I’ve just realised that injecting, for example, a custom table or any element using JavaScript and protecting it using a login doesn’t work.
I have a login-protected page and in JavaScript I listen to the page load and inject some custom table in it. When I refresh the page, it sure asks for the login and I can’t see the custom table, but when I get to the page through normal navigation, the custom table gets exposed, with the login form appearing below it.
This means anything injected with JavaScript can’t be protected by login? How’s everyone dealing with this?
JavaScript will run from any page, even a login screen. You shouldn’t be able to get the data into the table from an API call unless the user is logged in or you are exposing your API key and doing object-based API calls (Never put your API key in your JavaScript).
You can check if the page has a login element before running your code to make sure it doesn’t run on a login screen. Or you can check if the user is logged in before running your code.
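The two checks described in the reply above, as an added example that is not part of the original thread or of any platform's own code: skip the injection while a login form is displayed, and only render rows that an authenticated API call returns. The selectors, the endpoint and the session-cookie authentication are assumptions.

```javascript
// Added example. LOGIN_SELECTOR, TARGET_SELECTOR and API_URL are hypothetical
// placeholders: use whatever your platform actually renders and exposes.
const LOGIN_SELECTOR = "form.login-form";
const TARGET_SELECTOR = "#custom-table";
const API_URL = "/api/report-rows";

// Client-side guard: skip injection while a login form is on the page.
// This is only UX; anyone can bypass it from the browser console.
function canInject(doc) {
  const loginShown = doc.querySelector(LOGIN_SELECTOR) !== null;
  return !loginShown && doc.querySelector(TARGET_SELECTOR) !== null;
}

// The real control is the server: it must refuse callers who are not logged
// in, so protected rows never reach the browser at all.
function rowsFromResponse(status, body) {
  if (status === 401 || status === 403) return null;
  if (status !== 200 || !Array.isArray(body)) {
    throw new Error("unexpected API response: " + status);
  }
  return body;
}

// Build cells with textContent so API data is never parsed as HTML.
function fillTable(doc, rows) {
  const table = doc.querySelector(TARGET_SELECTOR);
  for (const row of rows) {
    const tr = doc.createElement("tr");
    for (const value of row) {
      const td = doc.createElement("td");
      td.textContent = String(value);
      tr.appendChild(td);
    }
    table.appendChild(tr);
  }
}

// Assumes the API authenticates via the user's session cookie, so no API key
// is embedded in this script.
async function injectTable(doc, fetchFn) {
  if (!canInject(doc)) return "skipped";
  const res = await fetchFn(API_URL, { credentials: "same-origin" });
  const body = res.status === 200 ? await res.json() : null;
  const rows = rowsFromResponse(res.status, body);
  if (rows === null) return "denied";
  fillTable(doc, rows);
  return "rendered";
}
```

In a browser this would be called from the page-load handler as `injectTable(document, (url, opts) => fetch(url, opts))`.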