View all JavaScript variables of a GWT app
This question is mainly for security purposes. I need to know if it is possible to view by any means (plugins, programmatically or whatever) a list of all variables and their values in a GWT application compiled to JavaScript.
Let's say I have a variable x created by GWT in its normal deployment mode... let's just ignore how the value got there... Can the user somehow get to know that there is a var called x and its value?
Please note that I am not looking for software engineering best practices; the question is oversimplified so that we get to the point. I know that I should not have anything sensitive on the client in the first place... but please let's just skip that since the case is a much bigger story...
Thanks a lot..
Short answer... yes..
GWT compiles to JavaScript and obfuscates everything; that said, all information is available from the compiled source if one knows what to look for. If someone succeeds in injecting a simple script tag into your application, they can simply retrieve all scripts through XMLHttpRequest and parse them as text. No matter how obfuscated, it's theoretically possible to get what you want from any JavaScript source. If you can see it in the raw script file, it's attainable; it doesn't really matter if it's locked away in anonymous closures or whatnot, any JS security mechanism can be circumvented.
Main condition is to get control of the page (script injection).
To quote yourself: "I know that I should not have anything sensitive on the client in the first place..."
If it's worth hacking, people will try it.
GWT code is compiled to JavaScript. So ultimately the user can use JavaScript introspection to discover all objects and their properties.
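The two answers above can be checked against your own compiled output before shipping. This is an added example, not part of the original posts and not GWT's code: it scans script text for string literals (first answer) and walks the properties reachable from a root object (second answer). `SAMPLE_BUNDLE`, `extractStringLiterals`, `walkReachable` and `auditSample` are hypothetical names, and the bundle is a constructed stand-in for obfuscated output.

```javascript
// Constructed stand-in for obfuscated compiler output (not real GWT output).
const SAMPLE_BUNDLE = `
var $wnd=this;function a(){var b='tok_CONSTRUCTED_123';this.c=b;this.d={e:42}}
function f(g){return g+'/rpc'}
$wnd.h=new a;
`;

// First answer: a literal present in the served script text is recoverable,
// whatever closure it lives in at run time. Naive scanner: it ignores
// comments, regex literals and template literals.
function extractStringLiterals(source) {
  const literals = [];
  const re = /'((?:[^'\\\n]|\\.)*)'|"((?:[^"\\\n]|\\.)*)"/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    literals.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return literals;
}

// Second answer: values reachable from a root object can be enumerated even
// when the property names are obfuscated. Cycles are cut with a seen-set.
function walkReachable(root, maxDepth = 4) {
  const seen = new Set();
  const found = [];
  (function visit(obj, path, depth) {
    if (obj === null || typeof obj !== 'object') return;
    if (seen.has(obj) || depth > maxDepth) return;
    seen.add(obj);
    for (const key of Object.getOwnPropertyNames(obj)) {
      let value;
      try { value = obj[key]; } catch (e) { continue; } // getters may throw
      const p = path ? path + '.' + key : key;
      if (value !== null && typeof value === 'object') visit(value, p, depth + 1);
      else if (typeof value !== 'function') found.push({ path: p, value });
    }
  })(root, '', 0);
  return found;
}

// Run the constructed bundle against an isolated scope object, then inspect
// both the source text and the resulting object graph.
function auditSample() {
  const scope = {};
  new Function(SAMPLE_BUNDLE).call(scope);
  return { literals: extractStringLiterals(SAMPLE_BUNDLE), reachable: walkReachable(scope) };
}
```

The value assigned to the local `b` shows up in both result lists: once as a literal in the text and once as `h.c` in the object graph.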
Short answer - No, not unless you know what you are looking for.
The GWT compiler does something called cross-compiling: it transforms Java code into JavaScript/ECMAScript. The mapping between a variable in Java and that in the generated script is not straightforward. The language semantics are not the same; the compiler tries to optimize and generates obfuscated JS (to reduce the size). You can tweak this to a certain extent by passing arguments at compile time (by setting PRETTY). This still does not guarantee a one-to-one mapping.
On a different note, even decompiled Java code does not look like the original source (that's the complexity of the problem).