React Armor: Protect your DOM from third-party tampering

64 points by npad, about 9 years ago

18 comments

viraptor, about 9 years ago
What they thought this will achieve is: people will stop using scripts that change "ul li .Bar".

What it will actually achieve is: people will spend more scripts to heuristically check which element under "ul li" could be ".Bar" based on the layout, attributes, and contents. Then they'll change "ul li .whatever", sometimes mistaking the class and getting a broken website. Or worse, they'll select on "ul li @background-color='red'" (or whatever the syntax is), which you can't obfuscate any further, but is almost guaranteed to randomly be incorrect.

I get where they come from (user extensions affecting how the website works), but I'd say the alternative is worse :/
trengrj, about 9 years ago
This should be called React Obfuscate rather than React Armor.

I've done a fair amount of web scraping before and each of their tricks can be broken with enough care. Obfuscating html not only breaks many of the good things about the web but also makes things harder to debug.
spoiler, about 9 years ago
This is such a horrendous idea. Apart from the fact that this does virtually nothing, this is a prime example of the difference between security and obscurity and how neither is the other.
na85, about 9 years ago
Hooray, get ready for broken websites with modal overlays, CSS popups, ads, and tracking built-in, and no way to disable them!
dmitrygr, about 9 years ago
Sounds like a great way to make my browser waste more RAM & CPU on rendering your site (useless span-subtrees?!?!)

WTF, really?
mrchess, about 9 years ago
Great example of security theater.

https://en.wikipedia.org/wiki/Security_theater
Dr_tldr, about 9 years ago
Yeah, I genuinely don't understand what they're going for here. Anything that happens client-side can be modified by the client. Because, you know... it's on their side. Front-end validation and stuff is nice for UI/UX, but nothing that comes from the client should ever be trusted just because you put an obfuscated property on an input or something.

At the end of the day, it all has to be valid HTML tags and javascript that runs without crashing. In terms of security, nothing on the front end even registers on the scale. Absolute worst case scenario, it's like solving a Wheel Of Fortune where I have most but not all of the letters.

I'm pretty uncomfortable with the description of a user on their own machine, running their own browser running plugins they chose and installed as a "third party" that's engaging in "tampering."
tiglionabbit, about 9 years ago
This is kind of gross.

Pretty sure this is why we need shadow dom.
btown, about 9 years ago
But why stop there? Compile Chrome in Emscripten and render to canvas, with flickering to prevent screenshots! No DOM, no problems, right?

Until someone just types the data into Excel and manipulates it themselves. If you don't trust your user with data, don't show it to them in the first place!
anttiviljami, about 9 years ago
The end of transparent web source code. I hate this. :(
tomlongson, about 9 years ago
The extra work needed to do this pretty much makes it very unlikely to be implemented much. Additionally the DOM level obfuscating is just bad for performance.

If you're looking to prevent Ad Blockers, this is not your solution.
rajivtiru, about 9 years ago
Performance would probably not suffer at all...

EDIT: But if you really want to make this a useful lib, bake in a way to disable the `armor` for debugging/development.
_0w8t, about 9 years ago
The tool is cool but in practice just detecting that DOM is violated and notifying the user in one way or another (like reducing functionality of the site) should work better. Also it is much harder to defeat especially if detection takes into account the layout.

Update: the detection-only also helps with accessibility as obfuscated DOM makes it impossible to use with screen readers etc.
al2o3cr, about 9 years ago
"Such third-party scripts include browser extensions (adblockers...)"

ROFL, soon all the annoying garbage ads will be written in React. Yay!
christopher_, about 9 years ago
I thought this was a joke when I saw it at React Conf. Apparently not.
jvoorhis, about 9 years ago
The headline led me to believe this was some kind of DOM integrity technology, which would be cool. I have a vague notion this is bad for both security and performance.
iLoch, about 9 years ago
I know this is malicious to those who want the web to be open, but I love it. Not because I particularly agree with the motive, but it's just such a cool demonstration of the power of React. Doing this has never been so easy. Google has been doing this for a while for a few of their products (Google Plus is one of them, I believe), but they've got large engineering teams who can commit time and resources to protecting data.

If you have a justifiable business reason for doing this, then your life just got a little easier. I think this would also help against some forms of XSS too - so there's some silver lining for you.
blairanderson, about 9 years ago
so many haters here...

Make things that solve your problems.

Have fun while doing it.

Continue.