I decided to use knockout.js for my web application and have some concerns regarding security.
The flow of data is as follows:
- user requests controller via url
- controller gathers together required information, sends to view as json string
- json string is saved to dom to allow my javascript code to access it
- json is loaded into knockout view model inside the $(document).ready
My issue is that the json string is clearly viewable by users by just clicking 'View Source' and this worries me because I'm aware this can easily be changed client-side but I'm not fully sure of the implications.
Here is some example code to illustrate my point. First, the controller:
function view($id = null)
{
//other processing...
$data = array();
$data['json'] = $this->get_profile_json($id);
$this->load->view('profile_page',$data);
}
The profile page view
<script type="text/javascript">
window.profile_json = "<?php echo $json; ?>";
</script>
<script type="text/javascript" src="<?php echo site_url('assets/js/profile_page.js'); ?>"></script>
<!-- The profile page below... -->
The profile page javascript
var vm = new ViewModel(profile_json); //load the json into view model
ko.applyBindings(vm);
Now I understand I can achieve the same goal by loading the json from the javascript code just before
creating the view model, using $.getJSON for example.
However, someone with a developer tools extension on their browser could also see (and possibly edit?) this data too. This is a particular problem is some of that data contains things like permissions flags and so on.
My question is, how do you ensure data passed down to your view model is unable to be tampered with?
