  1. #1
    SitePoint Evangelist SpaceFrog

    external js file protection ...

    I was wondering if I could not put a little protection on my .js files by adding a couple of lines to start the file
    Something like a try catch

    I'm thinking of try top.location or try document.body

    just to avoid being able to put the path to the file directly in the address bar ...
    is that feasible ?
    Although I know it is not a good protection I would like to know where I stand ...

  2. #2
    He's No Good To Me Dead stymiee
    Shouldn't work because the javascript is not executing when being viewed in the browser window.

  3. #3
    SitePoint Evangelist SpaceFrog
    shoot ...
    isn't there some kind of jscript or other language that would be executed by the browser that could be inserted with hiding tags at top of file ?
    or with .htaccess something like :
    RewriteCond %{HTTP_REFERER} !^http://www.votredomaine.net/.*$ [NC]

  4. #4
    He's No Good To Me Dead stymiee
    I'm pretty sure the web server just sends the file as plain text so it is never executed. The web browser only executes it when called in the context of the webpage. An apache solution might be available but I'm not sure how it can tell a file is being called without being in a webpage. Not sure it can.

    I think there are javascript obfuscators out there but it is pointless really. You can't effectively hide your javascript nor should you have reason to do so. If you have sensitive data you want to protect it shouldn't be in your javascript in the first place.

  5. #5
    SitePoint Evangelist SpaceFrog
    I'm not looking for any kind of obfuscators as they are as you say pointless...
    I agree that sensitive data should not be in javascript but I really don't feel like implementing a nuclear power plant for a single piece of information I need to hide ...

  6. #6
    He's No Good To Me Dead stymiee
    Never try to hide anything on the client side. It's asking for trouble.

  7. #7
    SitePoint Addict Trent Reimer
    I guess first we need to know what the goal is?

    For example, if this is about restricting code to folks who have logged in to a web application you could protect your scripts with your login mechanism. For example, if you use your server's authentication (e.g. HTTP authentication over SSL) you could have your scripts sitting in protected directories as well. If you use a programming platform like PHP to handle your logins you could put your javascript code in PHP files which first perform authentication checks before sending the javascript. That way your tags would look something like:

    Code:
    <script language="javascript" src="js.php"></script>

  8. #8
    SitePoint Addict NikoB
    it's still not possible to hide javascript from the user if you want it to run, because the web browser has to download the .js file before it can start running the javascript - because of this you have to make it accessible. If you use apache tricks to not allow direct linking, it still can't prevent anyone from
    1.) faking the referer (if you check for that with apache)
    or easier
    2.) just looking at the browser cache or letting plugins like the webdev extension display the already loaded js code

    you could use obfuscating, but that's it basically. Even if you encrypt your javascript, you have to have some decrypting method in it - which can then be used to display the whole code in clear text (alert/document.write in textarea/etc.)
    Corinis OpenSource Community & Content Management
    http://www.corinis.org

  9. #9
    SitePoint Evangelist SpaceFrog
    I thought it was going to be tricky...
    But now it seems impossible !

    Thanks for your ideas ...

  10. #10
    SitePoint Enthusiast
    Look into the JavaScript Packer. It does a pretty good job obfuscating the code.

  11. #11
    SitePoint Wizard
    I had to do something like this once for images, but it would work the same for any type of file

    it won't absolutely guarantee they can't get the file, but it will make it hard for most people.

    it basically allows the external file to be requested from your server only 1 time, for each 1 time they request the main page. since the browser will load the external link each time you load the main page, it will make address bar copy/pasting not work.

    it requires using php sessions.

    when you output the page that has the link to the external file, you set a session variable with a random value, and attach it to the js link

    PHP Code:

    <?php
    session_start();
    // Store the value as a string: protect.php compares it with !== against
    // $_GET['js_val'], which is always a string, so an int here would never match.
    $_SESSION['js_val'] = (string) rand(1, 10000);
    ?>

    <script src="protect.php?js_val=<?php echo $_SESSION['js_val']; ?>"></script>

    then in protect.php
    PHP Code:

    <?php
    session_start();
    // No value in the request, or none issued for this session: send nothing
    if (empty($_GET['js_val'])) {
        exit;
    }
    if (empty($_SESSION['js_val'])) {
        exit;
    }
    if ($_SESSION['js_val'] !== $_GET['js_val']) {
        exit;
    } else {
        // they sent a valid js_val, so now we must delete it since it has been consumed
        $_SESSION['js_val'] = null;
    }

    header('Content-Type: application/x-javascript');
    ?>

    js code here.....

    a screen scraper would easily get around this method though.
    also any browser that will show you the js code would make any attempt futile.
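
Added example (not part of the thread and not any poster's code): an in-memory Node.js model of the single-use `js_val` scheme from post #11, written in JavaScript instead of PHP so it runs without a web server. The session object, the function names and the `Cache-Control: no-store` header are assumptions of this example, and the token comes from a CSPRNG rather than `rand(1,10000)`.

```javascript
// Added illustration: models the page render and protect.php from post #11.
const nodeCrypto = require('node:crypto');

// Hypothetical stand-in for PHP's $_SESSION: one object per browser session.
function newSession() {
  return { jsVal: null };
}

// Page render: mint an unpredictable token, store it, embed it in the script URL.
function renderPage(session) {
  session.jsVal = nodeCrypto.randomBytes(16).toString('hex');
  return `<script src="protect.php?js_val=${session.jsVal}"></script>`;
}

// protect.php equivalent: serve the script only for the stored token, then consume it.
function serveScript(session, jsVal) {
  const expected = session.jsVal;
  if (typeof jsVal !== 'string' || typeof expected !== 'string') {
    return { status: 403, body: '' };
  }
  const a = Buffer.from(jsVal);
  const b = Buffer.from(expected);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (a.length !== b.length || !nodeCrypto.timingSafeEqual(a, b)) {
    return { status: 403, body: '' };
  }
  session.jsVal = null; // consumed: the same URL will not work a second time
  return {
    status: 200,
    // no-store is an addition of this example, aimed at the cache copy.
    headers: { 'Content-Type': 'application/javascript', 'Cache-Control': 'no-store' },
    body: '/* js code here */',
  };
}

// Read the token back out of the rendered tag, as any client that got the page can.
function tokenFromPage(html) {
  const m = /js_val=([0-9a-f]+)/.exec(html);
  return m ? m[1] : null;
}

// Constructed walk-through of the cases the thread discusses.
function demo() {
  const s = newSession();
  const tok = tokenFromPage(renderPage(s));
  const first = serveScript(s, tok).status;    // browser loading the page
  const replay = serveScript(s, tok).status;   // same URL pasted into the address bar
  const guess = serveScript(s, '1234').status; // request without a valid token
  const again = serveScript(s, tokenFromPage(renderPage(s))).status; // page + script in one session
  return { first, replay, guess, again };
}
```

`demo()` returns 200 for the first fetch, 403 for the replay and the guess, and 200 again for any client that requests the page and then the script in the same session, which is the limit the post itself points out.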

  12. #12
    SitePoint Enthusiast
    Quote Originally Posted by clamcrusher
    also any browser that will show you the js code would make any attempt futile.
    In my testing I found that Firefox's Web developer extension actually retrieves the file again from the server. A script like that would work against this.
    There is still the thing about it being in the cache/temporary internet files.

