0

I am using the drag&drop function from HTML5 with sockets. If one drags an object into an area, another user will see this object appearing on his site. If user one removes the object by dragging it back into the area it came from, it disappears for user two.

I remove the element for user two by sending the objects div id via sockets and removing it with .remove().

However, if user one changes the div ID in chrome developer tools, the object wont disappear for user two because the div id is invalid.

Is there a way to prevent this issue?

Thank you

Dawg
  • 69
  • 9
  • 2
    No. You cannot protect your client-side code from the user of the browser. You can't even be sure that the code will even be running in anything like a browser. You have to validate access rights etc. on the server, so that user one can only affect the appropriate objects. – Pointy Sep 10 '15 at 13:58
  • Anyone can destroy your site for themselves completely using the console, personally I don't think this is an issue worth trying to fix. Any precaution you take can be nullified from the console. – Etheryte Sep 10 '15 at 13:58
  • @Nit there is variables that you cannot access from the console – Hacketo Sep 10 '15 at 14:01
  • @Dawg css animation sometimes make hard to change value from the DOM explorer – Hacketo Sep 10 '15 at 14:11
  • @Hacketo That's not true. You can simply attach the debugger on page load and edit any variable you fancy when the code is executing. – Etheryte Sep 10 '15 at 14:12
  • @Nit you said console. A script cannot change all values, debugger yes sure – Hacketo Sep 10 '15 at 14:12
  • @Hacketo A script can just as well override all values with identical code if you want, that's hardly an issue by itself. – Etheryte Sep 10 '15 at 14:21
  • 2
    Okay I guess there's nothing to prevent it then. But to make it slightly harder i created an array with every object id (unique), if one drops an item i check its id against the array, if it isnt in there nothing happens. I guess they can just push the id to the array via console, but yeah. – Dawg Sep 10 '15 at 14:23
  • @Nit well I wrap my app in a closure, so you would have to rewrite the entire app to change some values, and you cannot change function that are already running in a closure by themself, like timeout/interval – Hacketo Sep 10 '15 at 14:25
  • @Hacketo But that demonstrates the point exactly, that you can if you want to. I would've expected more imagination from your username. Which way is easier depends a lot on the context and a thousand other things, but the central idea is the same, client-side code is never safe from modifications. Also, regarding timeouts, see http://stackoverflow.com/a/16718225/1470607 – Etheryte Sep 10 '15 at 14:31
  • @Nit I never said that the client code can be safe from modification :) You just can make a little bit harder to change some values. was talking about the console, not debugger . – Hacketo Sep 10 '15 at 14:35
  • @Hacketo You did claim that you cannot make modifications via the console, but that's not true, as you showed yourself above. The question is simply a trade-off of time spent and complexity. – Etheryte Sep 10 '15 at 14:38
  • @Nit I just said that a variable contained in a closure cannot be changed from the simple console tool, but well nvm.. – Hacketo Sep 10 '15 at 14:45
  • @Hacketo But it can, the question is simply a matter of effort. – Etheryte Sep 10 '15 at 15:45

0 Answers0