Concerns about browser security due to making javascript calls to game from browser.

I’ve been reading through the unity documentation for executing functions in a game from the browser using javascript, and I’m concerned about players or malicious individuals exploiting the ability to call functions using the browser to change game state or to run malicious code. An potentially dangerous example could be if a hacker puts a comment on a site that allows an XSS attack (i.e. run javascript) to execute some code to cause further damage by running a command in the game or to even screw up someone’s game state. A player could also cheat using this sort of exploit by running javascript manually through their browser using a firefox plugin. Anyone with the right knowledge about unity 3d or the insight to read the javascript you use to call certain functions in your site’s javascript could do some damage, unless there is someway to control untrusted data from the browser (which should essentially be considered untrusted by default). Is there some way to set an allowed list of functions that the browser can call (so I can make sure to scrub input from the browser etc, control things in a secure way) or only allow methods in a class that derive from some data structure to be called from the browser? I think the javascript integration is incredibly powerful and useful, but I need some way to control it from a security aspect… Is there any documentation I’ve missed?

Thank you in advance.

There is no way I’m aware of to limit which functions can be called from JavaScript. However, I would argue that an attacker who uses browser JavaScript to hack your game needs to know exactly which GameObjects with which methods there are, at which point he has probably decompiled the dlls of your game and analyzed it pretty well. With that knowledge, he could probably also just make a custom version of the game with the changes he needs. In the end it boils down to the old mantra that you can never trust the client in online games.

If you still think that it is relevant to have more control over when can and can’t be called from browser javascript, i suggest you request a feature on our feedback site.