Protecting javascript content


#1

I want to use some javascript code (via includes) in my html, but I don’t want the code accessible except via the web site itself.

Is this feasible/possible, either via a combination of .htaccess/chmod or some other manner ?

Many thanks
Miss Pixie


#2

If you’re saying you don’t want people to be able to read your JavaScript, you’re pretty much out of luck. In order for a browser to parse your JS, it has to be readable by any client. You can try using some sort of JavaScript obfuscator, but they are trivial to get around.

The answer is to not put sensitive information in JavaScript and don’t worry about it.


If you want useful replies, ask smart questions.


#3

I don’t know how much web development experience you have Miss Pixie, so that first reply may not be completely clear to you. I apologize if I’m assuming that incorrectly.

Basically, you can use .htaccess to make sure that no one can directly link to your javascript file, except by way of your website itself. For example no one could go to www.yourhost.com/js/script.js and grab a copy of your page directly, and they couldn’t hotlink it.

Here’s the problem: since the code itself is executed client-side, it eventually has to be rendered on the user’s browser for processing. Once this is done, it’s a simple matter to view and save the code using some tool, or the browser itself.

What exactly does the file do? If it contains some code that might reveal something you’d rather not, such as business logic, you might be able to hide the important parts using something like AJAX to help you out.

If you can give a little more detail, maybe we can offer some suggestions.

BC Tech
Team Shocker
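
The suggestion in the post above (keep the sensitive logic on the server and let the page ask for results via AJAX), sketched as an added example that is not part of the original thread. The pricing rules, the `/api/quote` path, the partner code and both function names are hypothetical; both halves sit in one file only so the sketch runs stand-alone, and in a deployment only `requestQuote` would be sent to the browser.

```javascript
// Server side: this part never leaves the server, so "view source" cannot show it.
// Hypothetical business rules the site owner does not want published.
const PRICING = {
  basePerUnit: 12.5,
  tiers: [ // first matching tier wins (highest minimum quantity first)
    { minQty: 100, discount: 0.20 },
    { minQty: 25, discount: 0.10 },
    { minQty: 1, discount: 0 },
  ],
  partnerCodes: { "PARTNER-EXAMPLE": 0.05 }, // constructed placeholder code
};

// Handles the body of POST /api/quote and returns { status, body }, so it can be
// wired into any HTTP framework. The input is untrusted: validate all of it.
function handleQuoteRequest(rawBody) {
  let req;
  try {
    req = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, body: { error: "invalid JSON" } };
  }
  const qty = req && req.quantity;
  if (!Number.isInteger(qty) || qty < 1 || qty > 10000) {
    return { status: 400, body: { error: "quantity must be an integer 1-10000" } };
  }
  const tier = PRICING.tiers.find((t) => qty >= t.minQty);
  const extra = typeof req.code === "string" &&
    Object.prototype.hasOwnProperty.call(PRICING.partnerCodes, req.code)
    ? PRICING.partnerCodes[req.code] : 0;
  const total = qty * PRICING.basePerUnit * (1 - tier.discount - extra);
  // Only the result is returned: no tiers, no codes, no formula.
  return { status: 200, body: { quantity: qty, total: Math.round(total * 100) / 100 } };
}

// Browser side: this is everything a visitor can read or save.
// fetchImpl is injectable so the function can be exercised without a network.
async function requestQuote(quantity, code, fetchImpl = fetch) {
  const res = await fetchImpl("/api/quote", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ quantity, code }),
  });
  if (!res.ok) throw new Error("quote request failed: " + res.status);
  return res.json();
}
```

The browser-side function exposes only the endpoint and the request shape; anything a visitor should not learn has to stay out of it, because the server cannot rely on the script being unread or unmodified.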


#4

No, there is a script that literally hides all web page content so that when you view source all you see is a blank page. Forget the name of it now but saw it for sale on eBay somewhere recently. Search eBay using the words … protect website

Hope that helps you.


#5

That’s not technically true. I believe there’s an IE bug that can be exploited to achieve this (I’ve seen phisher sites use it), but it only works in IE, and possibly only certain versions/patch levels. Generally speaking, there’s no reliable way to prevent people looking at your client-rendered code.


If you want useful replies, ask smart questions.


#6

98% of the internet uses IE, and yes IE itself is a bug :slight_smile:


#7

I would suggest that trusting people to use IE is not a reliable security model.


If you want useful replies, ask smart questions.


#8

And where did you get that ludicrous statistic?

  1. TheCounter.com
  2. Browser News
  3. W3Schools

Simon Jessey | Keystone Websites
Save $97 on yearly plans with promo code SCJESSEY97


#9

Perhaps not but then again what’s so great about any website code that she is using that warrants trying to hide it, after all taking a look at the source is the best way to learn how to code html by hand, now I know that is often seen as slow now in this age of instant website creation by so-called super duper web developers who rely on Dreamweaver, and can’t code by hand, but I have yet to see any website code that warrants being hidden even if it was totally possible, in fact switch off javascript and many sites won’t function, refuse to accept cookies and you won’t be able to login to many sites.

No Pixie you can’t hide your code for certain sorry. Hope you’re not trying to cloak a paypal return page :wink:


#10

Well I was being generous to FireFox and the other browser users actually (I prefer FireFox to IE so don’t think I’m an IE advocate).

Fact is that IE is bundled with M$ windows, another fact most people use windows, another fact I’ve never been to 1, 2 or 3 but I have used computers since 1993 for many hours daily :wink:

Lastly, I don’t care if everyone uses IE or FireFox, so long as they can see my sites and buy products.


#11

[quote]Fact is that IE is bundled with M$ windows, another fact most people use windows, another fact I’ve never been to 1, 2 or 3 but I have used computers since 1993 for many hours daily

Lastly, I don’t care if everyone uses IE or FireFox, so long as they can see my sites and buy products.[/quote]
The fact that IE is bundled with Windows does not mean that everyone always uses it, and the millions of Firefox users prove that.

You should care about what browser a customer is using, because you need to be sure that they can access your content - over 10% of your customers (and perhaps as many as 20%) do NOT use Internet Explorer; therefore, if you are serious about selling products you need to make sure your sites support these customers.

And I’ve been using computers extensively since 1980, so that “1993 brag” doesn’t count for much with me.


Simon Jessey | Keystone Websites
Save $97 on yearly plans with promo code SCJESSEY97


#12

[quote]The fact that IE is bundled with Windows does not mean that everyone always uses it, and the millions of Firefox users prove that.

You should care about what browser a customer is using, because you need to be sure that they can access your content - over 10% of your customers (and perhaps as many as 20%) do NOT use Internet Explorer; therefore, if you are serious about selling products you need to make sure your sites support these customers.

And I’ve been using computers extensively since 1980, so that “1993 brag” doesn’t count for much with me.[/quote]
Like I said… so long as people can view my sites, I don’t care what they use. That means I do check at least that my sites appear fine in IE and FireFox, for the remaining users of other browsers, well I guess I’m possibly missing out on some purchases :slight_smile:

1980… wow that’s impressive, I’m in awe. Hope you got a newer computer by now though… don’t tell, you know COBOL too, how’s the fingers…

As it goes I wasn’t bragging, neither was I being confrontational, but if you are, try it on with someone else, eh?


#13

IE7 is currently in Beta and once the final release is out, it will be automatically updated via Windows Update, which by default comes enabled on all new computers now. That means the adoption rate will be incredibly high and very quick.

The most common way of hiding code from IE6 and earlier versions was through the use of a CSS hack. I’ve done some reading on this and that hack will NOT work with IE7.

In fact, I’m quite looking forward to the release of IE7. I’ve been using it for a couple of months now and my web dev business is probably going to be quite busy when that hack breaks tons of web sites.

================================
Angela Gann
CrimsonDryad Web Design Services
Web Design, Custom Software Development
http://www.crimsondryad.com


#14

Just to add my not-really-worth-anything-because-of-inflation two cents…

There is no way to prevent a knowledgeable user from obtaining your JavaScript. It is executed in their browser, so they HAVE to be able to get it for it to work. There are ways to make it harder for them to utilize, but they generally come at the sacrifice of accessibility.

As far as IE users, they make up between 45% and 80% of the users for the various websites I work on. It’s been said a million times, but it should be said again. Design for W3 standards, adjust for IE.

At best, that could have been a bug exploit as suggested above. Regardless, there is no way to truly hide the source from the end user. In fact, Safari (and Opera now I believe) has ways of editing the source so they can play around with the cached version of your website. And trusting some script kiddie on eBay, well, as told to the preschoolers: you get what you get and you don’t throw a fit.

JavaScript “tricks” to hide source are useless, because people can disable JS (especially with the dev toolbar in FF).

How so?

Pssh, C++ was all the rage in the 80’s :wink: At least, by people in the in…

And hopefully by then it doesn’t suck as much as now. I haven’t used RC1, but B3 was absolutely terrible.

Check out Gordaen’s Knowledge, the blog, and the MR2 page.


#15

It’s worth noting that while IE7 can be installed via Windows Update, it will require user approval to do so. It will not install automatically.


If you want useful replies, ask smart questions.


#16

You’re right, the user will have to approve it. However, most users are dumb. Which means they will click yes when prompted by the automatic update to download IE7 because they’ve been trained like mice to do so.

I remember when IE6 came out, the adoption rate was pretty slow. It seems that Microsoft has learned their lesson.

Also, since the current turnover rate for computers is about 2 years and the new ones will have IE7, most will have it sooner rather than later. I’m really hoping for sooner though…it makes developing a lot easier.

================================
Angela Gann
CrimsonDryad Web Design Services
Web Design, Custom Software Development
http://www.crimsondryad.com


#17

Really? You hated B3? I ran B2 and I’m on B3 now. Haven’t had issues with either. I just checked, I don’t think RC1 is out yet.

One thing I really really wish Microsoft would do is figure out an easy way for developers to run multiple versions of IE. IE7 usually renders like Firefox. It’s still quirky sometimes, but light years better than IE6. It’s a huge pain for me to be on IE7 and then have to go into another room to check sites on IE6.

================================
Angela Gann
CrimsonDryad Web Design Services
Web Design, Custom Software Development
http://www.crimsondryad.com


#18

B3 still had a lot of issues for me. It crashed on some sites (I think intel.tw was one if my memory serves correctly). A lot of the CSS implementation is only slightly less quirky than IE6 and much of it is still the same. The implementation of HTML standards still sucks (such as with select boxes not being able to default to the enclosed value and being forced to use the value attribute). I double-checked and IE7 does have RC1 out. They claim “we heard you you wanted easier and more secure.” Obviously they didn’t hear me. I wanted compliance with standards and an emphasis on efficiency… not that I would use IE7 myself, but it would take a lot of pain out of design and the complaints that I hear.

I do agree about running multiple versions though. Most of the time I am developing, I am on an OSX box so I can check Safari and FF. I remote in to two different WinXP boxes, so I can test IE6, IE7, Opera 9, and FF there. It’s quite the pain, but necessary for big sites. Plus, I get to do a lot of testing of my own sites when no-one is looking :wink:

Check out Gordaen’s Knowledge, the blog, and the MR2 page.