Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Page 1 of 3 123 LastLast
Results 1 to 15 of 39
  1. #1
    New Coder
    Join Date
    Oct 2004
    Posts
    65
    Thanks
    0
    Thanked 0 Times in 0 Posts

    hiding javascript

    I really want to hide my javascript code such that no one can read it. I know that I should implement my code in server side language, such as PHP, if I really want to hide code. But for various reasons (primarily that my code checks the time zone of the visitor - this can only be done in javascript (or other client side language) from what I have researched. Please correct me if I am wrong) I want to use javascript.

    I have read quite a bit about hiding HTML source code and lots of people say that this is a bit of a red herring. Gold at the end of the rainbow kind of thing - it is not possible. But how about hiding the code of a javascript.js file. Is this possbile? One method that seems pretty good to me can be found at

    http://www.devpapers.com/article/52

    I would like you guys to look at this and see what weaknesses may be associated with it. Is there anyway someone could get around it to see my javascript code? Thanks guys.

    In case the moderator pulls the url - I have cut and paste the webpage here:

    Don't want your JavaScript copied? Here's a very simple script that will hide it!



    On the page where the JavaScript is placed, add:

    <?
    session_start();
    if(!session_is_registered('allow_script'))
    {
    session_register('allow_script');
    $allow_script = true;
    }
    ?>
    <html>
    <head>
    <script language="JavaScript" src="script.php"></script>
    </head>
    <body>
    Body goes here...
    </body>
    </html>


    And now create a new file called script.php and place your JavaScript there:

    <?
    session_start();
    if($allow_script)
    {
    header("Content-type: text/javascript");
    ?>

    alert("Woohoo! My JavaScript Works!");

    <?
    $allow_script = false;
    }
    ?>



    As you can see it uses a session. When you open the page where the JavaScript is placed it creates a session which allows the JavaScript to be viewed. But if you open script.php by its self, no session is created!

    Try opening script.php in your browser window and you'll notice you can't view the code!

  • #2
    Supreme Master coder! glenngv's Avatar
    Join Date
    Jun 2002
    Location
    Philippines
    Posts
    11,068
    Thanks
    0
    Thanked 256 Times in 252 Posts
    Glenn
    ____________________________________

    My Blog
    Tower of Hanoi Android app (FREE!)
    Tower of Hanoi Leaderboard
    Samegame Facebook App
    vBulletin Plugins
    ____________________________________

  • #3
    Kor
    Kor is offline
    Red Devil Mod Kor's Avatar
    Join Date
    Apr 2003
    Location
    Bucharest, ROMANIA
    Posts
    8,478
    Thanks
    58
    Thanked 379 Times in 375 Posts
    src="url" will always copy that file at url address (as well as the whole HTML page and all the src files) into the browser's cache folder, where it can be open with notepad...

    This is why people are still seeking for the perpetum mobile

    Nice link glenngv
    KOR
    Offshore programming
    -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

  • #4
    Senior Coder
    Join Date
    Feb 2004
    Location
    Edinburgh
    Posts
    1,352
    Thanks
    0
    Thanked 0 Times in 0 Posts
    rhodopsin: don't listen to them. you can hide your JS. use this tag and your clothes will be whiter than white:

    Code:
    <script hide="true" src="url.js"/>
    *keep it simple (TM)

  • #5
    Senior Coder
    Join Date
    Jun 2002
    Location
    Wichita
    Posts
    3,880
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by rhodopsin
    Try opening script.php in your browser window and you'll notice you can't view the code!
    Don't have to open script.php, the tools in the Firefox browser allow me to look at that code straight from the page where it's already loaded.

    The guy who came up with this idea has less than half an understanding of how browsers work and from the comments on that site others don't think too much about his PHP coding skills either. About the only thing he's got going for him is a good last name .
    Check out the Forum Search. It's the short path to getting great results from this forum.

  • #6
    New Coder
    Join Date
    Oct 2004
    Posts
    65
    Thanks
    0
    Thanked 0 Times in 0 Posts

    more

    Hi guys, thanks for all your posts. This thread seems to be going a storm.

    As far as the cache thing - I have been working on this and recken that adding an HTTP header to the .php file can stop this being cached. Will go some way to helping the security of our javascript code.

    Header

    <?php
    header("Cache-Control: no-store, no-cache");

    The firefox thing - can you please take me through this in a bit more detail. I would really like to know how to crack this defence - just so I can use it whilst fully understanding its weaknessses.

    By the way - if you guys know of a better way of protecting javascript then please let me know - i would be very, very grateful. I really want to protect my code - unfortunatley it has to be javascript so there is always going to be a limit to how secure it can be.

  • #7
    New Coder
    Join Date
    Oct 2004
    Posts
    65
    Thanks
    0
    Thanked 0 Times in 0 Posts

    more 2

    jbot - just to clarify

    <script hide="true" src="url.js"/>

    hide="true" - does this code act to stop "url.js" being saved in the browser cache?

    Thanks mate.

  • #8
    New Coder
    Join Date
    Oct 2004
    Posts
    65
    Thanks
    0
    Thanked 0 Times in 0 Posts

    fv

    soz,

    i forgot to say that i did follow up the url

    http://www.vortex-webdesign.com/help/hidesource.htm

    but that this method of hiding javascript did seem to stand up to the methods of uncovering code detailed on that web page. I may be wrong as i did skim a bit through some of the methods - but am fairly sure that these cannot crack this

    Would be great if someone could come up with a method of cracking this. Would also appreciate peoples ideas on other methods of protecting javascript.

  • #9
    Senior Coder
    Join Date
    Jun 2002
    Location
    Wichita
    Posts
    3,880
    Thanks
    0
    Thanked 0 Times in 0 Posts
    This is a topic much discussed before on this forum and the bottom line has never changed.

    The bottom line is that there is absolutely no way to protect or completely hide your javascript code from an end user, the best you can do is to make it harder.

    jbot's post was sarcasm, sorry you didn't catch that. There is no "hide=true" property you can set.

    Cache controls aren't going to hide your code either and definitely don't waste you money trying to buy one of the "snake oil" solutions you'll find offered by some of the lower life denizens of the internet, they'll just take your money.

    In Firefox: Tools > Javascript Debugger. That'll bring up the javascript debugger and with it I can look at any javascript on the page, including the one your original post claims to hide.
    Last edited by Roy Sinclair; 11-12-2004 at 05:27 PM.
    Check out the Forum Search. It's the short path to getting great results from this forum.

  • #10
    Kor
    Kor is offline
    Red Devil Mod Kor's Avatar
    Join Date
    Apr 2003
    Location
    Bucharest, ROMANIA
    Posts
    8,478
    Thanks
    58
    Thanked 379 Times in 375 Posts
    here's another way to avoid your "hidding" method. Save the HTML page, remove the php instructions, launch locally or on your server, and this is it.
    KOR
    Offshore programming
    -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

  • #11
    Senior Coder
    Join Date
    Feb 2004
    Location
    Edinburgh
    Posts
    1,352
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by rhodopsin
    jbot - just to clarify

    <script hide="true" src="url.js"/>

    hide="true" - does this code act to stop "url.js" being saved in the browser cache?
    that's coz you need to update your browser to Foxcub 1.1

    you also need to add this to the start of each page:

    PHP Code:
    <?xml-stylesheet href="chrome://caffeine/too/much.of.css” type="text/css"?>
    <window xmlns="
    http://www.mozilla.org/keymaster/gatekeeper/ this.is.pure.wishful.thinking.xul”
    xmlns:nc="http://home.nowhere.com/">
    <sarcasm intention="true">this post and the last one</sarcasm>
    *keep it simple (TM)

  • #12
    Senior Coder
    Join Date
    Feb 2004
    Location
    Edinburgh
    Posts
    1,352
    Thanks
    0
    Thanked 0 Times in 0 Posts
    rhodo: give up there really is nothing you can do. we're not keeping anything from you. just leave it alone.
    *keep it simple (TM)

  • #13
    New Coder
    Join Date
    Oct 2004
    Posts
    65
    Thanks
    0
    Thanked 0 Times in 0 Posts

    kjuih

    thanks guys - i will let it go now - this thread has been very useful for me. I realise the futility of it ultimately - it is just a Q of slowing rather than stopping. I am still going to use this - as something of a detterent. I have to use javascript for this and so will always be vulnerable.

    At the danger of enraging you guys further - can I ask what in your opinion is the best source code obfusication script out there? I realise the limits of these and would never pay for one. But it will slow down the majority of people looking into my code. U guys are experts and so can easily see past these things - most guys out there that may start snooping around wont see it through - to go through all the time surfing the web tryinfg to get around these things. I am thinking of obfusicating my source code and then using the script discussed in this thread to "hide" my javascript .js file. Two weak methods of protection - together making a slightly less weak wall of protection. But protection nonetheless.

    Thinking of going with this one at the moment:

    http://www.ezine-writer.com/hidesource.html

    I hope that this one of the better ones out there.

    P.S Pretty funny. Yep the sarcasm went straight past me. Didn;t twig it at all.

    P>S Would obfusication of my source code (including the text presented on the web page) - would this affect google searching my site and my google ranking??

  • #14
    Senior Coder
    Join Date
    Jun 2002
    Location
    Wichita
    Posts
    3,880
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I think that obscufating the text on your web page would definitely drop your Google rating since you'd have to use Javascript to fix it and Google's bots aren't going to run your javascript.

    To make your code ugly enough that no one would want to copy it you just need to remove all the CRLF characters (make it all one line) and then replace all the meaningful variable and function names with short random nonmeaningful names. To be honest though, unless you're a true wizard of Javascript I doubt your code would have much appeal to me in the first place, I've seen a lot of pretty crummy code that people wanted to protect (even code they copied from somewhere else themselves as incredible as that sounds). Unless your code is really something special it probably doesn't need protection.
    Check out the Forum Search. It's the short path to getting great results from this forum.

  • #15
    New Coder
    Join Date
    Nov 2004
    Posts
    12
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Unless your code is really something special it probably doesn't need protection.
    But for various reasons (primarily that my code checks the time zone of the visitor - this can only be done in javascript (or other client side language) from what I have researched.
    ttttt

    Why not get the time, and then send it back to a php script?
    Last edited by 7stud; 11-12-2004 at 09:01 PM.


  •  
    Page 1 of 3 123 LastLast

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •