The password you are providing is sent as a get parameter, so no matter if you bypass the client test, the server still knows what the real password for the level is. That’s not the right way to do it, but it was a good idea. Remember you have full control over the code as it is being ran on your browser, you can see what it does, edit it, and so on.