问题
This is related to this security question regarding what it is that secures credentials inside a single page webapp.
Suppose we are using an app that is not ours and uses JWT Tokens for security. Are we able to log the contents through browser developer tooling or otherwise of the variables that the app uses for state. Specifically could someone log or see the contents of the JWT token that the user obtained post authentication?
回答1:
Yes, it's entirely possible. Any user can just open the developer console and put breakpoints to see the value of the variables on runtime at a particular instance of time. This is how developers debug their applications.
The front end JS code runs on browser and since that needs to be interpreted, the source code needs to be downloaded on the browser and then run using a JS engine (V8 for chrome, webkit for Safari, Chakra for MS Edge etc.)
To secure your application you need to put as much business logic as possible on your server side code whenever security is concerned. With respect to JWT, I suggest you look at this SO question.
来源:https://stackoverflow.com/questions/49726180/is-it-possible-to-see-the-values-of-browser-based-javascript-variables-in-a-web