W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2012

Re: how to protect javascript codes

From: Dan Veditz <dveditz@mozilla.com>
Date: Fri, 16 Nov 2012 17:49:36 -0800
Message-ID: <50A6ED30.5080204@mozilla.com>
To: Mountie Lee <mountie.lee@mw2.or.kr>
CC: webcrypto-comments@w3.org, public-webappsec@w3.org, public-sysapps@w3.org
On 11/16/12 5:07 PM, Mountie Lee wrote:
> the reason why we need to protect javascript codes are as following
> - javascript codes are easily changed on client side.
> - service provider want to make sure the business logic implemented with
> javascript is exactly same to server's

You can't ever guarantee that. In the trivial case let's say we do come 
up with a fool-proof mechanism, then a user can just create their own 
client without that mechanism (both Gecko and Webkit are open source).

So who's your threat? If it's the user give up now. The user's computer 
likewise: malware can replace or hack into browser components.

If both the user and site are trustworthy then we can do things to make 
sure the code is reliably transmitted between the two. The WebAppSec 
working group has discussed things along these lines.

-Dan Veditz
Received on Saturday, 17 November 2012 01:50:05 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 17 November 2012 01:50:05 GMT