nebie - keeping javascript code away from prying eyes

Is it possible to 'hide' javascript from a user. I am thinking of
putting some fairly proprietary logic client side (to release burden on
server) - but I dont want to make the source freely available to every
Tom, Dick and Harry. any suggestions?

re: nebie - keeping javascript code away from prying eyes

Dave Schwimmer wrote:[color=blue]
> Is it possible to 'hide' javascript from a user. I am thinking of
> putting some fairly proprietary logic client side (to release burden on
> server) - but I dont want to make the source freely available to every
> Tom, Dick and Harry. any suggestions?
>[/color]
The only thing you can do is make it obscure.

--
Ian Collins.

re: nebie - keeping javascript code away from prying eyes

"Dave Schwimmer" <dschwim@nospam.com> wrote in message
news:dt5vgk$kkr$1@nwrdmz02.dmz.ncs.ea.ibs-infra.bt.com...[color=blue]
> Is it possible to 'hide' javascript from a user. I am thinking of putting
> some fairly proprietary logic client side (to release burden on server) -
> but I dont want to make the source freely available to every Tom, Dick and
> Harry. any suggestions?[/color]

The short answer is....it can't be done.

re: nebie - keeping javascript code away from prying eyes

Jim wrote:
[color=blue]
> "Dave Schwimmer" <dschwim@nospam.com> wrote in message
> news:dt5vgk$kkr$1@nwrdmz02.dmz.ncs.ea.ibs-infra.bt.com...
>[color=green]
>>Is it possible to 'hide' javascript from a user. I am thinking of putting
>>some fairly proprietary logic client side (to release burden on server) -
>>but I dont want to make the source freely available to every Tom, Dick and
>>Harry. any suggestions?[/color]
>
>
> The short answer is....it can't be done.
>
>
>[/color]

Ok. precise and to the point. Thats good. But theres always a way though
(or is there?). What if I have my libraries in *.js files on the server
in a location that the user does not have permissions to (I will
ofcourse need something server side to load the files - which defeats
the purpose of client side processing, so I shot myself in the foot
already).

Does anyone know how to get around this?.

re: nebie - keeping javascript code away from prying eyes

Dave Schwimmer wrote:[color=blue]
> Jim wrote:
>[color=green]
> > "Dave Schwimmer" <dschwim@nospam.com> wrote in message
> > news:dt5vgk$kkr$1@nwrdmz02.dmz.ncs.ea.ibs-infra.bt.com...
> >[color=darkred]
> >>Is it possible to 'hide' javascript from a user. I am thinking of putting
> >>some fairly proprietary logic client side (to release burden on server) -
> >>but I dont want to make the source freely available to every Tom, Dick and
> >>Harry. any suggestions?[/color]
> >
> >
> > The short answer is....it can't be done.
> >
> >
> >[/color]
>
> Ok. precise and to the point. Thats good. But theres always a way though
> (or is there?). What if I have my libraries in *.js files on the server
> in a location that the user does not have permissions to (I will
> ofcourse need something server side to load the files - which defeats
> the purpose of client side processing, so I shot myself in the foot
> already).
>
> Does anyone know how to get around this?.[/color]

You can't have your cake and eat it, too :) What you're basically
asking for is the ability to have the client (which is out of your
control, nonetheless) read, parse, and execute some code -- without
reading that same code.

But, honestly, if your code is that proprietary and sensitive you
shouldn't even consider have some (unknown) client run it for you.

re: nebie - keeping javascript code away from prying eyes

Dave Schwimmer wrote:[color=blue]
> Is it possible to 'hide' javascript from a user. I am thinking of
> putting some fairly proprietary logic client side (to release burden on
> server) - but I dont want to make the source freely available to every
> Tom, Dick and Harry. any suggestions?[/color]

You can only make the script difficult to obtain. This may be enough to
keep Tom, Dick, and Harry away, but not many users of this group :-).

You will find a tool at
http://www.dynamicdrive.com/dynamicindex9/encrypter.htm that has been
around for ages and that will make the script difficult to read.
However, even if a viewer does not know about this site, a person who
knows javascript well will see what has been done and likely can write
a little program to decode it quite rapidly.

re: nebie - keeping javascript code away from prying eyes

Dave Schwimmer wrote:[color=blue][color=green]
>> The short answer is....it can't be done.
>>
>>
>>[/color]
>
> Ok. precise and to the point. Thats good. But theres always a way though
> (or is there?). What if I have my libraries in *.js files on the server
> in a location that the user does not have permissions to (I will
> ofcourse need something server side to load the files - which defeats
> the purpose of client side processing, so I shot myself in the foot
> already).
>
> Does anyone know how to get around this?.
>[/color]
Live with it, everything the UA executes has to be downloaded. You
could obscure the algorithm by doing pars of it server side I guess.

--
Ian Collins.

re: nebie - keeping javascript code away from prying eyes

On Sat, 18 Feb 2006 06:10:12 +0200, Dave Schwimmer <dschwim@nospam.com>
wrote:
[color=blue]
> Ok. precise and to the point. Thats good. But theres always a way though
> (or is there?). What if I have my libraries in *.js files on the server
> in a location that the user does not have permissions to (I will
> ofcourse need something server side to load the files - which defeats
> the purpose of client side processing, so I shot myself in the foot
> already).
>
> Does anyone know how to get around this?.[/color]

In my projects I use AJAX-like connections through IFRAME, which loads JS
from the server (generated
on the fly), and then executes it via eval(). If I instruct a browser not
to cache this loaded page (with
no-cache header), it might be possible to hide JS source.

Vladas
ProData Ltd.

re: nebie - keeping javascript code away from prying eyes

Vladas Saulis wrote:[color=blue]
> Dave Schwimmer wrote:[color=green]
>> Ok. precise and to the point. Thats good. But theres
>> always a way though (or is there?).[/color][/color]

Sometimes no means 'no, not ever' .
[color=blue][color=green]
>> What if I have my
>> libraries in *.js files on the server in a location that
>> the user does not have permissions to (I will ofcourse
>> need something server side to load the files - which
>> defeats the purpose of client side processing, so I shot
>> myself in the foot already).
>>
>> Does anyone know how to get around this?.[/color]
>
> In my projects I use AJAX-like connections through IFRAME,
> which loads JS from the server (generated on the fly), and
> then executes it via eval(). If I instruct a browser
> not to cache this loaded page (with no-cache header), it
> might be possible to hide JS source.[/color]

Web browsers often treat 'instructions' not to cache a resource as an
instruction not to hang on to a copy of that resource once they have
closed down. If you look in the cache while the site is still in the
browser all the downloaded resources (irrespective of protocol or
headers) are likely to be available (and you only need to know one
browser where that is true to get around any number of browsers that may
act in a manner that is more friendly to the prospective code hider).

And that is assuming the site is not using plain HTTP and the
prospective student of the code is not just recording all the incoming
HTTP traffic to disc.

The whole 'code hiding' notion is a dead loss; the only people against
whom it is effective are the people who would have no use for what they
found (most of whom do not know enough to even look for the code). As
soon as you are trying to defeat people with even an intermediate
understanding of javascript and web technologies the client-side code is
wide open to examination.

Richard.

re: nebie - keeping javascript code away from prying eyes

Dave Schwimmer wrote:[color=blue]
> Is it possible to 'hide' javascript from a user. I am thinking of
> putting some fairly proprietary logic client side (to release burden on
> server) - but I dont want to make the source freely available to every
> Tom, Dick and Harry. any suggestions?[/color]

Unless a server is badly overloaded, many serverside scripts, such as
php, take very little space and time to operate. Thus I would strongly
suggest writing as much of your code as possible in php. In general,
you can do most things with php that you can do with javascript,
provided that some operation, perhaps selecting a color, is not
required after download. However you can also use just enough
javascript to do the things that can not be done with php in this case.

If the server resources really are a problem, you could write most of
the code in javascript. However you could use php on the server for
just enough code to make it difficult to impossible to tell everything
that is being done. Javascript and php mix and match very well in many
cases. However, if use of pure php and no javascript is possible, your
code will not only be hidden, but your page will also work on the small
number of browsers that have javascript turned off.

re: nebie - keeping javascript code away from prying eyes

Dave Schwimmer said the following on 2/17/2006 11:10 PM:[color=blue]
>
>
> Jim wrote:
>[color=green]
>> "Dave Schwimmer" <dschwim@nospam.com> wrote in message
>> news:dt5vgk$kkr$1@nwrdmz02.dmz.ncs.ea.ibs-infra.bt.com...
>>[color=darkred]
>>> Is it possible to 'hide' javascript from a user. I am thinking of
>>> putting some fairly proprietary logic client side (to release burden
>>> on server) - but I dont want to make the source freely available to
>>> every Tom, Dick and Harry. any suggestions?[/color]
>>
>>
>> The short answer is....it can't be done.
>>
>>
>>[/color]
>
> Ok. precise and to the point. Thats good. But theres always a way though
> (or is there?). What if I have my libraries in *.js files on the server
> in a location that the user does not have permissions to (I will
> ofcourse need something server side to load the files - which defeats
> the purpose of client side processing, so I shot myself in the foot
> already).
>
> Does anyone know how to get around this?.
>[/color]

Open the site.
File>Save As
Save the site.

Now, I have the files.

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

re: nebie - keeping javascript code away from prying eyes

Dave Schwimmer <dschwim@nospam.com> wrote:
[color=blue]
>Ok. precise and to the point. Thats good. But theres always a way though
>(or is there?). What if I have my libraries in *.js files on the server
>in a location that the user does not have permissions to (I will
>ofcourse need something server side to load the files - which defeats
>the purpose of client side processing, so I shot myself in the foot
>already).[/color]

You said it. You're talking about code that will be executed on the
client. The client can't execute it if it can't get it. Once the
client gets the code, you no longer have control over it, the client
can display it, save it, parse it, whatever. You have no idea what's
being done and absolutely no control over it.

So: if you really, really, need to keep this stuff secret, then keep
it on the server. Server-side processing cannot be seen by the client,
and you have total control over it.

--
Tim Slattery
Slattery_T@bls.gov

re: nebie - keeping javascript code away from prying eyes

Vladas Saulis wrote:

[snip][color=blue]
> In my projects I use AJAX-like connections through IFRAME, which loads JS
> from the server (generated
> on the fly), and then executes it via eval(). If I instruct a browser not
> to cache this loaded page (with
> no-cache header), it might be possible to hide JS source.[/color]
[/snip]

One simple attack to start with is to use the HTTPRequest object with
the URL of your JavaScript producing server page. You can then access
the results through the responseText property.

Regards

Julian

re: nebie - keeping javascript code away from prying eyes

If it was possible to hide the code your computer would have already
been taken over by some script kiddie.

Ken Girard