Javascript 如何禁用浏览器开发者工具?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/7559409/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to disable browser developer tools?
提问by Brandon
I'm developing a web application and since it has access to a database underneath, I require the ability to disable the developer tools from Safari, Chrome, Firefox and Internet Explorer and Firebug in Firefox and all similar applications. Is there a way to do this?
我正在开发一个 Web 应用程序,因为它可以访问下面的数据库,所以我需要能够禁用 Safari、Chrome、Firefox 和 Internet Explorer 中的开发人员工具,以及 Firefox 和所有类似应用程序中的 Firebug。有没有办法做到这一点?
Note: The AJAX framework provided by the database requires that anything given to the database to be in web parameters that can be modified and that anything it returns be handled in JavaScript. Therefore when it returns a value like whether or not a user has access to a certain part of the website, it has to be handled in JavaScript, which developer tools can then access anyway. So this is required.
注意:数据库提供的 AJAX 框架要求提供给数据库的任何内容都在可以修改的 Web 参数中,并且它返回的任何内容都在 JavaScript 中处理。因此,当它返回一个值,比如用户是否可以访问网站的某个部分时,它必须在 JavaScript 中处理,然后开发人员工具无论如何都可以访问。所以这是必需的。
UPDATE: For those of you still thinking I'm making bad assumptions, I did ask the vendor. Below is their response:
更新:对于那些仍然认为我做出错误假设的人,我确实询问了供应商。以下是他们的回应:
Here are some suggestions for ways of mitigating the risk:
以下是降低风险的一些建议:
1) Use a javascript Obfuscator to obfuscate the code and only provide the obfuscated version with the sold application; keep the non obfuscated version for yourself to do edits. Here is an online obfuscator: How can I obfuscate (protect) JavaScript?http://en.wikipedia.org/wiki/Obfuscated_codehttp://javascriptobfuscator.com/default.aspx
2) Use a less descriptive name; maybe 'repeatedtasks.js' instead of 'security.js' as 'security.js' will probably stand out more to anyone looking through this type of information as something important.
1) 使用 javascript Obfuscator 对代码进行混淆,只提供混淆后的版本;保留未混淆的版本供您自己进行编辑。这是一个在线混淆器: 如何混淆(保护)JavaScript?http://en.wikipedia.org/wiki/Obfuscated_code http://javascriptobfuscator.com/default.aspx
2)使用描述性较低的名称;也许 'repeatedtasks.js' 而不是 'security.js',因为 'security.js' 可能会更突出任何浏览此类信息作为重要信息的人。
回答by Naftali aka Neal
No you cannot do this.
不,你不能这样做。
The developer menu is on the client side and is provided by the user's browser.
开发者菜单位于客户端,由用户浏览器提供。
Also the browser developer should have nothingto do with your server side database code, and if it does, you need some maaaaaajor restructuring.
此外,浏览器开发人员应该与您的服务器端数据库代码无关,如果有,您需要进行一些 maaaaaajor 重组。
回答by SingleNegationElimination
If your framework requires that you do authorization in the client, then...
如果您的框架要求您在客户端进行授权,那么...
You need to change your framework
你需要改变你的框架
When you put an application in the wild, where users that you don't trust can access it; you must draw a line in the sand.
当您将应用程序置于野外时,您不信任的用户可以访问它;你必须在沙滩上画一条线。
- Physical hardware that you own; and can lock behind a strong door.You can do anything you like here; this is a great place to keep your database, and to perform the authorization functions to decide who can do what with your database.
- Everything else;Including browsers on client computers; mobile phones; Convenience Kiosks located in the lobby of your office. You cannot trust these! Ever!There's nothing you can do that means you can be totally sure that these machines aren't lying to cheat you and your customers out of money. You don't control it, so you can't ever hope to know what's going on.
- 您拥有的物理硬件;并且可以锁在一扇坚固的门后面。你可以在这里做任何你喜欢的事情;这是一个很好的地方来保存你的数据库,并执行授权功能来决定谁可以对你的数据库做什么。
- 其他一切;包括客户端计算机上的浏览器;手机;便利亭位于您办公室的大堂。 你不能相信这些!曾经!您无能为力,这意味着您可以完全确定这些机器不会欺骗您和您的客户。你无法控制它,所以你永远无法希望知道发生了什么。
回答by Liberat0r
In fact this is somehow possible (how-does-facebook-disable-developer-tools), but this is terribly bad idea for protecting your data. Attacker may always use some other (open, self written) engines that you don't have any control on. Even javascript obfuscation may only slow down a bit cracking of your app, but it also gives practically no security.
事实上,这在某种程度上是可能的(how-does-facebook-disable-developer-tools),但这对于保护您的数据来说是非常糟糕的主意。攻击者可能总是使用其他一些您无法控制的(开放的、自行编写的)引擎。即使 javascript 混淆可能只会减慢您的应用程序的破解速度,但它实际上也没有提供任何安全性。
The only reasonable way to protect your data is to write secure code on server side. And remember, that if you allow someone to download some data, he can do with it whatever he wants.
保护数据的唯一合理方法是在服务器端编写安全代码。请记住,如果您允许某人下载一些数据,他可以随心所欲地使用它。
回答by sarnold
There's no way your development environment is thisbrain-dead. It just can't be.
有没有办法,你的开发环境是这个死脑筋。简直不能。
I strongly recommend emailing your boss with:
我强烈建议给你的老板发电子邮件:
- A demand for a week or two in the schedule for training / learning.
- A demand for enough support tickets with your vendor to figure out how to perform server-side validation.
- A clear warning that if the tool cannot do server-side validation, that you willbe made fun of on the front page of the Wall Street Journal when your entire database is leaked / destroyed / etc.
- 在培训/学习计划中需要一两个星期。
- 要求您的供应商提供足够的支持票,以确定如何执行服务器端验证。
- 一个明确的警告,如果该工具无法进行服务器端验证,那么当您的整个数据库被泄露/破坏/等时,您将在华尔街日报的头版被取笑。
回答by Justin Niessner
No. It is not possible to disable the Developer Tools for your end users.
不可以。无法为您的最终用户禁用开发人员工具。
If your application is insecure if the user has access to developer tools, then it is just plain insecure.
如果您的应用程序在用户有权访问开发人员工具的情况下不安全,那么它就是不安全的。
回答by trailmax
Don't forget about tools like Fiddler. Where even if you lock down all the browsers' consoles, http requests can be modified on client, even if you go HTTPS. Fiddler can capture requests from browser, user can modify it and re-play with malicious input. Unless you secure your AJAX requests, but I'm not aware of a method how to do this.
不要忘记像Fiddler这样的工具。即使您锁定所有浏览器的控制台,也可以在客户端修改 http 请求,即使您使用 HTTPS。Fiddler 可以捕获来自浏览器的请求,用户可以对其进行修改并使用恶意输入重新播放。除非你保护你的 AJAX 请求,但我不知道如何做到这一点。
Just don't trust any input you receive from any browser.
只是不要相信您从任何浏览器收到的任何输入。
回答by mumair
Update at the time (2015) when this answer was posted, this trick was possible. Now (2017) browsers are mature. Following trick no longer works!
在发布此答案时(2015 年)更新,此技巧是可能的。现在(2017 年)浏览器已经成熟。以下技巧不再有效!
Yes it is possible. Chrome wraps all console code in
对的,这是可能的。Chrome 将所有控制台代码封装在
with ((console && console._commandLineAPI) || {}) {
<code goes here>
}
... so the site redefines console._commandLineAPIto throw:
Object.defineProperty(console, '_commandLineAPI',
{ get : function() { throw 'Nooo!' } })
with ((console && console._commandLineAPI) || {}) {
<code goes here>
}
...所以该站点重新定义console._commandLineAPI为抛出:
Object.defineProperty(console, '_commandLineAPI',
{ get : function() { throw 'Nooo!' } })
This is the main trick!
这是主要的技巧!
回答by Nicholas Valbusa
You can easily disable Developer tools by defining this:
您可以通过定义以下内容轻松禁用开发人员工具:
Object.defineProperty(console, '_commandLineAPI', { get : function() { throw 'Nooo!' } })
Have found it here: How does Facebook disable the browser's integrated Developer Tools?
在这里找到它:Facebook 如何禁用浏览器的集成开发人员工具?
回答by vimal1083
Brandon ,
布兰登
You can do something like this , this is a very basic idea, You can override native code by doing this , This not the exact you looking for , you have develop from from this
你可以做这样的事情,这是一个非常基本的想法,你可以通过这样做覆盖本机代码,这不是你想要的,你是从这里开发的
delete window.console
console.log('test'); // Noting will work
