Secure your Unity3D web applications

One of the uncountable advantages of Unity3D is the ease to deploy and host web applications.

The counter part of it is the ease to find and copy your web application files and host it somewhere else…

Tom Higgins from Unity, is talking about it in this “Unite 07 Dev for Web” video (shift to the 18th minute if you want to skip the general web development discussion).

So here’s a little script implementing his first recommendation. It allows you to define the authorized “contexts” (context = application absolute URL + unity3d file relative path) for your application so that no one but you will be able to host and run it. As soon as the script detects an unauthorized context, it will load the scene you specified.

You’ll find the source code below. Please comment if you spot anything unoptimized/bugged/uggly ūüôā


Download the installation package and import it in your project.


Add the SecuredWebApp component to one of your game objects.


Check this game object in the inspector tab and set its parameters according to the following instructions:

  • Hacked Scene Name:¬†specify the name of the scene you want to be displayed when an unauthorized context has been detected
  • Authorized Contexts: add the contexts you want to authorize: each context must specify:
    • Application URL: the¬†application¬†absolute URL as defined in the¬†Application.absoluteURL documentation
    • Application URL Comparison Method:¬†the method you want to use to compare your context application URL to the current application URL (default method is “Equals” and should be used in most of the cases, “StartsWith” and “EndsWith” methods should be used for web applications hosted on dynamically generated URLs)
    • Src Value: the “source value”/unity3d file relative path ¬†as defined in the¬†Application.srcValue documentation
    • Src Value Comparison Method:¬†the method you want to use to compare your context src value to the current src value (default method is “Equals” and should be used in most of the cases, “StartsWith” and “EndsWith” methods should be used for web applications hosted on dynamically generated URLs)


If you have problems making it work on your project or don’t want to code anything, download the¬†demo project¬†package (which already contains the script) and see it in action.


<br />
using UnityEngine;<br />
using System.Collections;</p>
<p>public enum ContextComparisonMethod<br />
{<br />
Equals,<br />
StartsWith,<br />
EndsWith<br />
<p>[System.Serializable]<br />
public class AuthorizedContext<br />
{<br />
public string absoluteURL;<br />
public ContextComparisonMethod absoluteURLComparisonMethod;<br />
public string srcValue;<br />
public ContextComparisonMethod srcValueComparisonMethod;<br />
<p>public class SecuredWebApp : MonoBehaviour<br />
{<br />
public string hackedSceneName = &quot;Hacked&quot;;<br />
public AuthorizedContext[] authorizedContexts;</p>
<p>void Awake()<br />
{<br />
// Skips check for editor<br />
if (Application.isEditor) return;</p>
<p>bool isAbsoluteURLMatching = false;<br />
bool isSrcValueMatching = false;<br />
foreach(AuthorizedContext authorizedContext in authorizedContexts)<br />
{<br />
// Compares absoluteURL to context<br />
switch (authorizedContext.absoluteURLComparisonMethod)<br />
{<br />
case ContextComparisonMethod.Equals:<br />
isAbsoluteURLMatching = Application.absoluteURL.Equals(authorizedContext.absoluteURL);<br />
<p>case ContextComparisonMethod.StartsWith:<br />
isAbsoluteURLMatching = Application.absoluteURL.StartsWith(authorizedContext.absoluteURL);<br />
<p>case ContextComparisonMethod.EndsWith:<br />
isAbsoluteURLMatching = Application.absoluteURL.EndsWith(authorizedContext.absoluteURL);<br />
break;<br />
<p>// Compares srcValue to context<br />
switch (authorizedContext.srcValueComparisonMethod)<br />
{<br />
case ContextComparisonMethod.Equals:<br />
isSrcValueMatching = Application.srcValue.Equals(authorizedContext.srcValue);<br />
<p>case ContextComparisonMethod.StartsWith:<br />
isSrcValueMatching = Application.srcValue.StartsWith(authorizedContext.srcValue);<br />
<p>case ContextComparisonMethod.EndsWith:<br />
isSrcValueMatching = Application.srcValue.EndsWith(authorizedContext.srcValue);<br />
break;<br />
<p>// Matching authorized context<br />
if (isAbsoluteURLMatching &amp;amp;&amp;amp; isSrcValueMatching) return;<br />
<p>// Matching none of the authorized contexts<br />
if (Application.loadedLevelName != hackedSceneName)<br />
Application.LoadLevel(hackedSceneName);<br />
}<br />
}<br />

Related posts:

Leave a Reply

Your email address will not be published. Please enter your name, email and a comment.