Hi all, here I would like to share one of my concerns about JavaScript data security. I don't know how many of us are really aware of the user's data security in a JavaScript application. In my understanding, if we have some user data which we store dynamically in a variable as a reference, it can be passwords, credit card numbers, or other confidential user data. It will be available when the specific JavaScript function executes. So it means we can access that data in the console. Isn't that less secure? Please correct me and give an exact answer if I am wrong. I hope the question is clear.
Thanks!
Shreyansh Pandey
node, coffee and everything in between
Following reductio ad absurdum, that's the case with any programming language. When you enter your credit card information or whatever information into an application (say Amazon.com), it's you who is entering or someone who already knows it so stealing would be redundant.
However, in all seriousness, I guess you are talking about something called a global variable leak where you can access variables like these:
    var a = 'test';

Alt+Cmd+J and

    console.log( a );

Yeah. It will work.

However, if there is a global variable leak, then it'll fail the security assessment (in case of credit-card data) or it'll be removed in the code-review process (in other cases).
Since functions execute extremely fast (depending on the complexity and your computer's clock cycle), it'll take you nanosecond precision to capture the memory address of a variable and then get the information. By the time you do it, the data will be considered stale (see XSRF on why this is done.)
Lastly, most of the time, the JS script (tautology?) handling such interactions is wrapped in an immediately invoked function expression which exposes internally-scoped (and, by extension, "protected") functional abstractions to manipulate and mutate your data.
I hope this answers it. I'd be glad to help you further with this! :)
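The difference between a global variable leak and the IIFE pattern described in the answer above, as an added example that is not part of the original thread. The names `newGlobals`, `leakyCheckout` and `scopedCheckout` are hypothetical, the card number is a constructed test value, and the explicit `globalThis` assignment stands in for a top-level `var` in a classic browser script.

```javascript
// Added example: the card number is a constructed test value.
const SAMPLE_CARD = '4111111111111111';

// Review aid: returns the names added to the global object while fn runs,
// then removes them so repeated checks start clean.
function newGlobals(fn) {
  const before = new Set(Object.getOwnPropertyNames(globalThis));
  fn();
  const added = Object.getOwnPropertyNames(globalThis).filter(k => !before.has(k));
  added.forEach(k => { delete globalThis[k]; });
  return added;
}

// Leaky form: in a classic browser <script>, a top-level `var cardNumber`
// becomes window.cardNumber. Modelled here with an explicit global assignment.
function leakyCheckout(number) {
  globalThis.cardNumber = number;
  return globalThis.cardNumber.slice(-4);
}

// IIFE form: the value lives in the closure; only the functions are exposed.
function scopedCheckout(number) {
  const checkout = (function () {
    let cardNumber = null;
    return {
      set(n) { cardNumber = n; },
      last4() { return cardNumber ? cardNumber.slice(-4) : null; },
      clear() { cardNumber = null; }, // drop the reference once it is used
    };
  })();
  checkout.set(number);
  const shown = checkout.last4();
  checkout.clear();
  return { shown, exposed: Object.keys(checkout), afterClear: checkout.last4() };
}

let scoped;
const leaked = newGlobals(() => leakyCheckout(SAMPLE_CARD));
const clean = newGlobals(() => { scoped = scopedCheckout(SAMPLE_CARD); });
console.log('leaky version added globals:', leaked);
console.log('IIFE version added globals:', clean);
console.log('IIFE exposes only:', scoped.exposed);
```

Closure scoping keeps the value off the global object and away from other scripts on the page; a user who pauses the page in the debugger can still inspect closure variables.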