This question is mainly for security purposes. I need to know if it is possible to view by any means (plugins, programmatically or whatever) a list of all variables and their values in a gwt application compiled to javascript.
Let’s say I have a variable x created by gwt in its normal deployment mode…. let’s just ignore how did the value get there… Can the user somehow get to know that there is a var called x and its value…
Please note that I am not looking for software engineering best practices, the question is over simplified so that we get to the point. I know that I should not have anything sensitive on the client on the first place… but please let’s just skip that since the case is a much bigger story…
Thanks a lot..
Short awnser… yes..
GWT compiles to javascript and obfuscates everything, that said, all information is available from the compiled source if one knows what to look for. If someone succeeds in injecting a simple script tag into your application, they can simple retreive all scripts through XMLHttpRequest and parse them as text. No matter how obfuscated, it’s theoretically possible to get what you want from any javascript source. If you can see it in the raw script file, it’s attainable, doesn’t really matter if it’s locked away in anonymous closures or whatnot, any JS security mechanism can be circumvented.
Main condition is to get control of the page (script injection).
To quote yourself: ” I know that I should not have anything sensitive on the client on the first place…”
If it’s worth hacking, people will try it.