react-armor

Isn't this trivial to disable?

Open shaneargo opened this issue 8 years ago • 4 comments

I apologise in advance if I am mistaken, as I have no experience with react. Perhaps there is something I am missing. To me though, it appears as though to a browser extension wishing to manipulate your DOM, this would be trivial to disable.

Couldn't an extension simply inject some JavaScript between the declaration of the obfuscation functions and the script in which they are used, simply overriding them to directly return the node unmodified?

shaneargo avatar Mar 01 '16 10:03 shaneargo

It depends. For someone targeting your app it could be easier to disable. But for something like AdBlocker it will be impossible to target your DOM.

Cst2989 avatar Mar 01 '16 13:03 Cst2989

This is a legit question. First, obfuscation can (and typically will) be done at server-side rendering time, which of course your client-side scripts can't interfere with. Second, it would require your extension to be able to parse your entire javascript bundle, looking specifically for this decorator, rewrite it, and only then let the browser parse and execute this javascript bundle. I think the most frequent (and valid) case against ads is that ads slow the web; I hardly imagine an adblocker would spend this much CPU/memory resources on every single page.

elierotenberg avatar Mar 01 '16 14:03 elierotenberg

Thanks, my misunderstanding was that templates were rendered server side. This indeed does make it more difficult to work around.

In terms of what I was saying (on the client side) I wasn't suggesting parsing the javascript bundle. Again, this is probably a misunderstanding on my part.

I was basically proposing this:

<script src="react-armor.js"></script>
<script src="bad-guy.js"></script>
<script src="myapp.js"></script>

where bad-guy.js redefines your decorators to return the DOM unmodified.

I'm guessing my misunderstanding is going to be that react-armor is bundled into "myapp.js" and therefore this won't work.

shaneargo avatar Mar 03 '16 00:03 shaneargo
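The script-ordering scenario from the comment above, as an added example that is not part of the thread or of react-armor's code: it loads the three files as classic scripts sharing one global scope, then loads the same library compiled into the app bundle, and compares what gets rendered. `armorObfuscate`, the node shape and the class name `k9f2` are hypothetical stand-ins, not react-armor's real API.

```javascript
// Added example. Each string plays the role of one <script> file.
// Calling eval through an alias ("indirect eval") runs the code in the
// global scope, the way a classic <script> tag would.
const indirectEval = eval;

// Hypothetical library exposed as a global: rewrites tag and class name.
const LIB = `var armorObfuscate = function (node) {
  return { tag: 'div', className: 'k9f2', children: node.children };
};`;

// The "bad-guy.js" idea from the thread: return the node unmodified.
const OVERRIDE = `var armorObfuscate = function (node) { return node; };`;

// Constructed app code that looks the decorator up by name.
const APP = `var rendered = armorObfuscate(
  { tag: 'aside', className: 'ad', children: ['sponsored'] });`;

// Library and app compiled into one file: the decorator is a local
// binding of the bundle's function scope, not a property of the global object.
const BUNDLE = `(function () {
  ${LIB}
  ${APP}
  globalThis.rendered = rendered;
})();`;

// Evaluate the scripts in order and return what the app rendered.
function loadPage(scripts) {
  delete globalThis.armorObfuscate; // reset state left by a previous run
  delete globalThis.rendered;
  for (const src of scripts) indirectEval(src);
  return globalThis.rendered;
}

// Separate global scripts: the last definition before the app wins.
const separate = loadPage([LIB, OVERRIDE, APP]);
// Bundled: the global override is shadowed by the bundle's own binding.
const bundled = loadPage([OVERRIDE, BUNDLE]);

console.log('separate scripts ->', separate.tag, separate.className);
console.log('bundled          ->', bundled.tag, bundled.className);
```

The first case only arises when the library is shipped as a global that the app resolves at call time; with bundling, or with markup already obfuscated during server-side rendering, there is no global name left to redefine.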

For ads:

iframe { display:none; } 

gg ;)

jarnix avatar Feb 14 '17 10:02 jarnix