Websockets + Javascript private variables: Security?

Question

If I send some data through websockets to the client. Is it them for some reason impossible for the client to get access to this data if all the infrastructure works through non-global variables? (I guess not) Does the same hold for manipulation of these variables?

Best regards

Answer 1

Yes

In short, yes! Just like traditional TCP-Sockets, WebSocket transmit text- or binary frames, even if you use SSL-Enabled websockets (wss) it will be decryptet when arrived at the certain endpoint.

I do not know which framework you are using but even if you have "the feeling" of sending objects throught the socket this is not really the case.

Every object will in some way be marshalized - be it to XML, JSON or some other protocol which will end up as pure text or bytecode. This will then be read on the other endpoint and again demarshalized into an object.

A potential hacker would not only have the possibility to read the marshalized text/bytecode (e.g. using builtin-tools from his browser) but easily access javascript DOM to get the datam or even maniuplate it.