3

As Douglas Crockford says, we can have private properties using closures in JavaScript, and they are very handy for handling secure data.

Now I understand the concept of encapsulation, as it helps us to manage and structure the code. Even private variables are useful for performance, e.g. you can cache DOM elements, properties and global variables for iterative access.

So the question is: how exactly do closures or private variables help us in handling sensitive data?

Gurpreet Singh
  • 3
    I guess private variables are used to protect yourself and other programmers from making changes inadvertently. Doesn't have much to do with security, at least when it comes to javascript IMHO. – Pramod Oct 27 '12 at 16:31
  • Do you have a specific issue you need to address? – Christophe Oct 27 '12 at 16:32
  • 1
    Securing the data against what/whom? – Bergi Oct 27 '12 at 16:32
  • @Bergi: Against end users who like to play with Firebug perhaps? :-) – Platinum Azure Oct 27 '12 at 16:34
  • This is a general question, I agree with Pramod. – Gurpreet Singh Oct 27 '12 at 16:35
  • possible duplicate of [Securing javascript game timing](http://stackoverflow.com/questions/12861419/securing-javascript-game-timing) (see also [followup question](http://stackoverflow.com/questions/12864537/javascript-security-concern)) or [is storing sensitive data in a self invoking function more secure than cookies?](http://stackoverflow.com/q/11768832/1048572) – Bergi Oct 27 '12 at 16:37
  • @PlatinumAzure: That was a joke, right? – Bergi Oct 27 '12 at 16:39
  • Of course. My point was more of a "preventing end users from messing with the page functionality" sort of thing, not real security. – Platinum Azure Oct 27 '12 at 17:30

1 Answer

3

You can secure the data of a certain component of your code against the rest of the code. Or maybe any third party scripts you might have included in your page. So you can protect any sensitive intermediate data from being exploited through XSS attacks.

Any data that is present in the DOM (say in input elements) is accessible to any script in the page. However, a variable in JavaScript can be enclosed in a closure scope, making it virtually inaccessible to any other script.


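```javascript
var x = {};  // the semicolon matters: without it the next "(" is parsed as a call on {}
(function(){
    var a;  // private to this closure

    x.fn = function(arg){
        a = arg;  // Can access and modify a;
    };

})();

function fn2(){
    a = 12; // This does not change the a above; it assigns to a separate global a
}
```
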
lorefnon
  • Once you include any third-party scripts, they could hijack so many global objects that nothing is really safe any more. – Bergi Oct 27 '12 at 17:42
  • Well then, don't add third-party scripts right in the beginning. In the first script you run, store a reference to the global variables you are going to use, of course inside a closure, and then let third party scripts play around. – lorefnon Oct 27 '12 at 19:52
  • Understood, this is a very ugly and error-prone solution. But theoretically it is feasible. – lorefnon Oct 27 '12 at 19:52
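
The pattern discussed in the answer and its comments (a closure-private variable plus references to globals captured before other scripts run), as an added example that is not part of the original posts. The names `createRecorder`, `withReplacedGlobals` and `demo` are hypothetical, and the "later script" is a constructed stand-in that swaps `Date.now` and `Array.prototype.push`.

```javascript
// Must run before any other script so the captured references are the originals.
const createRecorder = (function () {
  const now = Date.now;               // captured global function
  const push = Array.prototype.push;  // captured prototype method
  const apply = Reflect.apply;        // avoids a later lookup of Function.prototype.call

  return function createRecorder() {
    const events = [];  // private: no property of the returned object exposes it
    return Object.freeze({
      // Uses only captured references, so later replacement of the globals has no effect.
      record(label) {
        apply(push, events, [{ label, at: now() }]);
        return events.length;
      },
      // Looks both functions up at call time, so it uses whatever is installed then.
      recordNaive(label) {
        events.push({ label, at: Date.now() });
        return events.length;
      },
      // Returns a copy so callers never hold the private objects.
      last() {
        const e = events[events.length - 1];
        return e ? { label: e.label, at: e.at } : undefined;
      }
    });
  };
})();

// Constructed stand-in for a script loaded later that replaces globals.
function withReplacedGlobals(fn) {
  const realNow = Date.now, realPush = Array.prototype.push;
  Date.now = function () { return 0; };
  Array.prototype.push = function () { return this.length; };  // drops the item
  try { return fn(); }
  finally { Date.now = realNow; Array.prototype.push = realPush; }
}

function demo() {
  const rec = createRecorder();
  return withReplacedGlobals(function () {
    const guardedCount = rec.record('guarded');   // appended via captured push
    const guardedAt = rec.last().at;              // real timestamp from captured now
    const naiveCount = rec.recordNaive('naive');  // replaced push dropped the item
    return { guardedCount, guardedAt, naiveCount, lastLabel: rec.last().label };
  });
}

console.log(demo());
```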