiny and New
I think this makes it more obscure and much better.
Biswanath
I'd also put the call to addEvent in a separate .js file, not in the .html file. Even without security concerns, my goal is zero JavaScript in the page itself.
Stephen P
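The comments on the first answer (passing `{id:'good'}`) and on this one (making your own function, or reaching the element and its handlers) describe how both client-side guards fall over. The following is an added example, not code from the thread or any of its posters, that plays those bypasses out in plain script: it runs under Node.js 15 or later, where `EventTarget` and `Event` are globals, and the "elements" are constructed stand-ins for the `<input>` buttons in the question rather than a real DOM.

```javascript
// Added example (not from the original thread). Models the two client-side
// "protections" proposed in the answers and shows each being bypassed from
// script the user controls, as the comments describe. Needs Node.js >= 15
// (EventTarget/Event are globals there); no DOM is used, the "elements" are
// constructed stand-ins for the <input> buttons in the question.

// --- Protection 1: the id check from the first answer ----------------------
let protectedChanges = 0;

function changeSomething(el) {
  // Same guard as the "Revised to" version: trust the caller if el.id is 'good'.
  if (!el || el.id !== 'good') {
    return false;
  }
  protectedChanges += 1; // stands in for "//......code"
  return true;
}

// Stand-in for <input id="good" ...>: an EventTarget with an id property.
const goodButton = Object.assign(new EventTarget(), { id: 'good' });

// Any object whose id is 'good' passes the guard; the function cannot tell a
// real click on the real element from javascript:changeSomething({id:'good'}).
function spoofIdCheck() {
  const before = protectedChanges;
  const viaRealElement = changeSomething(goodButton);      // the intended path
  const viaPlainObject = changeSomething({ id: 'good' });  // the comment's spoof
  return { viaRealElement, viaPlainObject, calls: protectedChanges - before };
}

// --- Protection 2: the anonymous listener from the +5 answer ---------------
let anonymousChanges = 0;

function buildFooButton() {
  // Stand-in for <input id="foo" type="button"/> with the handler bound from
  // script; the callback has no name a user could type in the address bar.
  const foo = Object.assign(new EventTarget(), { id: 'foo' });
  foo.addEventListener('click', function () {
    anonymousChanges += 1; // "some callback, which changes something"
  });
  return foo;
}

// The listener never needs to be named: whoever can reach the element can
// dispatch the event it listens for (in a browser, element.click() does this).
function triggerAnonymousHandler() {
  const before = anonymousChanges;
  const foo = buildFooButton();
  foo.dispatchEvent(new Event('click'));
  foo.dispatchEvent(new Event('click'));
  return anonymousChanges - before; // 2: both synthetic clicks ran the handler
}
```

Both guards only change what the attacker has to type, not whether the change happens; neither identifies who is asking or whether they are allowed to, which is why the other answers push the check to the server.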
A: 

Any "solution" will be as efficient as disabling right-click in a Web page... For the latter problem, I found at least a dozen workarounds, including viewing the page in Opera!

If you disable this, one will workaround with Firebug, Greasemonkey, or even some proxy modifying HTML on the fly, not to mention using a local copy of the page, etc.

PhiLho
+1  A: 

You have to handle this on whatever back-end you've got accepting the request. Assuming you only give the user the option to doSomething() upon certain conditions, you probably have this information in the database (or whatever).

Don't worry about the JavaScript being called (no way around it), and do the same check you did on the front-end on the back-end. This way you can simply forget about securing your front-end, since you can't anyway... yet you still prevent malicious users from doSomethinging when they aren't supposed to.

Let me know if you need further clarification of what I mean, but I'll need more details about what your app architecture is like.

thenduks
Yeah, I added checks on both client and server side. Thanks.
Biswanath
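This answer and the +3 one above make the same point: re-run the eligibility check on the back end and treat the front-end check as a convenience. The block below is an added example, not code from the thread or from the questioner's game, of what that server-side handler looks like in plain Node.js (no web framework): the event and cooldown rules, the in-memory store standing in for the database, and the user names are all constructed for the example.

```javascript
// Added example (not from the original thread). The server-side handler for
// the "change something" action re-derives the user's eligibility from
// server-held state and ignores anything the client says about it. Plain
// Node.js, no framework; the store, event rule and users are constructed.

// Server-side state. In a real game this is the database the answer refers to.
function makeStore() {
  return {
    event: { id: 'spring-bonus', active: true, reward: 50 },
    users: new Map([
      ['alice', { coins: 0, claimed: new Set() }],
      ['mallory', { coins: 0, claimed: new Set(['spring-bonus']) }], // already claimed
    ]),
  };
}

// Eligibility rule, evaluated ONLY from server data. This is the same check
// the front end uses to decide whether to show the button, repeated here.
function isEligible(store, userId, eventId) {
  const user = store.users.get(userId);
  const event = store.event;
  return Boolean(
    user && event && event.id === eventId && event.active && !user.claimed.has(eventId)
  );
}

// Request handler. `sessionUserId` comes from the authenticated session,
// never from the request body; `body` is whatever the client chose to send
// (a real click, a call from the address bar, or a hand-crafted request).
function handleChangeSomething(store, sessionUserId, body) {
  if (!sessionUserId) {
    return { status: 401, error: 'not logged in' };
  }
  const eventId = typeof body.eventId === 'string' ? body.eventId : null;
  if (!eventId) {
    return { status: 400, error: 'eventId required' };
  }
  // Whatever the client asserts about its own eligibility (body.eligible,
  // a spoofed element id, ...) is never consulted.
  if (!isEligible(store, sessionUserId, eventId)) {
    return { status: 403, error: 'not eligible' };
  }
  const user = store.users.get(sessionUserId);
  // Record the claim before granting it so a repeated request cannot double-claim.
  user.claimed.add(eventId);
  user.coins += store.event.reward;
  return { status: 200, coins: user.coins };
}

// Drives the handler the way a browser, or a user typing into the address bar,
// would, and returns the outcomes so each request's fate is visible.
function runScenario() {
  const store = makeStore();
  const first = handleChangeSomething(store, 'alice', { eventId: 'spring-bonus' });
  const replay = handleChangeSomething(store, 'alice', { eventId: 'spring-bonus' });
  // Client-side guard "bypassed": the body claims eligibility; the server ignores it.
  const tampered = handleChangeSomething(store, 'mallory', { eventId: 'spring-bonus', eligible: true });
  const anonymous = handleChangeSomething(store, null, { eventId: 'spring-bonus' });
  return { first, replay, tampered, anonymous, aliceCoins: store.users.get('alice').coins };
}
```

With a real database, the "record then grant" step should be a single conditional update or transaction (insert the claim row with a uniqueness constraint, then credit the reward) so that two requests arriving at once cannot both pass the eligibility check before either has written.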
A: 

I am also searching for the solution. Till now, no luck.

abhishek