Everything in the user land can be changed/transformed/spoofed and can't be
trusted.

Why hide the key? Show it off. The only option you have anyway is to use a
back end database of randomly generated hashes, then you integrate the hash
into the bookmarklet. This way you have a signature that can't be faked
without access to the back end database. Because it is just random data it
also can't be reverse engineered.

Make the process of obtaining a working hash-signature hard, with captcha,
email registration, stuff like that. This way you won't get flooded with
machine generated working signatures. Log only the data obtained from legal
signatures (from humans), everything else just skews the statistical
analysis and should be ignored, never stored.

If there is any foul play you'll be able to detect it and ignore/erase all
of the traffic coming from that hash. Keep it simple, invite the "wannabe
hackers" to think they are winning and they won't try harder or hide their
tracks.

This way the statistical analysis to weed out "bad hashes" will be as
trivial as it gets and you'll be able to delete all the trash with a single
simple SQL delete sentence and block it by killing the offending hash.


On Sun, Jan 2, 2011 at 18:27, porneL <[email protected]> wrote:

>
> I'm wondering if it's possible to execute code in a bookmarklet in a way
> that prevents interference from a hostile web page. Specifically I'm
> interested if a secret value can be hidden in bookmarklet that cannot be
> intercepted by the page.
>
> My goal is to write a password generator (that generates hash(secret +
> domain)) and 1-click "vote on this" bookmarklets (which similarly have to
> contain a secret to prevent CSRF).
>
> I've tried that a few years ago, but back then browsers executed Array and
> String constructors for literals. This is fixed now, right?
>
> If this were a bookmarklet, would it keep the secret safe?
>
> (function(){
>        try {
>                var secret = "secret";
>        }
>        catch(e){}
> })();
>
> Is there any point fiddling with function's toString? Can I call untrusted
> functions without exposing the function in arguments.callee?
>
> How can I ensure that charCodeAt() hasn't been tampered with? To hash
> domain I need to iterate over characters in window.location.hostname.
>
> Speaking of window.location.hostname, is it trustworthy? Can someone fake
> it with getters, prototypes, variable shadowing or any other trick?
>
> --
> regards, porneL
>
> --
> To view archived discussions from the original JSMentors Mailman list:
> http://www.mail-archive.com/[email protected]/
>
> To search via a non-Google archive, visit here:
> http://www.mail-archive.com/[email protected]/
>
> To unsubscribe from this group, send email to
> [email protected]
>

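The server side of the scheme described in the reply above, as an added example that is not part of the original messages: random per-user tokens held in a back end store, votes kept only for known tokens, and one call that purges and blocks an abusive token. `TokenRegistry`, its method names and the `maxVotes` threshold are assumptions made for illustration (Node.js, in-memory maps standing in for the database).

```javascript
const nodeCrypto = require('node:crypto');

// Hypothetical in-memory stand-in for the back end database.
class TokenRegistry {
  constructor() {
    this.tokens = new Map(); // token -> { owner, revoked }
    this.votes = [];         // accepted votes only: { token, item }
  }

  // Call only after the captcha / email registration step (not shown here).
  issue(owner) {
    // Pure random data: nothing in the token can be derived or reversed.
    const token = nodeCrypto.randomBytes(16).toString('hex');
    this.tokens.set(token, { owner, revoked: false });
    return token; // this value is embedded in the user's bookmarklet
  }

  // Store a vote only when the token is known and not revoked.
  // The HTTP layer can answer identically either way, so a rejected
  // sender is not told that the vote was dropped.
  recordVote(token, item) {
    const entry = this.tokens.get(token);
    if (!entry || entry.revoked) return false; // ignored, never stored
    this.votes.push({ token, item });
    return true;
  }

  // Tokens with more than maxVotes stored votes (assumed, site-specific threshold).
  suspicious(maxVotes) {
    const counts = new Map();
    for (const v of this.votes) counts.set(v.token, (counts.get(v.token) || 0) + 1);
    return [...counts].filter(([, n]) => n > maxVotes).map(([t]) => t);
  }

  // Equivalent of "DELETE FROM votes WHERE token = ?" plus blocking the token.
  revoke(token) {
    const before = this.votes.length;
    this.votes = this.votes.filter((v) => v.token !== token);
    const entry = this.tokens.get(token);
    if (entry) entry.revoked = true;
    return before - this.votes.length; // number of votes purged
  }

  tally(item) {
    return this.votes.filter((v) => v.item === item).length;
  }
}
```
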