fullermd is exactly right about your problem. As long as you trust the client you you have a security hole. This is not unique to web games.
The issue about it coming your page is irrelevant: when it's MY browser, it is trivial for me to to inject my javascript in YOUR page (I do this routinely). What you really want to do is detect if they're running ONLY your javascript and you can't do that remotely. Heck, I'll just call your function to gimme_refos() and have the high score in no time.
I suspect that most "web games with lots of mouse clicks" don't worry about site wide high score tables for exactly this reason.
|