I want to distribute a simple game on the web using JavaScript and
HTML5 and to keep record time scores on the web. But for that I want
to protect client-side execution of some scripts and Ajax calls.

I think the game would have to use a server / client model where the
game state info is maintained by the server and then pushed out to the
clients.

Say the whole game is this: While you hold the 'D' key, your player's
X velocity increases by 1 game unit per tic every tic, up to a max of
30 units per tic. When you release it, the X velocity decreases by 1
unit per tic until it reaches 0.

Now, you could just let everyone play, and whenever someone crosses
the finish line, their client sends the server 'i won,' the server
sees how long the race has been going and adds the winner to the
scoreboard. Obviously this can be hacked.

The thing to do is have the client always send *messages* to the
server... Every tic the 'D' key is held, client tells server "I'm
moving right." Immediately client uses client-side game physics
routine to move the actor right for visual feedback. When message
arrives from client, server does its physics routine (same routine as
client if client is unaltered) and calculates actor's position also.
When it is done, it calls back to client and the displayed position
based on client physics is replaced with server's calculated position,
which will ideally be close to identical to what the client calculated
(user shouldn't notice the change) if the network latency is low.

Now, if the client tries to cheat and sends the server some crazy
message like "hey, I'm moving at 1000 game units per tic," and even if
their hacked client supports showing this to the user and sending it
to the server, the server will reject the bogus input and the client
can be disconnected or left to suffer with broken gameplay.
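
A sketch of the server side of the scheme described above, added here as an example and not part of the original post: the server accepts only per-tic key-state messages, runs the physics itself, and decides the finish tic. The names RaceSession, applyInput and simulate, the message shape { tic, right } and the track length FINISH_X are assumptions.

```javascript
// Added example: server-authoritative race state (all names are assumptions).
const MAX_VX = 30;      // max X velocity from the post, in units per tic
const FINISH_X = 1000;  // constructed track length, not from the post

class RaceSession {
  constructor() {
    this.tic = 0; this.x = 0; this.vx = 0;
    this.finishedAtTic = null; this.rejected = false;
  }

  reject(reason) { this.rejected = true; return { ok: false, reason }; }

  // msg is the only thing a client may send: { tic: <int>, right: <bool> }.
  // The client never states a position, a velocity or "I won".
  applyInput(msg) {
    if (this.rejected) return { ok: false, reason: 'session rejected' };
    const keys = Object.keys(msg || {}).sort().join(',');
    if (keys !== 'right,tic' || typeof msg.right !== 'boolean' ||
        !Number.isInteger(msg.tic)) {
      return this.reject('malformed input');   // e.g. an extra "vx: 1000" field
    }
    if (msg.tic !== this.tic + 1) return this.reject('tic out of sequence');
    this.tic = msg.tic;
    // Physics rule from the post: +1 per tic while held (capped), -1 when released.
    this.vx = msg.right ? Math.min(this.vx + 1, MAX_VX) : Math.max(this.vx - 1, 0);
    this.x += this.vx;
    if (this.finishedAtTic === null && this.x >= FINISH_X) {
      this.finishedAtTic = this.tic;           // the server decides who finished
    }
    // This reply is what the client uses to correct its displayed position.
    return { ok: true, tic: this.tic, x: this.x, vx: this.vx,
             finished: this.finishedAtTic !== null };
  }
}

// Feed a list of client messages through a fresh session; stop at the first reject.
function simulate(messages) {
  const session = new RaceSession();
  let last = null;
  for (const m of messages) {
    last = session.applyInput(m);
    if (!last.ok) break;
  }
  return { last, session };
}

// Constructed sample input: an unaltered client holding 'D' for 60 tics.
const honestRun = Array.from({ length: 60 }, (_, i) => ({ tic: i + 1, right: true }));
```

The scoreboard entry comes from session.finishedAtTic, which only the server's own simulation can set.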