@s-molinari would you agree that there should be a property of build in quasar.conf.js called obfuscate where when a “salt” for the “hash” is placed the JavaScript and CSS of the project is obfuscated when built? If you agree I’d be happy to work on it.
Latest posts made by chey
-
RE: Allow custom prefix instead of q- for css classes (for built-in components, not custom)
@s-molinari The 2 applications I’m working on will need the class names to be smaller anyway, so even though I accept that client-side security methods like this won’t really protect anything, I’ll still need the obfuscation, because one is an integrated form and document management platform and the other is a platform to handle communication from multiple sources, from emails to site chats to Instagram DMs to Facebook comments and even SMS. So I don’t believe it’s fair to assume I don’t have a codebase that’s as big as a platform like Facebook or Google Mail just because I’m currently a “nobody”. I just didn’t know how to word what I wanted properly, and the Chrome extension incident in high school was a simple way to explain “systematic” renaming of classes to something different from what’s in the source files.
-
RE: Allow custom prefix instead of q- for css classes (for built-in components, not custom)
@s-molinari is there anyone you would recommend that I check with?
-
RE: Allow custom prefix instead of q- for css classes (for built-in components, not custom)
Hi @s-molinari, checking back to see if you decided that obfuscation is worthy of your help.
-
RE: Allow custom prefix instead of q- for css classes (for built-in components, not custom)
I know how this could be achieved by making a few changes to Quasar. I could’ve forked it and done it, but I want to check if it’s built in, since so far everything else I needed seemed to have been built into Quasar.
-
RE: Allow custom prefix instead of q- for css classes (for built-in components, not custom)
Again, you misunderstood what I was saying. It’s not about Quasar specifically, it’s about IDs and classes. I only mentioned Quasar because it’s the perfect framework to me (not joking), so I assumed it had something built in to achieve what I want to achieve.
I didn’t say React obfuscates its CSS naming automatically.
Facebook and Google do it using a minification process:
https://develoger.com/how-to-obfuscate-css-class-names-with-react-and-webpack-20e2b5c49cda
Let me give an example of one of the attacks my Chrome extension did…
I added the class for the selector of the Yahoo mail recipient field and the send button to the script, which then (in less than a second) adds my “capture” email address to the field when my friends press send, then removes it from the field within that sub-second… this allowed me to get a copy of their emails… if it was a case where Yahoo changed the CSS selectors automatically at random times, the script in my extension would be void after a while… this same approach could be used to steal credit card info and passwords by having a dictionary of common CSS selectors for these fields… obfuscation would make this harder.
-
RE: Allow custom prefix instead of q- for css classes (for built-in components, not custom)
Is it possible to get quasar/vue class names to be things like _8Qm7L instead of q-field__native like when I am using react?
-
RE: Allow custom prefix instead of q- for css classes (for built-in components, not custom)
The attack I speak of is something I’ve done to my friends in high school by letting them install my emoji extension for chrome and the only way to prevent it is to have obfuscated classes and ids
-
RE: Allow custom prefix instead of q- for css classes (for built-in components, not custom)
@s-molinari I believe you misunderstood my message… I believe it’s best if I ask “How can I get class names to be things like _8Rm4L instead of q-field__native like when I am using react?”
-
RE: Allow custom prefix instead of q- for css classes (for built-in components, not custom)
Because sometimes it’s easier to exploit sites when the selectors are predictable or the framework used is obvious… as a security measure, before I started using frameworks I’d make the server change the prefix at random times or every time I restart the server/servers.