Hide Java Script

Hi kpg,

If the browser can read it, so can you. So can anyone. It is not possible.

Hey, it's just JavaScript. Nothing worth protecting.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.

"kpg" <ip***@thereforeiam.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

Hello all,

I have an asp.net web application with tons of Java script files.

I would like to protect the Java Script somehow so it can't be
seen by a remote user.

I found several 3rd party solutions, but I thought I remember that
there was a way to 'compile' java script and use that instead of
the actual script?

The problem I have with 3rd party solutions is two-fold:

1) I'm cheap

2) I'm going to install the app on a customer's server for use by
their customers. I don't want them (my customer) or their customers
to have access to the java script files.

I think a 3rd party solution would work fine for me on my server, but I
can't really give the customer the app and the 3rd party protection thingy
and say: install this so you can't see my code (because they might not!).

Anyway, I'm open to any solution.

Thanks
kpg

You're thinking of the Windows Script Encoder
http://www.microsoft.com/downloads/d...displaylang=en

It doesn't encrypt the javascript, but it will "keep honest people honest"
if such a thing can be said.

"kpg" wrote:

Hello all,

I have an asp.net web application with tons of Java script files.

I would like to protect the Java Script somehow so it can't be
seen by a remote user.

I found several 3rd party solutions, but I thought I remember that
there was a way to 'compile' java script and use that instead of
the actual script?

The problem I have with 3rd party solutions is two-fold:

1) I'm cheap

2) I'm going to install the app on a customer's server for use by
their customers. I don't want them (my customer) or their customers
to have access to the java script files.

I think a 3rd party solution would work fine for me on my server, but I
can't really give the customer the app and the 3rd party protection thingy
and say: install this so you can't see my code (because they might not!).

Anyway, I'm open to any solution.

Thanks
kpg

you cant stop anyone whos determined however if you use a frameset you can
put all of your code into the _top object they'll have a jolly hard time
getting to it
"kpg" <ip***@thereforeiam.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

Hello all,

I have an asp.net web application with tons of Java script files.

I would like to protect the Java Script somehow so it can't be
seen by a remote user.

I found several 3rd party solutions, but I thought I remember that
there was a way to 'compile' java script and use that instead of
the actual script?

The problem I have with 3rd party solutions is two-fold:

1) I'm cheap

2) I'm going to install the app on a customer's server for use by
their customers. I don't want them (my customer) or their customers
to have access to the java script files.

I think a 3rd party solution would work fine for me on my server, but I
can't really give the customer the app and the 3rd party protection thingy
and say: install this so you can't see my code (because they might not!).

Anyway, I'm open to any solution.

Thanks
kpg

"Josh" <s@a.com> wrote in message
news:Oh**************@TK2MSFTNGP14.phx.gbl...

you cant stop anyone whos determined however if you use a frameset you can
put all of your code into the _top object they'll have a jolly hard time
getting to it

Right-click the frame and go to view-source to view a specific frame. To
view the top frame, goto View->Source on the file menu to see it...if it's
disabled, use Mozilla.

Point is, there is always a way to view the source :)

Mythran

First of all, you're not crazy. Back in the day, I did some development for
the Netscape Enterprise Server. It used "Compiled" javascript and came with
it's own compiler.

Now, I'm not as closed minded as some of the others here, so, I'm betting
there's a way to approach this. You know you can set your javascript source
to a file right? So, what's to prevent us from making that file and aspx
file that sends content to the browser? Just make sure you set the content
type before you output it. Next, I would think about how we can prevent the
aspx file from being rendered by itself. You know, make sure it outputs
nothing if you typed it directly into the url. Should be easy enough to
accomplish.

Perhaps that's a good idea for my next project at home.

Dave

"kpg" <ip***@thereforeiam.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

Hello all,

I have an asp.net web application with tons of Java script files.

I would like to protect the Java Script somehow so it can't be
seen by a remote user.

I found several 3rd party solutions, but I thought I remember that
there was a way to 'compile' java script and use that instead of
the actual script?

The problem I have with 3rd party solutions is two-fold:

1) I'm cheap

2) I'm going to install the app on a customer's server for use by
their customers. I don't want them (my customer) or their customers
to have access to the java script files.

I think a 3rd party solution would work fine for me on my server, but I
can't really give the customer the app and the 3rd party protection thingy
and say: install this so you can't see my code (because they might not!).

Anyway, I'm open to any solution.

Thanks
kpg

That's interesting! I posted a reply, but when I went to check on it, my
reader stated that the message was no longer on the server. Then, I
reloaded the headers and the message was gone alltogether. Anyway, here it
is again.

1) Compiled javascript is something that Netscape used in it's Enterprise
Servers. It came with it's own compiler and, from what I remember, was
pretty cool to use.

2) I'm not a quick to dismiss this option as some of my counterparts seem to
be. Why won't this work? First, you know you can keep you javascript in a
js file and reference it remotely right? Now just thinking off the top of
my head, here's two possibilities.
a) using encryption, encrypt the source file and have your page decrypt it
when you pull it up. Would be some overhead involved in this, but it will
work.

b) Instead of linking to a .js file, link to a .aspx file that sends your js
source to the output buffer. Just make sure you set the content type. Then
I would look for a way to make sure that the page renders nothing when you
pull it up in the browser.

In other words, there always a way.

Sounds like an interesting project to work on in my spare time at home.

Dave

"kpg" <ip***@thereforeiam.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

Hello all,

I have an asp.net web application with tons of Java script files.

I would like to protect the Java Script somehow so it can't be
seen by a remote user.

I found several 3rd party solutions, but I thought I remember that
there was a way to 'compile' java script and use that instead of
the actual script?

The problem I have with 3rd party solutions is two-fold:

1) I'm cheap

2) I'm going to install the app on a customer's server for use by
their customers. I don't want them (my customer) or their customers
to have access to the java script files.

I think a 3rd party solution would work fine for me on my server, but I
can't really give the customer the app and the 3rd party protection thingy
and say: install this so you can't see my code (because they might not!).

Anyway, I'm open to any solution.

Thanks
kpg

Well I got both your messages!

Thanks for the input. You gave me something to think about.

--
kpg

Do honest people NEED to be kept honest?

Do well people need a doctor?

Does a PHD need a high school education?

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.

"Brad Quinn" <Br*******@discussions.microsoft.com> wrote in message
news:9D**********************************@microsof t.com...

You're thinking of the Windows Script Encoder.
http://www.microsoft.com/downloads/d...displaylang=en

It doesn't encrypt the javascript, but it will "keep honest people honest"
if such a thing can be said.

"kpg" wrote:

Hello all,

I have an asp.net web application with tons of Java script files.

I would like to protect the Java Script somehow so it can't be
seen by a remote user.

I found several 3rd party solutions, but I thought I remember that
there was a way to 'compile' java script and use that instead of
the actual script?

The problem I have with 3rd party solutions is two-fold:

1) I'm cheap

2) I'm going to install the app on a customer's server for use by
their customers. I don't want them (my customer) or their customers
to have access to the java script files.

I think a 3rd party solution would work fine for me on my server, but I
can't really give the customer the app and the 3rd party protection
thingy
and say: install this so you can't see my code (because they might not!).

Anyway, I'm open to any solution.

Thanks
kpg

> Now, I'm not as closed minded as some of the others here

Anyone who is open-minded about what they do know knows nothing. For
example, solve the following arithmentic problem:

1 + 2 = ?

Now, when I was 3 years old I was entitled to be open-minded about the
answer to that question. If I were open-minded about it now, I would be a
fool.

IOW, just because you don't know something doesn't make your open-mindedness
a virtue.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.

"David Young" <RE******************@yahoo.com> wrote in message
news:Og**************@TK2MSFTNGP15.phx.gbl...

First of all, you're not crazy. Back in the day, I did some development
for
the Netscape Enterprise Server. It used "Compiled" javascript and came
with
it's own compiler.

Now, I'm not as closed minded as some of the others here, so, I'm betting
there's a way to approach this. You know you can set your javascript
source
to a file right? So, what's to prevent us from making that file and aspx
file that sends content to the browser? Just make sure you set the
content
type before you output it. Next, I would think about how we can prevent
the
aspx file from being rendered by itself. You know, make sure it outputs
nothing if you typed it directly into the url. Should be easy enough to
accomplish.

Perhaps that's a good idea for my next project at home.

Dave

"kpg" <ip***@thereforeiam.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

Hello all,

I have an asp.net web application with tons of Java script files.

I would like to protect the Java Script somehow so it can't be
seen by a remote user.

I found several 3rd party solutions, but I thought I remember that
there was a way to 'compile' java script and use that instead of
the actual script?

The problem I have with 3rd party solutions is two-fold:

1) I'm cheap

2) I'm going to install the app on a customer's server for use by
their customers. I don't want them (my customer) or their customers
to have access to the java script files.

I think a 3rd party solution would work fine for me on my server, but I
can't really give the customer the app and the 3rd party protection
thingy
and say: install this so you can't see my code (because they might not!).

Anyway, I'm open to any solution.

Thanks
kpg

> Do honest people NEED to be kept honest?
Yes.

Do well people need a doctor? Only if you have an HMO.
Does a PHD need a high school education?

From schools today? Probably No.

Does my Java Script NEED protecting?
No. But my boss wants it protected.

Am I going to tell him it can't be done?
I haven't decided on that yet.

kpg

I shudder to think what this world would be like if we all had the same
opinion as you did.

Keeping an open mind is what gives birth to invention and discovery. I
doesn't matter what you know or know not, all that matters is that there are
people out there who look at a problem and say. You know, I bet there's a
way to get around that. You go ahead and say it can't be done while I find
a way to do it. And as for the why? Because I Can!

So, you continue to be closed minded and I'll continue to be an open-minded
"fool".

cheers.

"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:%2****************@TK2MSFTNGP15.phx.gbl...

Now, I'm not as closed minded as some of the others here
Anyone who is open-minded about what they do know knows nothing. For
example, solve the following arithmentic problem:

1 + 2 = ?

Now, when I was 3 years old I was entitled to be open-minded about the
answer to that question. If I were open-minded about it now, I would be a
fool.

IOW, just because you don't know something doesn't make your

open-mindedness a virtue.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.

"David Young" <RE******************@yahoo.com> wrote in message
news:Og**************@TK2MSFTNGP15.phx.gbl...

First of all, you're not crazy. Back in the day, I did some development
for
the Netscape Enterprise Server. It used "Compiled" javascript and came
with
it's own compiler.

Now, I'm not as closed minded as some of the others here, so, I'm betting there's a way to approach this. You know you can set your javascript
source
to a file right? So, what's to prevent us from making that file and aspx file that sends content to the browser? Just make sure you set the
content
type before you output it. Next, I would think about how we can prevent
the
aspx file from being rendered by itself. You know, make sure it outputs
nothing if you typed it directly into the url. Should be easy enough to
accomplish.

Perhaps that's a good idea for my next project at home.

Dave

"kpg" <ip***@thereforeiam.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

Hello all,

I have an asp.net web application with tons of Java script files.

I would like to protect the Java Script somehow so it can't be
seen by a remote user.

I found several 3rd party solutions, but I thought I remember that
there was a way to 'compile' java script and use that instead of
the actual script?

The problem I have with 3rd party solutions is two-fold:

1) I'm cheap

2) I'm going to install the app on a customer's server for use by
their customers. I don't want them (my customer) or their customers
to have access to the java script files.

I think a 3rd party solution would work fine for me on my server, but I
can't really give the customer the app and the 3rd party protection
thingy
and say: install this so you can't see my code (because they might not!).
Anyway, I'm open to any solution.

Thanks
kpg

Hi David,

I was afraid you would misunderstand me. I wasn't calling YOU a fool. I was
saying that if I know something, and act like I don't then I am a fool. I
don't blame you at all for being open-minded. When you don't know something,
that is the right way to be. When one DOES know something, such as whether
you can hide or obfuscate JavaScript succesfully (and I do know that), one
would be a fool to say that one does not.

IOW, you are right to be open-minded about this, and I am right to be
close-minded about it.

Old saying (can't attribute the author):

"He who knows not, and knows not that he knows not is a fool. Shun him.
He who knows not, and knows that he knows not, is a student. Teach him.
He who knows, and knows not that he knows, is asleep. Wake him.
He who knows, and knows that he knows, is wise. Follow him."

Friends? :)

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message
news:OP**************@tk2msftngp13.phx.gbl...

I shudder to think what this world would be like if we all had the same
opinion as you did.

Keeping an open mind is what gives birth to invention and discovery. I
doesn't matter what you know or know not, all that matters is that there
are
people out there who look at a problem and say. You know, I bet there's a
way to get around that. You go ahead and say it can't be done while I
find
a way to do it. And as for the why? Because I Can!

So, you continue to be closed minded and I'll continue to be an
open-minded
"fool".

cheers.

"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:%2****************@TK2MSFTNGP15.phx.gbl...

> Now, I'm not as closed minded as some of the others here

Anyone who is open-minded about what they do know knows nothing. For
example, solve the following arithmentic problem:

1 + 2 = ?

Now, when I was 3 years old I was entitled to be open-minded about the
answer to that question. If I were open-minded about it now, I would be a
fool.

IOW, just because you don't know something doesn't make your

open-mindedness

a virtue.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.

"David Young" <RE******************@yahoo.com> wrote in message
news:Og**************@TK2MSFTNGP15.phx.gbl...

> First of all, you're not crazy. Back in the day, I did some
> development
> for
> the Netscape Enterprise Server. It used "Compiled" javascript and came
> with
> it's own compiler.
>
> Now, I'm not as closed minded as some of the others here, so, I'm betting > there's a way to approach this. You know you can set your javascript
> source
> to a file right? So, what's to prevent us from making that file and aspx > file that sends content to the browser? Just make sure you set the
> content
> type before you output it. Next, I would think about how we can
> prevent
> the
> aspx file from being rendered by itself. You know, make sure it
> outputs
> nothing if you typed it directly into the url. Should be easy enough
> to
> accomplish.
>
> Perhaps that's a good idea for my next project at home.
>
> Dave
>
> "kpg" <ip***@thereforeiam.com> wrote in message
> news:%2****************@TK2MSFTNGP10.phx.gbl...
>> Hello all,
>>
>> I have an asp.net web application with tons of Java script files.
>>
>> I would like to protect the Java Script somehow so it can't be
>> seen by a remote user.
>>
>> I found several 3rd party solutions, but I thought I remember that
>> there was a way to 'compile' java script and use that instead of
>> the actual script?
>>
>> The problem I have with 3rd party solutions is two-fold:
>>
>> 1) I'm cheap
>>
>> 2) I'm going to install the app on a customer's server for use by
>> their customers. I don't want them (my customer) or their customers
>> to have access to the java script files.
>>
>> I think a 3rd party solution would work fine for me on my server, but
>> I
>> can't really give the customer the app and the 3rd party protection
>> thingy
>> and say: install this so you can't see my code (because they might not!). >>
>> Anyway, I'm open to any solution.
>>
>> Thanks
>> kpg
>>
>
>

Ok, here's your solution:

Create an aspx page. Call it "JSSource.aspx"
Open the HTML view and delete everything except the contents of the <@ Page>
directive.
Open the Code Behind for this page.
Add two using statements:
using System.Text;
using System.IO;
Add the following to the Page_Load handler:
private void Page_Load(object sender, System.EventArgs e)
{
// Put user code to initialize the page here
string script;
StringBuilder b = new StringBuilder();
b.Append("function doOnLoad(){");
b.Append("alert('hello there');}");

if(Request.UrlReferrer==null||Request.UrlReferrer. Host!="localhost")
script = "var youbite = 'eat me';";
else
script = b.ToString();

ASCIIEncoding encoder = new ASCIIEncoding();
byte[] buffer = encoder.GetBytes(script);
Response.ContentType = "text/javascript";
Response.OutputStream.Write(buffer,0,buffer.Length );
}

Then create a new aspx page. Call it JSClient.aspx
Open the HTML View and add the following betweent the </HEAD> and <BODY>
tags.
<script Language="javascript" type="text/css" src="JSSource.aspx"></script>
in the Body tag, add the following onLoad="doOnLoad();"

Then create a third page. Call it "Launch.aspx" add a hyperlink control, or
a simple <A href> tag. the NavigateUrl = "JSClient.aspx"

Build and launch the "Launch.aspx" page. When you click on the link, it'll
load the JSClient.aspx page and you should get a nice little Hello World
popup.

Enhance as you see fit. Another think you may want to think about is
caching. You may want to make sure to add directives to prevent the browser
from caching the JSSource.aspx page. Also, if it's being deployed on a
client site, they could open the site's dll with something lik Reflector and
see your source, so you might want to obfuscate that.

It's a little simple I agree, but it's the best I could come up with on such
short notice.

BTW - Never accept never as an answer. When they say it can't be done, be
like me and say why not. Sometimes ignorance is bliss.

Dave
"kpg" <ip***@thereforeiam.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

Hello all,

I have an asp.net web application with tons of Java script files.

I would like to protect the Java Script somehow so it can't be
seen by a remote user.

I found several 3rd party solutions, but I thought I remember that
there was a way to 'compile' java script and use that instead of
the actual script?

The problem I have with 3rd party solutions is two-fold:

1) I'm cheap

2) I'm going to install the app on a customer's server for use by
their customers. I don't want them (my customer) or their customers
to have access to the java script files.

I think a 3rd party solution would work fine for me on my server, but I
can't really give the customer the app and the 3rd party protection thingy
and say: install this so you can't see my code (because they might not!).

Anyway, I'm open to any solution.

Thanks
kpg

Oh, I understand perfectly. You are saying that since I don't know any
better, it's ok to be "open-minded".

You also said that since you already know that it is not possible to do what
he asked, then in your case, it's ok to be "closed-minded", because you know
it can't be done (and you do know that).

I really appreciate you clearing all that up for me. Next time, I guess
I'll know better.

Friends?;)

"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:%2***************@TK2MSFTNGP12.phx.gbl...

Hi David,

I was afraid you would misunderstand me. I wasn't calling YOU a fool. I was saying that if I know something, and act like I don't then I am a fool. I
don't blame you at all for being open-minded. When you don't know something, that is the right way to be. When one DOES know something, such as whether
you can hide or obfuscate JavaScript succesfully (and I do know that), one
would be a fool to say that one does not.

IOW, you are right to be open-minded about this, and I am right to be
close-minded about it.

Old saying (can't attribute the author):

"He who knows not, and knows not that he knows not is a fool. Shun him.
He who knows not, and knows that he knows not, is a student. Teach him.
He who knows, and knows not that he knows, is asleep. Wake him.
He who knows, and knows that he knows, is wise. Follow him."

Friends? :)

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message
news:OP**************@tk2msftngp13.phx.gbl...

I shudder to think what this world would be like if we all had the same
opinion as you did.

Keeping an open mind is what gives birth to invention and discovery. I
doesn't matter what you know or know not, all that matters is that there
are
people out there who look at a problem and say. You know, I bet there's a way to get around that. You go ahead and say it can't be done while I
find
a way to do it. And as for the why? Because I Can!

So, you continue to be closed minded and I'll continue to be an
open-minded
"fool".

cheers.

"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:%2****************@TK2MSFTNGP15.phx.gbl...

> Now, I'm not as closed minded as some of the others here

Anyone who is open-minded about what they do know knows nothing. For
example, solve the following arithmentic problem:

1 + 2 = ?

Now, when I was 3 years old I was entitled to be open-minded about the
answer to that question. If I were open-minded about it now, I would be a fool.

IOW, just because you don't know something doesn't make your

open-mindedness

a virtue.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.

"David Young" <RE******************@yahoo.com> wrote in message
news:Og**************@TK2MSFTNGP15.phx.gbl...
> First of all, you're not crazy. Back in the day, I did some
> development
> for
> the Netscape Enterprise Server. It used "Compiled" javascript and came > with
> it's own compiler.
>
> Now, I'm not as closed minded as some of the others here, so, I'm

betting

> there's a way to approach this. You know you can set your javascript
> source
> to a file right? So, what's to prevent us from making that file and

aspx

> file that sends content to the browser? Just make sure you set the
> content
> type before you output it. Next, I would think about how we can
> prevent
> the
> aspx file from being rendered by itself. You know, make sure it
> outputs
> nothing if you typed it directly into the url. Should be easy enough
> to
> accomplish.
>
> Perhaps that's a good idea for my next project at home.
>
> Dave
>
> "kpg" <ip***@thereforeiam.com> wrote in message
> news:%2****************@TK2MSFTNGP10.phx.gbl...
>> Hello all,
>>
>> I have an asp.net web application with tons of Java script files.
>>
>> I would like to protect the Java Script somehow so it can't be
>> seen by a remote user.
>>
>> I found several 3rd party solutions, but I thought I remember that
>> there was a way to 'compile' java script and use that instead of
>> the actual script?
>>
>> The problem I have with 3rd party solutions is two-fold:
>>
>> 1) I'm cheap
>>
>> 2) I'm going to install the app on a customer's server for use by
>> their customers. I don't want them (my customer) or their customers
>> to have access to the java script files.
>>
>> I think a 3rd party solution would work fine for me on my server, but >> I
>> can't really give the customer the app and the 3rd party protection
>> thingy
>> and say: install this so you can't see my code (because they might

not!).

>>
>> Anyway, I'm open to any solution.
>>
>> Thanks
>> kpg
>>
>
>

Your solution has been tried before. Many times.

Don't forget, Columbus only discovered America for those that didn't already
know it was there (like the Indians).

I don't cliam to know everything. I simply claim to know what I do know of
what is already known.

Ignorance may be bliss, but knowledge is power. I'll settle for bliss when
I'm sleeping, and when I die. Until then, I have too many responsibilities
that require knowledge to fulfill. And I take my responsiblities seriously.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.

"David Young" <RE******************@yahoo.com> wrote in message
news:u5**************@TK2MSFTNGP10.phx.gbl...

Oh, I understand perfectly. You are saying that since I don't know any
better, it's ok to be "open-minded".

You also said that since you already know that it is not possible to do
what
he asked, then in your case, it's ok to be "closed-minded", because you
know
it can't be done (and you do know that).

I really appreciate you clearing all that up for me. Next time, I guess
I'll know better.

Friends?;)

"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:%2***************@TK2MSFTNGP12.phx.gbl...

Hi David,

I was afraid you would misunderstand me. I wasn't calling YOU a fool. I

was

saying that if I know something, and act like I don't then I am a fool. I
don't blame you at all for being open-minded. When you don't know

something,

that is the right way to be. When one DOES know something, such as
whether
you can hide or obfuscate JavaScript succesfully (and I do know that),
one
would be a fool to say that one does not.

IOW, you are right to be open-minded about this, and I am right to be
close-minded about it.

Old saying (can't attribute the author):

"He who knows not, and knows not that he knows not is a fool. Shun him.
He who knows not, and knows that he knows not, is a student. Teach him.
He who knows, and knows not that he knows, is asleep. Wake him.
He who knows, and knows that he knows, is wise. Follow him."

Friends? :)

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message
news:OP**************@tk2msftngp13.phx.gbl...

>I shudder to think what this world would be like if we all had the same
> opinion as you did.
>
> Keeping an open mind is what gives birth to invention and discovery. I
> doesn't matter what you know or know not, all that matters is that
> there
> are
> people out there who look at a problem and say. You know, I bet
> there's a > way to get around that. You go ahead and say it can't be done while I
> find
> a way to do it. And as for the why? Because I Can!
>
> So, you continue to be closed minded and I'll continue to be an
> open-minded
> "fool".
>
> cheers.
>
> "Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
> news:%2****************@TK2MSFTNGP15.phx.gbl...
>> > Now, I'm not as closed minded as some of the others here
>>
>> Anyone who is open-minded about what they do know knows nothing. For
>> example, solve the following arithmentic problem:
>>
>> 1 + 2 = ?
>>
>> Now, when I was 3 years old I was entitled to be open-minded about the
>> answer to that question. If I were open-minded about it now, I would
>> be a >> fool.
>>
>> IOW, just because you don't know something doesn't make your
> open-mindedness
>> a virtue.
>>
>> --
>> HTH,
>>
>> Kevin Spencer
>> Microsoft MVP
>> .Net Developer
>> What You Seek Is What You Get.
>>
>> "David Young" <RE******************@yahoo.com> wrote in message
>> news:Og**************@TK2MSFTNGP15.phx.gbl...
>> > First of all, you're not crazy. Back in the day, I did some
>> > development
>> > for
>> > the Netscape Enterprise Server. It used "Compiled" javascript and came >> > with
>> > it's own compiler.
>> >
>> > Now, I'm not as closed minded as some of the others here, so, I'm
> betting
>> > there's a way to approach this. You know you can set your
>> > javascript
>> > source
>> > to a file right? So, what's to prevent us from making that file and
> aspx
>> > file that sends content to the browser? Just make sure you set the
>> > content
>> > type before you output it. Next, I would think about how we can
>> > prevent
>> > the
>> > aspx file from being rendered by itself. You know, make sure it
>> > outputs
>> > nothing if you typed it directly into the url. Should be easy
>> > enough
>> > to
>> > accomplish.
>> >
>> > Perhaps that's a good idea for my next project at home.
>> >
>> > Dave
>> >
>> > "kpg" <ip***@thereforeiam.com> wrote in message
>> > news:%2****************@TK2MSFTNGP10.phx.gbl...
>> >> Hello all,
>> >>
>> >> I have an asp.net web application with tons of Java script files.
>> >>
>> >> I would like to protect the Java Script somehow so it can't be
>> >> seen by a remote user.
>> >>
>> >> I found several 3rd party solutions, but I thought I remember that
>> >> there was a way to 'compile' java script and use that instead of
>> >> the actual script?
>> >>
>> >> The problem I have with 3rd party solutions is two-fold:
>> >>
>> >> 1) I'm cheap
>> >>
>> >> 2) I'm going to install the app on a customer's server for use by
>> >> their customers. I don't want them (my customer) or their
>> >> customers
>> >> to have access to the java script files.
>> >>
>> >> I think a 3rd party solution would work fine for me on my server, but >> >> I
>> >> can't really give the customer the app and the 3rd party protection
>> >> thingy
>> >> and say: install this so you can't see my code (because they might
> not!).
>> >>
>> >> Anyway, I'm open to any solution.
>> >>
>> >> Thanks
>> >> kpg
>> >>
>> >
>> >
>>
>>
>
>

I guess I just don't understand you then. You told KPG that what he wanted
to do was not possible. You ridicule me for saying that we should keep an
open mind about it. I post a solution that WORKS and you say it's been
tried that way before.

If you knew of the solution, why didn't you just post it in the first place
instead of telling him it couldn't be done?

"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:OA****************@TK2MSFTNGP14.phx.gbl...

Your solution has been tried before. Many times.

Don't forget, Columbus only discovered America for those that didn't already know it was there (like the Indians).

I don't cliam to know everything. I simply claim to know what I do know of
what is already known.

Ignorance may be bliss, but knowledge is power. I'll settle for bliss when
I'm sleeping, and when I die. Until then, I have too many responsibilities
that require knowledge to fulfill. And I take my responsiblities seriously.
--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.

"David Young" <RE******************@yahoo.com> wrote in message
news:u5**************@TK2MSFTNGP10.phx.gbl...

Oh, I understand perfectly. You are saying that since I don't know any
better, it's ok to be "open-minded".

You also said that since you already know that it is not possible to do
what
he asked, then in your case, it's ok to be "closed-minded", because you
know
it can't be done (and you do know that).

I really appreciate you clearing all that up for me. Next time, I guess
I'll know better.

Friends?;)

"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:%2***************@TK2MSFTNGP12.phx.gbl...

Hi David,

I was afraid you would misunderstand me. I wasn't calling YOU a fool. I

was

saying that if I know something, and act like I don't then I am a fool. I don't blame you at all for being open-minded. When you don't know

something,

that is the right way to be. When one DOES know something, such as
whether
you can hide or obfuscate JavaScript succesfully (and I do know that),
one
would be a fool to say that one does not.

IOW, you are right to be open-minded about this, and I am right to be
close-minded about it.

Old saying (can't attribute the author):

"He who knows not, and knows not that he knows not is a fool. Shun him.
He who knows not, and knows that he knows not, is a student. Teach him.
He who knows, and knows not that he knows, is asleep. Wake him.
He who knows, and knows that he knows, is wise. Follow him."

Friends? :)

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message
news:OP**************@tk2msftngp13.phx.gbl...
>I shudder to think what this world would be like if we all had the same > opinion as you did.
>
> Keeping an open mind is what gives birth to invention and discovery. I > doesn't matter what you know or know not, all that matters is that
> there
> are
> people out there who look at a problem and say. You know, I bet
> there's

a

> way to get around that. You go ahead and say it can't be done while I > find
> a way to do it. And as for the why? Because I Can!
>
> So, you continue to be closed minded and I'll continue to be an
> open-minded
> "fool".
>
> cheers.
>
> "Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
> news:%2****************@TK2MSFTNGP15.phx.gbl...
>> > Now, I'm not as closed minded as some of the others here
>>
>> Anyone who is open-minded about what they do know knows nothing. For >> example, solve the following arithmentic problem:
>>
>> 1 + 2 = ?
>>
>> Now, when I was 3 years old I was entitled to be open-minded about the >> answer to that question. If I were open-minded about it now, I would
>> be

a

>> fool.
>>
>> IOW, just because you don't know something doesn't make your
> open-mindedness
>> a virtue.
>>
>> --
>> HTH,
>>
>> Kevin Spencer
>> Microsoft MVP
>> .Net Developer
>> What You Seek Is What You Get.
>>
>> "David Young" <RE******************@yahoo.com> wrote in message
>> news:Og**************@TK2MSFTNGP15.phx.gbl...
>> > First of all, you're not crazy. Back in the day, I did some
>> > development
>> > for
>> > the Netscape Enterprise Server. It used "Compiled" javascript and

came

>> > with
>> > it's own compiler.
>> >
>> > Now, I'm not as closed minded as some of the others here, so, I'm
> betting
>> > there's a way to approach this. You know you can set your
>> > javascript
>> > source
>> > to a file right? So, what's to prevent us from making that file and > aspx
>> > file that sends content to the browser? Just make sure you set the >> > content
>> > type before you output it. Next, I would think about how we can
>> > prevent
>> > the
>> > aspx file from being rendered by itself. You know, make sure it
>> > outputs
>> > nothing if you typed it directly into the url. Should be easy
>> > enough
>> > to
>> > accomplish.
>> >
>> > Perhaps that's a good idea for my next project at home.
>> >
>> > Dave
>> >
>> > "kpg" <ip***@thereforeiam.com> wrote in message
>> > news:%2****************@TK2MSFTNGP10.phx.gbl...
>> >> Hello all,
>> >>
>> >> I have an asp.net web application with tons of Java script files.
>> >>
>> >> I would like to protect the Java Script somehow so it can't be
>> >> seen by a remote user.
>> >>
>> >> I found several 3rd party solutions, but I thought I remember that >> >> there was a way to 'compile' java script and use that instead of
>> >> the actual script?
>> >>
>> >> The problem I have with 3rd party solutions is two-fold:
>> >>
>> >> 1) I'm cheap
>> >>
>> >> 2) I'm going to install the app on a customer's server for use by
>> >> their customers. I don't want them (my customer) or their
>> >> customers
>> >> to have access to the java script files.
>> >>
>> >> I think a 3rd party solution would work fine for me on my server,

but

>> >> I
>> >> can't really give the customer the app and the 3rd party protection >> >> thingy
>> >> and say: install this so you can't see my code (because they might > not!).
>> >>
>> >> Anyway, I'm open to any solution.
>> >>
>> >> Thanks
>> >> kpg
>> >>
>> >
>> >
>>
>>
>
>

Hi David,

First, I didn't ridicule you.

Second, your solution doesn't "work." It can be circumvented just like all
the others.

Third, I said it had been tried. I didn't say succesfully. If it had been
tried successfully, I would not have said that there is no solution. There
is no solution. I could go into details (there are excellent technical
reasons why it can't be done), but this is all old history. Only interesting
to someone that hasn't heard it all before. And most of the rest of us have
heard it all before. We're Indians. You're Columbus. Welcome to the New
World.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.

"David Young" <RE******************@yahoo.com> wrote in message
news:uE**************@TK2MSFTNGP14.phx.gbl...

I guess I just don't understand you then. You told KPG that what he wanted
to do was not possible. You ridicule me for saying that we should keep an
open mind about it. I post a solution that WORKS and you say it's been
tried that way before.

If you knew of the solution, why didn't you just post it in the first
place
instead of telling him it couldn't be done?

"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:OA****************@TK2MSFTNGP14.phx.gbl...

Your solution has been tried before. Many times.

Don't forget, Columbus only discovered America for those that didn't

already

know it was there (like the Indians).

I don't cliam to know everything. I simply claim to know what I do know
of
what is already known.

Ignorance may be bliss, but knowledge is power. I'll settle for bliss
when
I'm sleeping, and when I die. Until then, I have too many
responsibilities
that require knowledge to fulfill. And I take my responsiblities

seriously.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.

"David Young" <RE******************@yahoo.com> wrote in message
news:u5**************@TK2MSFTNGP10.phx.gbl...

> Oh, I understand perfectly. You are saying that since I don't know any
> better, it's ok to be "open-minded".
>
> You also said that since you already know that it is not possible to do
> what
> he asked, then in your case, it's ok to be "closed-minded", because you
> know
> it can't be done (and you do know that).
>
> I really appreciate you clearing all that up for me. Next time, I
> guess
> I'll know better.
>
> Friends?;)
>
>
>
> "Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
> news:%2***************@TK2MSFTNGP12.phx.gbl...
>> Hi David,
>>
>> I was afraid you would misunderstand me. I wasn't calling YOU a fool.
>> I
> was
>> saying that if I know something, and act like I don't then I am a
>> fool. I >> don't blame you at all for being open-minded. When you don't know
> something,
>> that is the right way to be. When one DOES know something, such as
>> whether
>> you can hide or obfuscate JavaScript succesfully (and I do know that),
>> one
>> would be a fool to say that one does not.
>>
>> IOW, you are right to be open-minded about this, and I am right to be
>> close-minded about it.
>>
>> Old saying (can't attribute the author):
>>
>> "He who knows not, and knows not that he knows not is a fool. Shun
>> him.
>> He who knows not, and knows that he knows not, is a student. Teach
>> him.
>> He who knows, and knows not that he knows, is asleep. Wake him.
>> He who knows, and knows that he knows, is wise. Follow him."
>>
>> Friends? :)
>>
>> --
>> HTH,
>>
>> Kevin Spencer
>> Microsoft MVP
>> .Net Developer
>> What You Seek Is What You Get.
>>
>>
>> "David Young" <RE******************@yahoo.com> wrote in message
>> news:OP**************@tk2msftngp13.phx.gbl...
>> >I shudder to think what this world would be like if we all had the same >> > opinion as you did.
>> >
>> > Keeping an open mind is what gives birth to invention and discovery. I >> > doesn't matter what you know or know not, all that matters is that
>> > there
>> > are
>> > people out there who look at a problem and say. You know, I bet
>> > there's
> a
>> > way to get around that. You go ahead and say it can't be done while I >> > find
>> > a way to do it. And as for the why? Because I Can!
>> >
>> > So, you continue to be closed minded and I'll continue to be an
>> > open-minded
>> > "fool".
>> >
>> > cheers.
>> >
>> > "Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
>> > news:%2****************@TK2MSFTNGP15.phx.gbl...
>> >> > Now, I'm not as closed minded as some of the others here
>> >>
>> >> Anyone who is open-minded about what they do know knows nothing.
>> >> For >> >> example, solve the following arithmentic problem:
>> >>
>> >> 1 + 2 = ?
>> >>
>> >> Now, when I was 3 years old I was entitled to be open-minded about the >> >> answer to that question. If I were open-minded about it now, I
>> >> would
>> >> be
> a
>> >> fool.
>> >>
>> >> IOW, just because you don't know something doesn't make your
>> > open-mindedness
>> >> a virtue.
>> >>
>> >> --
>> >> HTH,
>> >>
>> >> Kevin Spencer
>> >> Microsoft MVP
>> >> .Net Developer
>> >> What You Seek Is What You Get.
>> >>
>> >> "David Young" <RE******************@yahoo.com> wrote in message
>> >> news:Og**************@TK2MSFTNGP15.phx.gbl...
>> >> > First of all, you're not crazy. Back in the day, I did some
>> >> > development
>> >> > for
>> >> > the Netscape Enterprise Server. It used "Compiled" javascript
>> >> > and
> came
>> >> > with
>> >> > it's own compiler.
>> >> >
>> >> > Now, I'm not as closed minded as some of the others here, so, I'm
>> > betting
>> >> > there's a way to approach this. You know you can set your
>> >> > javascript
>> >> > source
>> >> > to a file right? So, what's to prevent us from making that file and >> > aspx
>> >> > file that sends content to the browser? Just make sure you set the >> >> > content
>> >> > type before you output it. Next, I would think about how we can
>> >> > prevent
>> >> > the
>> >> > aspx file from being rendered by itself. You know, make sure it
>> >> > outputs
>> >> > nothing if you typed it directly into the url. Should be easy
>> >> > enough
>> >> > to
>> >> > accomplish.
>> >> >
>> >> > Perhaps that's a good idea for my next project at home.
>> >> >
>> >> > Dave
>> >> >
>> >> > "kpg" <ip***@thereforeiam.com> wrote in message
>> >> > news:%2****************@TK2MSFTNGP10.phx.gbl...
>> >> >> Hello all,
>> >> >>
>> >> >> I have an asp.net web application with tons of Java script
>> >> >> files.
>> >> >>
>> >> >> I would like to protect the Java Script somehow so it can't be
>> >> >> seen by a remote user.
>> >> >>
>> >> >> I found several 3rd party solutions, but I thought I remember that >> >> >> there was a way to 'compile' java script and use that instead of
>> >> >> the actual script?
>> >> >>
>> >> >> The problem I have with 3rd party solutions is two-fold:
>> >> >>
>> >> >> 1) I'm cheap
>> >> >>
>> >> >> 2) I'm going to install the app on a customer's server for use
>> >> >> by
>> >> >> their customers. I don't want them (my customer) or their
>> >> >> customers
>> >> >> to have access to the java script files.
>> >> >>
>> >> >> I think a 3rd party solution would work fine for me on my
>> >> >> server,
> but
>> >> >> I
>> >> >> can't really give the customer the app and the 3rd party protection >> >> >> thingy
>> >> >> and say: install this so you can't see my code (because they might >> > not!).
>> >> >>
>> >> >> Anyway, I'm open to any solution.
>> >> >>
>> >> >> Thanks
>> >> >> kpg
>> >> >>
>> >> >
>> >> >
>> >>
>> >>
>> >
>> >
>>
>>
>
>

"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...

Second, your solution doesn't "work." It can be circumvented just like all
the others.
Ok, aside from packet sniffing and decompiling the source, how can it be
circumvented. Not being a smartass here, just the ignorant student asking a
question of the master.
We're Indians. You're Columbus. Welcome to the New
World.
Whatever.
--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.

Hi David,

I'm no master. I'm not sure what a "master" is. I am faced every day with
problems that I must learn something new in order to solve. Lately, for
example, I've been struggling with modelling a small aircraft in a 3D
terrain scene based on GPS data that comes in at about 1 data point per
second. To do the interpolation/extrapolation requires some trigonometry
(not a problem) and some calculus (a problem). So, I've been getting help
with the calculus, and kicking myself for not knowing it, and costing my
employer money as a result. I've bought a couple of books on calculus, and
hopefully will get better at it as I go. I plan to study it at home in my
free time.

I couldn't begin to write an operating system. There are programmers out
there who seem like gods to me. Most of them work for Microsoft or some
Gaming software company.

I only know one thing that you do not, that I know of. And I'm sure you know
a thing or 2 that I do not. That's what we're here for, to help each other
out along the way.

I may come across as a "master" because I tend to keep my mouth shut about
the things I do not know, and speak with authority about the things I DO
know. Occasionally I will make a guess, but not often, and then I will
qualify my remarks by saying that I am guessing. But the perception would be
merely on the part of the perceiver.

So relax, we're all in the same leaky boat together. It's not about people
and personalities, it's about knowledge. I'll share mine with you, and
hopefully, when I'm stuck, you'll share yours with me.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.

"David Young" <RE******************@yahoo.com> wrote in message
news:uj**************@TK2MSFTNGP14.phx.gbl...

"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...

Second, your solution doesn't "work." It can be circumvented just like
all
the others.

Ok, aside from packet sniffing and decompiling the source, how can it be
circumvented. Not being a smartass here, just the ignorant student asking
a
question of the master.

We're Indians. You're Columbus. Welcome to the New
World.

Whatever.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.

So, I guess that means you're not going to share with me how my solution can
be circumvented? Again, outside packet sniffing and decompiling (both of
which can be addressed).

Google it. It's old news.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.

"David Young" <RE******************@yahoo.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

So, I guess that means you're not going to share with me how my solution
can
be circumvented? Again, outside packet sniffing and decompiling (both of
which can be addressed).

Really?

I'm guessing one of the two apply here:
a) You didn't take time to review and try the solution that I posted,
because you are a pompus, self-righteous, arrogant
cotton-headed-ninny-muggin who scoff's at anyone who dares to question you.
Or;

b) You have looked at my solution, applied it, and discoved that it does
indeed work, but are too arrogant and hard-headed to admit you were wrong.

In light of all that. If you can show me where I'm wrong, I'll gladly admit
my error and apologise for the ranting. Otherwise...I'm done here.
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:O2**************@TK2MSFTNGP12.phx.gbl...

Google it. It's old news.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.

"David Young" <RE******************@yahoo.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

So, I guess that means you're not going to share with me how my solution
can
be circumvented? Again, outside packet sniffing and decompiling (both of which can be addressed).

Hi David:

At best though, this is security through obfuscation. Someone
determined to see the underlying javascript will get to it.

System.Net.WebClient client = new WebClient();
client.Header.Add("Referer", "http://AUrlToSpoofOnYourSite.com");
byte[] buffer = client.DownloadData ("http://TheUrl/JSScript.aspx");
Console.WriteLine(Encoding.ASCII.GetString(buffer) );

--
Scott
http://www.OdeToCode.com/blogs/scott/
On Wed, 27 Apr 2005 16:09:39 -0500, "David Young"
<RE******************@yahoo.com> wrote:

Ok, here's your solution:

Create an aspx page. Call it "JSSource.aspx"
Open the HTML view and delete everything except the contents of the <@ Page>
directive.
Open the Code Behind for this page.
Add two using statements:
using System.Text;
using System.IO;
Add the following to the Page_Load handler:
private void Page_Load(object sender, System.EventArgs e)
{
// Put user code to initialize the page here
string script;
StringBuilder b = new StringBuilder();
b.Append("function doOnLoad(){");
b.Append("alert('hello there');}");

if(Request.UrlReferrer==null||Request.UrlReferrer. Host!="localhost")
script = "var youbite = 'eat me';";
else
script = b.ToString();

ASCIIEncoding encoder = new ASCIIEncoding();
byte[] buffer = encoder.GetBytes(script);
Response.ContentType = "text/javascript";
Response.OutputStream.Write(buffer,0,buffer.Length );
}

Then create a new aspx page. Call it JSClient.aspx
Open the HTML View and add the following betweent the </HEAD> and <BODY>
tags.
<script Language="javascript" type="text/css" src="JSSource.aspx"></script>
in the Body tag, add the following onLoad="doOnLoad();"

Then create a third page. Call it "Launch.aspx" add a hyperlink control, or
a simple <A href> tag. the NavigateUrl = "JSClient.aspx"

Build and launch the "Launch.aspx" page. When you click on the link, it'll
load the JSClient.aspx page and you should get a nice little Hello World
popup.

Enhance as you see fit. Another think you may want to think about is
caching. You may want to make sure to add directives to prevent the browser
from caching the JSSource.aspx page. Also, if it's being deployed on a
client site, they could open the site's dll with something lik Reflector and
see your source, so you might want to obfuscate that.

It's a little simple I agree, but it's the best I could come up with on such
short notice.

BTW - Never accept never as an answer. When they say it can't be done, be
like me and say why not. Sometimes ignorance is bliss.

Dave
"kpg" <ip***@thereforeiam.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

Hello all,

I have an asp.net web application with tons of Java script files.

I would like to protect the Java Script somehow so it can't be
seen by a remote user.

I found several 3rd party solutions, but I thought I remember that
there was a way to 'compile' java script and use that instead of
the actual script?

The problem I have with 3rd party solutions is two-fold:

1) I'm cheap

2) I'm going to install the app on a customer's server for use by
their customers. I don't want them (my customer) or their customers
to have access to the java script files.

I think a 3rd party solution would work fine for me on my server, but I
can't really give the customer the app and the 3rd party protection thingy
and say: install this so you can't see my code (because they might not!).

Anyway, I'm open to any solution.

Thanks
kpg

Scott,
Correct. I believe I stated "aside from packet sniffing and decompiling the
dll" (or looking at it in .NetReflector). I fully understand that, however,
the comment was made that:

"If the browser can read it, so can you. So can anyone. It is not
possible.".

I just disagreed with that philosophy and posted a solution that discounts
that. To get at it, they would have to get the dll or capture the packets
as they came across the wire.

I also agree that packet sniffing and decompiling are both issues that have
to be overcome. However, I also know that there are ways to address both
those issues as well.

For instance:
a) Build a COM object in C++ that contains the JS code and build a callable
wrapper to make it accesible to your ASP.net code. (haven't actually done
this so I'm not sure what you'll see in reflector) And yes, I know if you
have Borlands old decompiler :) ....

b) Use web services to have the client app contact you're app to get the JS
code. (that keeps them from getting your dll).

I'll probably come up with more.

I do have to agree with Kevin on one point. Why? But then, that's not for
me to question.

Thanks for your response though.

"Scott Allen" <sc***@nospam.odetocode.com> wrote in message
news:s1********************************@4ax.com...

Hi David:

At best though, this is security through obfuscation. Someone
determined to see the underlying javascript will get to it.

System.Net.WebClient client = new WebClient();
client.Header.Add("Referer", "http://AUrlToSpoofOnYourSite.com");
byte[] buffer = client.DownloadData ("http://TheUrl/JSScript.aspx");
Console.WriteLine(Encoding.ASCII.GetString(buffer) );

--
Scott
http://www.OdeToCode.com/blogs/scott/
On Wed, 27 Apr 2005 16:09:39 -0500, "David Young"
<RE******************@yahoo.com> wrote:

Ok, here's your solution:

Create an aspx page. Call it "JSSource.aspx"
Open the HTML view and delete everything except the contents of the <@ Page>directive.
Open the Code Behind for this page.
Add two using statements:
using System.Text;
using System.IO;
Add the following to the Page_Load handler:
private void Page_Load(object sender, System.EventArgs e)
{
// Put user code to initialize the page here
string script;
StringBuilder b = new StringBuilder();
b.Append("function doOnLoad(){");
b.Append("alert('hello there');}");

if(Request.UrlReferrer==null||Request.UrlReferrer. Host!="localhost") script = "var youbite = 'eat me';";
else
script = b.ToString();

ASCIIEncoding encoder = new ASCIIEncoding();
byte[] buffer = encoder.GetBytes(script);
Response.ContentType = "text/javascript";
Response.OutputStream.Write(buffer,0,buffer.Length );
}

Then create a new aspx page. Call it JSClient.aspx
Open the HTML View and add the following betweent the </HEAD> and <BODY>
tags.
<script Language="javascript" type="text/css" src="JSSource.aspx"></script>in the Body tag, add the following onLoad="doOnLoad();"

Then create a third page. Call it "Launch.aspx" add a hyperlink control, ora simple <A href> tag. the NavigateUrl = "JSClient.aspx"

Build and launch the "Launch.aspx" page. When you click on the link, it'llload the JSClient.aspx page and you should get a nice little Hello World
popup.

Enhance as you see fit. Another think you may want to think about is
caching. You may want to make sure to add directives to prevent the browserfrom caching the JSSource.aspx page. Also, if it's being deployed on a
client site, they could open the site's dll with something lik Reflector andsee your source, so you might want to obfuscate that.

It's a little simple I agree, but it's the best I could come up with on suchshort notice.

BTW - Never accept never as an answer. When they say it can't be done, belike me and say why not. Sometimes ignorance is bliss.

Dave
"kpg" <ip***@thereforeiam.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

Hello all,

I have an asp.net web application with tons of Java script files.

I would like to protect the Java Script somehow so it can't be
seen by a remote user.

I found several 3rd party solutions, but I thought I remember that
there was a way to 'compile' java script and use that instead of
the actual script?

The problem I have with 3rd party solutions is two-fold:

1) I'm cheap

2) I'm going to install the app on a customer's server for use by
their customers. I don't want them (my customer) or their customers
to have access to the java script files.

I think a 3rd party solution would work fine for me on my server, but I
can't really give the customer the app and the 3rd party protection thingy and say: install this so you can't see my code (because they might not!).
Anyway, I'm open to any solution.

Thanks
kpg

> In light of all that. If you can show me where I'm wrong, I'll gladly

admit
my error and apologise for the ranting. Otherwise...I'm done here.
In that case... you're done here.

I don't care if you apologize or not. My feelings aren't hurt. I have the
skin of a rhinocerous.

By not admitting your mistakes, you only hurt yourself.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.

"David Young" <RE******************@yahoo.com> wrote in message
news:ua*************@TK2MSFTNGP12.phx.gbl... Really?

I'm guessing one of the two apply here:
a) You didn't take time to review and try the solution that I posted,
because you are a pompus, self-righteous, arrogant
cotton-headed-ninny-muggin who scoff's at anyone who dares to question
you.
Or;

b) You have looked at my solution, applied it, and discoved that it does
indeed work, but are too arrogant and hard-headed to admit you were wrong.

In light of all that. If you can show me where I'm wrong, I'll gladly
admit
my error and apologise for the ranting. Otherwise...I'm done here.
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:O2**************@TK2MSFTNGP12.phx.gbl...

Google it. It's old news.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.

"David Young" <RE******************@yahoo.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

> So, I guess that means you're not going to share with me how my
> solution
> can
> be circumvented? Again, outside packet sniffing and decompiling (both of > which can be addressed).
>
>

Show me where I'm wrong and I'll gladly admit it.
And "Because I said so" just won't cut it.

"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:%2****************@TK2MSFTNGP15.phx.gbl...

By not admitting your mistakes, you only hurt yourself.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.

I wanted to chime in on the invective between David Young & Kevin Spencer by
suggesting that Shakespeare probably best summed it up here guys:

"Light seeking light doth light of light beguile."

It's one of my favs and probably best characterizes your exchanges regarding
this issue.

Brice

True.
Would have been almost comical had it not been such a sad display.

Dave :)

"Brice Richard" <Br**********@discussions.microsoft.com> wrote in message
news:93**********************************@microsof t.com...

I wanted to chime in on the invective between David Young & Kevin Spencer by suggesting that Shakespeare probably best summed it up here guys:

"Light seeking light doth light of light beguile."

It's one of my favs and probably best characterizes your exchanges regarding this issue.

Brice

Thanks for your input and example.

Another programmer here discovered a simple and effective solution
to the problem. It won't prevent the 'determined' hacker either but it
does accomplish my main objective - to prevent the java script from
being viewed when the page is saved. (that just makes it too easy).

Here it is:

The javascript is in a seperate .js file, and the include line that normally
looks something like:

<script language="javascript" src="/file.js"></script>

is encoded to look like:

<script language=javascript>document.write(unescape(%3F%22 ...))</script>

where unescape is a javascript function that decodes the text (not a simple
hex encoding)

Suprisingly (to me) this prevents the actual javascript file from being
saved
and prevents the end users from veiwing the name of the jacascript source
file.

I'm a little unclear at this time where the unescape function is declared
but I
could not find it locally when veiwing a page downloaded with this
technique.

If anyone is interested in more details I will acquire them, just ask.

PS

Although not everything is possible, there are always options. ;-)

kpg

kpg wrote:

Here it is:

The javascript is in a seperate .js file, and the
include line that normally looks something like:

<script language="javascript" src="/file.js"></script>

is encoded to look like:

<script language=javascript>
document.write(unescape(%3F%22...))
</script>

where unescape is a javascript function that
decodes the text (not a simple hex encoding)

Suprisingly (to me) this prevents the actual
javascript file from being saved and prevents
the end users from veiwing the name of the
jacascript source file.

Just to chime in here real quick!

If I understand what you are doing above, you are basically unescaping
a serialzed, escaped version of all your javascript functions, which
would normally go it file.js?

Using document.write doesn't work, atleast for me. I had to use eval
to change it back into javascript that the browser would recognize, for
example:

<script type="text/javascript">

// mystring contains the escaped version of my javascript function.
//
mystring = escape("function sayHi(){alert(\"hello\");");
eval(unescape(mystring));
</script>
I'm a little unclear at this time where the unescape
function is declared but I could not find it locally
when veiwing a page downloaded with this technique.

unescape() is the converse of escape(), which are both functions built
into javascript core. If the person is knowledgable enough to need a
reason to steal your javascript, they are sure as hell going to know
how to to unescape the escaped string to retrieve the clean javascript,
but I am not touching why or why you shouldn't obfustication your code
with a 10' pole.

-- brian

Brian Munroe wrote:

[snip]

sorry, a little typo..here is the corrected version:

<html>
<body>

<script type="text/javascript">
// url encode sayHi()
//
mystring = escape("function sayHi() { alert(\"hello\");}");
eval(unescape(mystring));
</script>

<script type="text/javascript">

// This is what the encoded javascript looks like
//
document.write(mystring);

// here is the function in action, available to the browser
//
sayHi();
</script>

</body>
</html>

This does work and I've been using it for a while

Just put a response.end in sever tags at the top of the file in case someone
wants to serve it directly, something like:

<html>
<title>Bad request method</title>
<body>
Error - You are attempting inappropriate access to files on this server!<br>
Your IP address has been logged, and a reverse lookup has been done. The
results have been emailed to the webmaster.
</body>
</html>
<%
response.end
End If
%>
Dan
"David Young" <RE******************@yahoo.com> wrote in message
news:Og**************@TK2MSFTNGP15.phx.gbl...

First of all, you're not crazy. Back in the day, I did some development for the Netscape Enterprise Server. It used "Compiled" javascript and came with it's own compiler.

Now, I'm not as closed minded as some of the others here, so, I'm betting
there's a way to approach this. You know you can set your javascript source to a file right? So, what's to prevent us from making that file and aspx
file that sends content to the browser? Just make sure you set the content type before you output it. Next, I would think about how we can prevent the aspx file from being rendered by itself. You know, make sure it outputs
nothing if you typed it directly into the url. Should be easy enough to
accomplish.

Perhaps that's a good idea for my next project at home.

Dave

"kpg" <ip***@thereforeiam.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

Hello all,

I have an asp.net web application with tons of Java script files.

I would like to protect the Java Script somehow so it can't be
seen by a remote user.

I found several 3rd party solutions, but I thought I remember that
there was a way to 'compile' java script and use that instead of
the actual script?

The problem I have with 3rd party solutions is two-fold:

1) I'm cheap

2) I'm going to install the app on a customer's server for use by
their customers. I don't want them (my customer) or their customers
to have access to the java script files.

I think a 3rd party solution would work fine for me on my server, but I
can't really give the customer the app and the 3rd party protection thingy and say: install this so you can't see my code (because they might not!).
Anyway, I'm open to any solution.

Thanks
kpg

Problem: Jscript provided to client in discernable form.
Asset/Threat Analysis
0) View Source : UI/DHTML block
1) Js file link reference : prevent direct access via isapi filter|dynamic
rendering with check (asp/aspx/web svc)
2) Js content pulled from browser cache or intercepted with non SSL : SSL
for interception, "encode" for obfuscation
3) Decode encoded jscript C/O $29.99 utility available via internet : ...

Solution:
Strongly Encrypt js file content (VS encode) as function of "session"
(do misc AES homework for the background)
Generate AES Cipher Key and Ini Vector for "session" with "time" info
Call encrypted JS text via script (xmlhttp, web svc, etc)
Decrypt in client
Dynamically insert script element
(wink wink) Kill/Overwrite cookie with IV info

....google javascrypt and check out (msdn) AES resources for the details; or
check the academic publishing and (carefully!) roll your own implementation
of AES in jscript

Hi David

I don't quite understand what you are saying here.

First of all, doesn't Javascript have to be downloaded to the browser in
plain format for it to be executed? Will the browser execute "compiled" code?

Secondly, if the code is set to to a file, will the file not be in the local
cache where it can be viewed?

Regards

Manjit Dosanjh

"David Young" wrote:

First of all, you're not crazy. Back in the day, I did some development for
the Netscape Enterprise Server. It used "Compiled" javascript and came with
it's own compiler.

Now, I'm not as closed minded as some of the others here, so, I'm betting
there's a way to approach this. You know you can set your javascript source
to a file right? So, what's to prevent us from making that file and aspx
file that sends content to the browser? Just make sure you set the content
type before you output it. Next, I would think about how we can prevent the
aspx file from being rendered by itself. You know, make sure it outputs
nothing if you typed it directly into the url. Should be easy enough to
accomplish.

Perhaps that's a good idea for my next project at home.

Dave

"kpg" <ip***@thereforeiam.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

Hello all,

I have an asp.net web application with tons of Java script files.

I would like to protect the Java Script somehow so it can't be
seen by a remote user.

I found several 3rd party solutions, but I thought I remember that
there was a way to 'compile' java script and use that instead of
the actual script?

The problem I have with 3rd party solutions is two-fold:

1) I'm cheap

2) I'm going to install the app on a customer's server for use by
their customers. I don't want them (my customer) or their customers
to have access to the java script files.

I think a 3rd party solution would work fine for me on my server, but I
can't really give the customer the app and the 3rd party protection thingy
and say: install this so you can't see my code (because they might not!).

Anyway, I'm open to any solution.

Thanks
kpg