
I am trying to understand which files everybody can edit through the browser, to understand what the risks are of running some code on the client side.
For example, I saw this on one site (in Chrome):




The gray file is a read-only file and the yellow one can be edited.
My questions are:

1. What's the difference between the yellow and the gray? Why is the gray one read-only?
2. Is it still possible to edit the gray one in other ways? Maybe not through the browser? What are the options for editing files on the client side?
3. Which files can be edited and which cannot (js, css, html, aspx...)? What are all the options?
4. Is there a way to know if someone changed the html or js files and to look at the changes he made? Save logs of the changes or something like that?

MosheCh

1 Answer


Assuming we are talking about standard web usage and not security exploits, the user is able to edit and change anything you send to them, and the user can send whatever they like back to your server. Any code that runs on your server cannot be edited by your users, and any code that runs in the user's browser is trivial to edit by your users. There is no way to log when a user messes with the data that you send them. There is also no way (again, unless we're talking security exploits) for your users to change files on your server, as any edits they make will apply to their local copy only.

In practice this means that you cannot trust the result of any code that runs on the client side (js, html, css), so you should keep all of your security-sensitive logic in server-side code (aspx, etc.)

Here is a related question on why client-side validation is not enough for a secure web app: Why is client-side validation not enough?

Maximillian Laumeister
  • Thanks for the answer, but I still didn't understand why I couldn't edit the gray file if every code in the client can be edited as you said – MosheCh Aug 27 '16 at 15:34
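
The answer's advice to keep security-sensitive logic on the server, shown as an added example (not code from the question or the answer): a server-side order handler that recomputes the total from prices it holds itself and records when the submitted values disagree. The catalogue, `processOrder`, `MAX_QTY` and the field names are hypothetical.

```javascript
// Server-side (Node.js) order handling. Everything in `body` came from the
// browser and may have been edited in DevTools or sent by hand.

// Constructed sample catalogue: the authoritative prices live on the server.
const CATALOG = new Map([
  ["sku-100", { name: "Keyboard", priceCents: 4500 }],
  ["sku-200", { name: "Mouse", priceCents: 1999 }],
]);
const MAX_QTY = 20; // assumed business rule for this example

function processOrder(body, log = []) {
  if (body === null || typeof body !== "object" || !Array.isArray(body.items)) {
    return { ok: false, error: "malformed order", log };
  }
  let totalCents = 0;
  for (const item of body.items) {
    const product = item && typeof item.sku === "string" ? CATALOG.get(item.sku) : undefined;
    if (!product) return { ok: false, error: "unknown sku", log };
    // Re-validate quantity here even if the page's own script already did.
    if (!Number.isInteger(item.qty) || item.qty < 1 || item.qty > MAX_QTY) {
      return { ok: false, error: "invalid quantity", log };
    }
    // A client-sent price is never used; a disagreement is only recorded.
    // The server sees what was submitted, not what was edited in the browser.
    if (item.priceCents !== undefined && item.priceCents !== product.priceCents) {
      log.push(`price mismatch for ${item.sku}: client sent ${JSON.stringify(item.priceCents)}`);
    }
    totalCents += product.priceCents * item.qty;
  }
  if (body.totalCents !== undefined && body.totalCents !== totalCents) {
    log.push(`total mismatch: client sent ${JSON.stringify(body.totalCents)}, server computed ${totalCents}`);
  }
  return { ok: true, totalCents, log };
}

// Constructed requests: one untouched, one with the price edited client-side.
const honest = { items: [{ sku: "sku-100", qty: 2, priceCents: 4500 }], totalCents: 9000 };
const tampered = { items: [{ sku: "sku-100", qty: 2, priceCents: 1 }], totalCents: 2 };
console.log(processOrder(honest));
console.log(processOrder(tampered));
```

Both requests are charged the same server-computed total; the tampered one additionally leaves two entries in the server's own log.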