Using Script to Hide Content: Not Always a Good Idea

I got a question on one of my other blog posts today called Determining if a User Is in a Permission Group with SharePoint’s Web Services:

Hi Marc,
Do you know a good solution to hide something on a page for authorization concerns? JS is not a good idea to secure something. There must be something to do with XSLT to get the groups of the current user.

Great question. Here’s my response to the comment:

You’re right that running script to filter based on security is not, well, secure. Using scripting in this way is useful for targeting and responding to user behavior, but it isn’t security.

You can use a DVWP with an AggregateDataSource, one of whose sources is the GetGroupCollectionFromUser Web Service operation.

The bottom line is that you should not use script for security. Was that clear enough? Do not use script for security.

It’s important to note that Web Services calls, such as those SPServices makes, always run under the credentials of the current user, so the results of those calls are permission trimmed just as they would be if the user tried to accomplish the same thing through the UI.

If what you want is obscurity, meaning that the user will have to work a bit to get at what you have hidden, then script is an excellent answer.

So, here’s the rule of thumb:

Security requires server side code, but script can provide obscurity.

Many times, obscurity is really all you need. A smart user can often get to content you don’t intend simply by hacking the URL to go to a known page, such as AllItems.aspx. Your permissions must be set well, or else all of your security efforts are for naught. (I can’t tell you how many times I’ve seen poorly implemented security, but that’s another post altogether.)
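To make the script-versus-server distinction concrete, here is an added example (not from the original post, and not SPServices code) that renders the same "owners only" content two ways and then checks what actually reaches the browser. The group directory, user names and secret text are all constructed sample data; no SharePoint calls are made.

```javascript
// Constructed sample directory: which users belong to which SharePoint group.
const GROUP_MEMBERS = {
  'Site Owners': ['DOMAIN\\alice'],
  'Site Visitors': ['DOMAIN\\alice', 'DOMAIN\\bob'],
};

// Constructed content that only Site Owners are supposed to see.
const SECRET = 'Q3 budget: confidential';

function isMember(user, group) {
  return (GROUP_MEMBERS[group] || []).includes(user);
}

// Pattern 1 (obscurity): the server sends everything and script decides what
// to show. The div is hidden for non-owners, but its text is still in the HTML.
function renderWithScriptHiding(user) {
  const owner = isMember(user, 'Site Owners');
  return [
    '<div id="public">Welcome ' + user + '</div>',
    '<div id="owners-only" style="display:none">' + SECRET + '</div>',
    '<script>if (' + JSON.stringify(owner) + ') {',
    '  document.getElementById("owners-only").style.display = "block"; }</script>',
  ].join('\n');
}

// Pattern 2 (security): the server checks membership before rendering, so a
// non-owner's response never contains the text at all.
function renderWithServerTrimming(user) {
  const parts = ['<div id="public">Welcome ' + user + '</div>'];
  if (isMember(user, 'Site Owners')) {
    parts.push('<div id="owners-only">' + SECRET + '</div>');
  }
  return parts.join('\n');
}

// Anyone who opens "view source" sees the raw response: is the secret in it?
function responseLeaksSecret(html) {
  return html.includes(SECRET);
}

// Run both patterns for one user and report whether each one leaks.
function compareForUser(user) {
  return {
    scriptHidingLeaks: responseLeaksSecret(renderWithScriptHiding(user)),
    serverTrimmingLeaks: responseLeaksSecret(renderWithServerTrimming(user)),
  };
}

// For a non-owner: { scriptHidingLeaks: true, serverTrimmingLeaks: false }
console.log(compareForUser('DOMAIN\\bob'));
```

The hidden div is only a style attribute away from being visible, which is exactly the "a bit of work" obscurity buys you; the trimmed response has nothing to reveal.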

This IE8 Popup Drives Me Nuts: “Do you want to view only the webpage content that was delivered securely?”

I’ve fixed it on multiple machines, but I always forget where the setting is. Here, for future me when he needs them, are the simple steps to make this annoying popup go away:

  1. Go to Tools->Internet Options->Security
  2. Select the ‘Security’ tab
  3. Click the ‘Custom Level’ button
  4. In the ‘Miscellaneous’ section change ‘Display mixed content’ to Enable

Thanks to this article at HTTPWatch: Fixing the IE 8 warning – ‘Do you want to view only the webpage content that was delivered securely?’