A Note About Web Page Security - ThePix/QuestJS GitHub Wiki
Security For The User
QuestJS runs in the browser, and so the user's security is protected just as much as with any web site. This is inherently far safer for the user than downloading and installing an app to run your game or supplying your game as an executable itself.
There are issues authors may need to be aware of however. Browsers can have different ideas about what is safe, and so could potentially stop the game at some point. This is complicated by the fact that the user can set up the browser in different ways.
A user might choose to have LocalStorage wiped when the browser closes for example. Quest will give a warning about LocalStorage, but there is not much else we can do there.
For other features, QuestJS has a Content Security Policy (CSR) in the head that tells the browser what it wants to be able to do - and in particular what sites it wants to get assets from - and the browser can make a decision based on that. QuestJS has been written so the CSR can be as restrictive as possible to make it more universally acceptable. Two notable points:
The CSR prohibits the eval
JavaScript function, which is generally regarded as unsafe.
The CSR prohibits loading files from other sites. If, for example, you want to host images elsewhere you will need to update the CSR to allow that. As long as you specify the site you will be using, browsers will still consider your game to be secure.
Privacy for the Use
With regards to privacy, QuestJS games have no facilities to send any data to the server (besides the initial HTTP requests for the files) and do not use cookies. They only save data to the user's hard drive (in a place provided by your browser called localStorage) when she chooses to save her game progress (if a transcript is recorded, that is also saved to localStorage).
It would be possible to add features to a game, but that is beyond my control, and no different to any other web site. If a game does start asking you for personal information, be suspicious.
Security For The Game On The Server
As QuestJS games do not communicate back to the server, there is no way to access files on the server via the game. There is no way a user can hack your game to gain access to the files on the server.
This does not mean your files cannot be hacked - but that depends on the security of the server you are using, how good your password it, etc.
Security For The Game On The Client
On the other hand, there is virtually no security for the game when running. This means that once the game is running in the browser, the user can do whatever she likes to it. It must be emphasised that this only affects the copy on the user's computer, so cannot affect other users, but authors should appreciate that a savvy user can readily hack the game to give herself extra money, health, etc. find secret codes or whatever.