According to this reference: https://developer.mozilla.org/en-US/docs/DOM/window.locationthese are properties. Thus you can "set them to navigate to another URL" - however, that would result in a redirection.

根据此参考：https: //developer.mozilla.org/en-US/docs/DOM/window.location这些是属性。因此，您可以“将它们设置为导航到另一个 URL”——但是，这会导致重定向。

Contrary to what others tell you, it is quite simple:

与其他人告诉您的相反，这很简单：

window.__defineGetter__("location", function(){
    return {
        hostname: 'malicious site'
    };
});

alert(window.location.hostname); // will alert 'malicious site'

window.__defineGetter__("location", function(){
    return {
        hostname: 'malicious site'
    };
});

alert(window.location.hostname); // will alert 'malicious site'

As a thumb rule: every validation you do in JavaScript can be circumvented.

作为一个经验法则：你在 JavaScript 中所做的每一个验证都可以被规避。

EDIT:

编辑：

The above will fail in decent browsers, because of security reasons, but not all browsers consider security an important aspect.

由于安全原因，上述在体面的浏览器中会失败，但并非所有浏览器都将安全视为重要方面。

Execute the following code in old IE (I did this with IE10 compatibility mode, I'm not sure which IE it tries to mimick):

在旧 IE 中执行以下代码（我使用 IE10 兼容模式执行此操作，我不确定它尝试模仿哪个 IE）：

var window = {
    location: {
        hostname: 'malicious site'
    }
};

alert(window.location.hostname);

It will result in malicious site.

它会导致malicious site.

I'm not sure in how many other browsers you can override windowin the given context but it's certainly alarming.

我不确定在window给定的上下文中您可以覆盖多少其他浏览器，但这确实令人担忧。

EDIT2:

编辑2：

You comment to an other answer:

您对另一个答案发表评论：

I want be sure that if someone paste my JS code on site then code didn't execute if he is not on 'the list'.

我想确保如果有人在网站上粘贴我的 JS 代码，那么如果他不在“列表”中，代码​​就不会执行。

You got this all wrong. Nothing prevents the user that pastes yourcode, from also modifying 'the list'! Or anything else in the JavaScript for that matter!

你这一切都错了。没有什么可以阻止粘贴您的代码的用户也修改“列表”！或者 JavaScript 中的任何其他内容！

Your original code is this for example:

例如，您的原始代码是这样的：

function isInList(hostname) {
    for (var i = 0; i < siteList.length; i++) {
      if (siteList[i] === hostname) {
        return true;
      }
    }
    return false;
}

if (isInList(window.location.hostname)) {
    // execute code
} else {
    // do not execute 
}

The user copying it can modify it to:

复制它的用户可以将其修改为：

function isInList(hostname) {
    return true;
}

if (isInList(window.location.hostname)) {
    // execute code
} else {
    // do not execute 
}

Or

或者

if (true) {
    // execute code
} else {
    // do not execute 
}

If the site is his, he has complete control over the javascript executed.

如果该站点是他的，则他可以完全控制所执行的 javascript。

It's a property, not a method. I am able to change its value from the Firefox console, and it tries to load the page from a different host (http://fake.host/questions/16462082/...)

它是一种属性，而不是一种方法。我可以从 Firefox 控制台更改它的值，并尝试从不同的主机加载页面（http://fake.host/questions/16462082/...）

Yes, the prototype can be overridden. The reality is that, for your use case, you can't prevent your users from executing Javascript code. Even if they could not override a particular property, they can just execute the code block in their console.

是的，原型可以被覆盖。现实情况是，对于您的用例，您无法阻止用户执行 Javascript 代码。即使他们无法覆盖特定属性，他们也可以在控制台中执行代码块。

Just store it into a variable and override the variable.

只需将它存储到一个变量中并覆盖该变量。

window.location.*are derived from the value of window.location and are read-only

window.location.*派生自 window.location 的值并且是只读的

you can change window.location but that will trigger a redirect

您可以更改 window.location 但这会触发重定向