Hello all,
I have an asp.net web application with tons of Java script files.
I would like to protect the Java Script somehow so it can't be
seen by a remote user.
I found several 3rd party solutions, but I thought I remember that
there was a way to 'compile' java script and use that instead of
the actual script?
The problem I have with 3rd party solutions is two-fold:
1) I'm cheap
2) I'm going to install the app on a customer's server for use by
their customers. I don't want them (my customer) or their customers
to have access to the java script files.
I think a 3rd party solution would work fine for me on my server, but I
can't really give the customer the app and the 3rd party protection thingy
and say: install this so you can't see my code (because they might not!).
Anyway, I'm open to any solution.
Thanks
kpg 34 3277
Hi kpg,
If the browser can read it, so can you. So can anyone. It is not possible.
Hey, it's just JavaScript. Nothing worth protecting.
--
HTH,
Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.
"kpg" <ip***@thereforeiam.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl... Hello all,
I have an asp.net web application with tons of Java script files.
I would like to protect the Java Script somehow so it can't be seen by a remote user.
I found several 3rd party solutions, but I thought I remember that there was a way to 'compile' java script and use that instead of the actual script?
The problem I have with 3rd party solutions is two-fold:
1) I'm cheap
2) I'm going to install the app on a customer's server for use by their customers. I don't want them (my customer) or their customers to have access to the java script files.
I think a 3rd party solution would work fine for me on my server, but I can't really give the customer the app and the 3rd party protection thingy and say: install this so you can't see my code (because they might not!).
Anyway, I'm open to any solution.
Thanks kpg
You're thinking of the Windows Script Encoder http://www.microsoft.com/downloads/d...displaylang=en
It doesn't encrypt the javascript, but it will "keep honest people honest"
if such a thing can be said.
"kpg" wrote: Hello all,
I have an asp.net web application with tons of Java script files.
I would like to protect the Java Script somehow so it can't be seen by a remote user.
I found several 3rd party solutions, but I thought I remember that there was a way to 'compile' java script and use that instead of the actual script?
The problem I have with 3rd party solutions is two-fold:
1) I'm cheap
2) I'm going to install the app on a customer's server for use by their customers. I don't want them (my customer) or their customers to have access to the java script files.
I think a 3rd party solution would work fine for me on my server, but I can't really give the customer the app and the 3rd party protection thingy and say: install this so you can't see my code (because they might not!).
Anyway, I'm open to any solution.
Thanks kpg
you cant stop anyone whos determined however if you use a frameset you can
put all of your code into the _top object they'll have a jolly hard time
getting to it
"kpg" <ip***@thereforeiam.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl... Hello all,
I have an asp.net web application with tons of Java script files.
I would like to protect the Java Script somehow so it can't be seen by a remote user.
I found several 3rd party solutions, but I thought I remember that there was a way to 'compile' java script and use that instead of the actual script?
The problem I have with 3rd party solutions is two-fold:
1) I'm cheap
2) I'm going to install the app on a customer's server for use by their customers. I don't want them (my customer) or their customers to have access to the java script files.
I think a 3rd party solution would work fine for me on my server, but I can't really give the customer the app and the 3rd party protection thingy and say: install this so you can't see my code (because they might not!).
Anyway, I'm open to any solution.
Thanks kpg
"Josh" <s@a.com> wrote in message
news:Oh**************@TK2MSFTNGP14.phx.gbl... you cant stop anyone whos determined however if you use a frameset you can put all of your code into the _top object they'll have a jolly hard time getting to it
Right-click the frame and go to view-source to view a specific frame. To
view the top frame, goto View->Source on the file menu to see it...if it's
disabled, use Mozilla.
Point is, there is always a way to view the source :)
Mythran
First of all, you're not crazy. Back in the day, I did some development for
the Netscape Enterprise Server. It used "Compiled" javascript and came with
it's own compiler.
Now, I'm not as closed minded as some of the others here, so, I'm betting
there's a way to approach this. You know you can set your javascript source
to a file right? So, what's to prevent us from making that file and aspx
file that sends content to the browser? Just make sure you set the content
type before you output it. Next, I would think about how we can prevent the
aspx file from being rendered by itself. You know, make sure it outputs
nothing if you typed it directly into the url. Should be easy enough to
accomplish.
Perhaps that's a good idea for my next project at home.
Dave
"kpg" <ip***@thereforeiam.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl... Hello all,
I have an asp.net web application with tons of Java script files.
I would like to protect the Java Script somehow so it can't be seen by a remote user.
I found several 3rd party solutions, but I thought I remember that there was a way to 'compile' java script and use that instead of the actual script?
The problem I have with 3rd party solutions is two-fold:
1) I'm cheap
2) I'm going to install the app on a customer's server for use by their customers. I don't want them (my customer) or their customers to have access to the java script files.
I think a 3rd party solution would work fine for me on my server, but I can't really give the customer the app and the 3rd party protection thingy and say: install this so you can't see my code (because they might not!).
Anyway, I'm open to any solution.
Thanks kpg
That's interesting! I posted a reply, but when I went to check on it, my
reader stated that the message was no longer on the server. Then, I
reloaded the headers and the message was gone alltogether. Anyway, here it
is again.
1) Compiled javascript is something that Netscape used in it's Enterprise
Servers. It came with it's own compiler and, from what I remember, was
pretty cool to use.
2) I'm not a quick to dismiss this option as some of my counterparts seem to
be. Why won't this work? First, you know you can keep you javascript in a
js file and reference it remotely right? Now just thinking off the top of
my head, here's two possibilities.
a) using encryption, encrypt the source file and have your page decrypt it
when you pull it up. Would be some overhead involved in this, but it will
work.
b) Instead of linking to a .js file, link to a .aspx file that sends your js
source to the output buffer. Just make sure you set the content type. Then
I would look for a way to make sure that the page renders nothing when you
pull it up in the browser.
In other words, there always a way.
Sounds like an interesting project to work on in my spare time at home.
Dave
"kpg" <ip***@thereforeiam.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl... Hello all,
I have an asp.net web application with tons of Java script files.
I would like to protect the Java Script somehow so it can't be seen by a remote user.
I found several 3rd party solutions, but I thought I remember that there was a way to 'compile' java script and use that instead of the actual script?
The problem I have with 3rd party solutions is two-fold:
1) I'm cheap
2) I'm going to install the app on a customer's server for use by their customers. I don't want them (my customer) or their customers to have access to the java script files.
I think a 3rd party solution would work fine for me on my server, but I can't really give the customer the app and the 3rd party protection thingy and say: install this so you can't see my code (because they might not!).
Anyway, I'm open to any solution.
Thanks kpg
Well I got both your messages!
Thanks for the input. You gave me something to think about.
--
kpg
Do honest people NEED to be kept honest?
Do well people need a doctor?
Does a PHD need a high school education?
--
HTH,
Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.
"Brad Quinn" <Br*******@discussions.microsoft.com> wrote in message
news:9D**********************************@microsof t.com... You're thinking of the Windows Script Encoder. http://www.microsoft.com/downloads/d...displaylang=en
It doesn't encrypt the javascript, but it will "keep honest people honest" if such a thing can be said.
"kpg" wrote:
Hello all,
I have an asp.net web application with tons of Java script files.
I would like to protect the Java Script somehow so it can't be seen by a remote user.
I found several 3rd party solutions, but I thought I remember that there was a way to 'compile' java script and use that instead of the actual script?
The problem I have with 3rd party solutions is two-fold:
1) I'm cheap
2) I'm going to install the app on a customer's server for use by their customers. I don't want them (my customer) or their customers to have access to the java script files.
I think a 3rd party solution would work fine for me on my server, but I can't really give the customer the app and the 3rd party protection thingy and say: install this so you can't see my code (because they might not!).
Anyway, I'm open to any solution.
Thanks kpg
> Now, I'm not as closed minded as some of the others here
Anyone who is open-minded about what they do know knows nothing. For
example, solve the following arithmentic problem:
1 + 2 = ?
Now, when I was 3 years old I was entitled to be open-minded about the
answer to that question. If I were open-minded about it now, I would be a
fool.
IOW, just because you don't know something doesn't make your open-mindedness
a virtue.
--
HTH,
Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message
news:Og**************@TK2MSFTNGP15.phx.gbl... First of all, you're not crazy. Back in the day, I did some development for the Netscape Enterprise Server. It used "Compiled" javascript and came with it's own compiler.
Now, I'm not as closed minded as some of the others here, so, I'm betting there's a way to approach this. You know you can set your javascript source to a file right? So, what's to prevent us from making that file and aspx file that sends content to the browser? Just make sure you set the content type before you output it. Next, I would think about how we can prevent the aspx file from being rendered by itself. You know, make sure it outputs nothing if you typed it directly into the url. Should be easy enough to accomplish.
Perhaps that's a good idea for my next project at home.
Dave
"kpg" <ip***@thereforeiam.com> wrote in message news:%2****************@TK2MSFTNGP10.phx.gbl... Hello all,
I have an asp.net web application with tons of Java script files.
I would like to protect the Java Script somehow so it can't be seen by a remote user.
I found several 3rd party solutions, but I thought I remember that there was a way to 'compile' java script and use that instead of the actual script?
The problem I have with 3rd party solutions is two-fold:
1) I'm cheap
2) I'm going to install the app on a customer's server for use by their customers. I don't want them (my customer) or their customers to have access to the java script files.
I think a 3rd party solution would work fine for me on my server, but I can't really give the customer the app and the 3rd party protection thingy and say: install this so you can't see my code (because they might not!).
Anyway, I'm open to any solution.
Thanks kpg
> Do honest people NEED to be kept honest?
Yes. Do well people need a doctor?
Only if you have an HMO.
Does a PHD need a high school education?
From schools today? Probably No.
Does my Java Script NEED protecting?
No. But my boss wants it protected.
Am I going to tell him it can't be done?
I haven't decided on that yet.
kpg
I shudder to think what this world would be like if we all had the same
opinion as you did.
Keeping an open mind is what gives birth to invention and discovery. I
doesn't matter what you know or know not, all that matters is that there are
people out there who look at a problem and say. You know, I bet there's a
way to get around that. You go ahead and say it can't be done while I find
a way to do it. And as for the why? Because I Can!
So, you continue to be closed minded and I'll continue to be an open-minded
"fool".
cheers.
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:%2****************@TK2MSFTNGP15.phx.gbl... Now, I'm not as closed minded as some of the others here Anyone who is open-minded about what they do know knows nothing. For example, solve the following arithmentic problem:
1 + 2 = ?
Now, when I was 3 years old I was entitled to be open-minded about the answer to that question. If I were open-minded about it now, I would be a fool.
IOW, just because you don't know something doesn't make your
open-mindedness a virtue.
-- HTH,
Kevin Spencer Microsoft MVP .Net Developer What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message news:Og**************@TK2MSFTNGP15.phx.gbl... First of all, you're not crazy. Back in the day, I did some development for the Netscape Enterprise Server. It used "Compiled" javascript and came with it's own compiler.
Now, I'm not as closed minded as some of the others here, so, I'm
betting there's a way to approach this. You know you can set your javascript source to a file right? So, what's to prevent us from making that file and
aspx file that sends content to the browser? Just make sure you set the content type before you output it. Next, I would think about how we can prevent the aspx file from being rendered by itself. You know, make sure it outputs nothing if you typed it directly into the url. Should be easy enough to accomplish.
Perhaps that's a good idea for my next project at home.
Dave
"kpg" <ip***@thereforeiam.com> wrote in message news:%2****************@TK2MSFTNGP10.phx.gbl... Hello all,
I have an asp.net web application with tons of Java script files.
I would like to protect the Java Script somehow so it can't be seen by a remote user.
I found several 3rd party solutions, but I thought I remember that there was a way to 'compile' java script and use that instead of the actual script?
The problem I have with 3rd party solutions is two-fold:
1) I'm cheap
2) I'm going to install the app on a customer's server for use by their customers. I don't want them (my customer) or their customers to have access to the java script files.
I think a 3rd party solution would work fine for me on my server, but I can't really give the customer the app and the 3rd party protection thingy and say: install this so you can't see my code (because they might
not!). Anyway, I'm open to any solution.
Thanks kpg
Hi David,
I was afraid you would misunderstand me. I wasn't calling YOU a fool. I was
saying that if I know something, and act like I don't then I am a fool. I
don't blame you at all for being open-minded. When you don't know something,
that is the right way to be. When one DOES know something, such as whether
you can hide or obfuscate JavaScript succesfully (and I do know that), one
would be a fool to say that one does not.
IOW, you are right to be open-minded about this, and I am right to be
close-minded about it.
Old saying (can't attribute the author):
"He who knows not, and knows not that he knows not is a fool. Shun him.
He who knows not, and knows that he knows not, is a student. Teach him.
He who knows, and knows not that he knows, is asleep. Wake him.
He who knows, and knows that he knows, is wise. Follow him."
Friends? :)
--
HTH,
Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message
news:OP**************@tk2msftngp13.phx.gbl... I shudder to think what this world would be like if we all had the same opinion as you did.
Keeping an open mind is what gives birth to invention and discovery. I doesn't matter what you know or know not, all that matters is that there are people out there who look at a problem and say. You know, I bet there's a way to get around that. You go ahead and say it can't be done while I find a way to do it. And as for the why? Because I Can!
So, you continue to be closed minded and I'll continue to be an open-minded "fool".
cheers.
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message news:%2****************@TK2MSFTNGP15.phx.gbl... > Now, I'm not as closed minded as some of the others here
Anyone who is open-minded about what they do know knows nothing. For example, solve the following arithmentic problem:
1 + 2 = ?
Now, when I was 3 years old I was entitled to be open-minded about the answer to that question. If I were open-minded about it now, I would be a fool.
IOW, just because you don't know something doesn't make your
open-mindedness a virtue.
-- HTH,
Kevin Spencer Microsoft MVP .Net Developer What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message news:Og**************@TK2MSFTNGP15.phx.gbl... > First of all, you're not crazy. Back in the day, I did some > development > for > the Netscape Enterprise Server. It used "Compiled" javascript and came > with > it's own compiler. > > Now, I'm not as closed minded as some of the others here, so, I'm betting > there's a way to approach this. You know you can set your javascript > source > to a file right? So, what's to prevent us from making that file and aspx > file that sends content to the browser? Just make sure you set the > content > type before you output it. Next, I would think about how we can > prevent > the > aspx file from being rendered by itself. You know, make sure it > outputs > nothing if you typed it directly into the url. Should be easy enough > to > accomplish. > > Perhaps that's a good idea for my next project at home. > > Dave > > "kpg" <ip***@thereforeiam.com> wrote in message > news:%2****************@TK2MSFTNGP10.phx.gbl... >> Hello all, >> >> I have an asp.net web application with tons of Java script files. >> >> I would like to protect the Java Script somehow so it can't be >> seen by a remote user. >> >> I found several 3rd party solutions, but I thought I remember that >> there was a way to 'compile' java script and use that instead of >> the actual script? >> >> The problem I have with 3rd party solutions is two-fold: >> >> 1) I'm cheap >> >> 2) I'm going to install the app on a customer's server for use by >> their customers. I don't want them (my customer) or their customers >> to have access to the java script files. >> >> I think a 3rd party solution would work fine for me on my server, but >> I >> can't really give the customer the app and the 3rd party protection >> thingy >> and say: install this so you can't see my code (because they might not!). >> >> Anyway, I'm open to any solution. >> >> Thanks >> kpg >> > >
Ok, here's your solution:
Create an aspx page. Call it "JSSource.aspx"
Open the HTML view and delete everything except the contents of the <@ Page>
directive.
Open the Code Behind for this page.
Add two using statements:
using System.Text;
using System.IO;
Add the following to the Page_Load handler:
private void Page_Load(object sender, System.EventArgs e)
{
// Put user code to initialize the page here
string script;
StringBuilder b = new StringBuilder();
b.Append("function doOnLoad(){");
b.Append("alert('hello there');}");
if(Request.UrlReferrer==null||Request.UrlReferrer. Host!="localhost")
script = "var youbite = 'eat me';";
else
script = b.ToString();
ASCIIEncoding encoder = new ASCIIEncoding();
byte[] buffer = encoder.GetBytes(script);
Response.ContentType = "text/javascript";
Response.OutputStream.Write(buffer,0,buffer.Length );
}
Then create a new aspx page. Call it JSClient.aspx
Open the HTML View and add the following betweent the </HEAD> and <BODY>
tags.
<script Language="javascript" type="text/css" src="JSSource.aspx"></script>
in the Body tag, add the following onLoad="doOnLoad();"
Then create a third page. Call it "Launch.aspx" add a hyperlink control, or
a simple <A href> tag. the NavigateUrl = "JSClient.aspx"
Build and launch the "Launch.aspx" page. When you click on the link, it'll
load the JSClient.aspx page and you should get a nice little Hello World
popup.
Enhance as you see fit. Another think you may want to think about is
caching. You may want to make sure to add directives to prevent the browser
from caching the JSSource.aspx page. Also, if it's being deployed on a
client site, they could open the site's dll with something lik Reflector and
see your source, so you might want to obfuscate that.
It's a little simple I agree, but it's the best I could come up with on such
short notice.
BTW - Never accept never as an answer. When they say it can't be done, be
like me and say why not. Sometimes ignorance is bliss.
Dave
"kpg" <ip***@thereforeiam.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl... Hello all,
I have an asp.net web application with tons of Java script files.
I would like to protect the Java Script somehow so it can't be seen by a remote user.
I found several 3rd party solutions, but I thought I remember that there was a way to 'compile' java script and use that instead of the actual script?
The problem I have with 3rd party solutions is two-fold:
1) I'm cheap
2) I'm going to install the app on a customer's server for use by their customers. I don't want them (my customer) or their customers to have access to the java script files.
I think a 3rd party solution would work fine for me on my server, but I can't really give the customer the app and the 3rd party protection thingy and say: install this so you can't see my code (because they might not!).
Anyway, I'm open to any solution.
Thanks kpg
Oh, I understand perfectly. You are saying that since I don't know any
better, it's ok to be "open-minded".
You also said that since you already know that it is not possible to do what
he asked, then in your case, it's ok to be "closed-minded", because you know
it can't be done (and you do know that).
I really appreciate you clearing all that up for me. Next time, I guess
I'll know better.
Friends?;)
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:%2***************@TK2MSFTNGP12.phx.gbl... Hi David,
I was afraid you would misunderstand me. I wasn't calling YOU a fool. I
was saying that if I know something, and act like I don't then I am a fool. I don't blame you at all for being open-minded. When you don't know
something, that is the right way to be. When one DOES know something, such as whether you can hide or obfuscate JavaScript succesfully (and I do know that), one would be a fool to say that one does not.
IOW, you are right to be open-minded about this, and I am right to be close-minded about it.
Old saying (can't attribute the author):
"He who knows not, and knows not that he knows not is a fool. Shun him. He who knows not, and knows that he knows not, is a student. Teach him. He who knows, and knows not that he knows, is asleep. Wake him. He who knows, and knows that he knows, is wise. Follow him."
Friends? :)
-- HTH,
Kevin Spencer Microsoft MVP .Net Developer What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message news:OP**************@tk2msftngp13.phx.gbl...I shudder to think what this world would be like if we all had the same opinion as you did.
Keeping an open mind is what gives birth to invention and discovery. I doesn't matter what you know or know not, all that matters is that there are people out there who look at a problem and say. You know, I bet there's
a way to get around that. You go ahead and say it can't be done while I find a way to do it. And as for the why? Because I Can!
So, you continue to be closed minded and I'll continue to be an open-minded "fool".
cheers.
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message news:%2****************@TK2MSFTNGP15.phx.gbl... > Now, I'm not as closed minded as some of the others here
Anyone who is open-minded about what they do know knows nothing. For example, solve the following arithmentic problem:
1 + 2 = ?
Now, when I was 3 years old I was entitled to be open-minded about the answer to that question. If I were open-minded about it now, I would be
a fool.
IOW, just because you don't know something doesn't make your open-mindedness a virtue.
-- HTH,
Kevin Spencer Microsoft MVP .Net Developer What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message news:Og**************@TK2MSFTNGP15.phx.gbl... > First of all, you're not crazy. Back in the day, I did some > development > for > the Netscape Enterprise Server. It used "Compiled" javascript and
came > with > it's own compiler. > > Now, I'm not as closed minded as some of the others here, so, I'm betting > there's a way to approach this. You know you can set your javascript > source > to a file right? So, what's to prevent us from making that file and aspx > file that sends content to the browser? Just make sure you set the > content > type before you output it. Next, I would think about how we can > prevent > the > aspx file from being rendered by itself. You know, make sure it > outputs > nothing if you typed it directly into the url. Should be easy enough > to > accomplish. > > Perhaps that's a good idea for my next project at home. > > Dave > > "kpg" <ip***@thereforeiam.com> wrote in message > news:%2****************@TK2MSFTNGP10.phx.gbl... >> Hello all, >> >> I have an asp.net web application with tons of Java script files. >> >> I would like to protect the Java Script somehow so it can't be >> seen by a remote user. >> >> I found several 3rd party solutions, but I thought I remember that >> there was a way to 'compile' java script and use that instead of >> the actual script? >> >> The problem I have with 3rd party solutions is two-fold: >> >> 1) I'm cheap >> >> 2) I'm going to install the app on a customer's server for use by >> their customers. I don't want them (my customer) or their customers >> to have access to the java script files. >> >> I think a 3rd party solution would work fine for me on my server,
but >> I >> can't really give the customer the app and the 3rd party protection >> thingy >> and say: install this so you can't see my code (because they might not!). >> >> Anyway, I'm open to any solution. >> >> Thanks >> kpg >> > >
Your solution has been tried before. Many times.
Don't forget, Columbus only discovered America for those that didn't already
know it was there (like the Indians).
I don't cliam to know everything. I simply claim to know what I do know of
what is already known.
Ignorance may be bliss, but knowledge is power. I'll settle for bliss when
I'm sleeping, and when I die. Until then, I have too many responsibilities
that require knowledge to fulfill. And I take my responsiblities seriously.
--
HTH,
Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message
news:u5**************@TK2MSFTNGP10.phx.gbl... Oh, I understand perfectly. You are saying that since I don't know any better, it's ok to be "open-minded".
You also said that since you already know that it is not possible to do what he asked, then in your case, it's ok to be "closed-minded", because you know it can't be done (and you do know that).
I really appreciate you clearing all that up for me. Next time, I guess I'll know better.
Friends?;) "Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message news:%2***************@TK2MSFTNGP12.phx.gbl... Hi David,
I was afraid you would misunderstand me. I wasn't calling YOU a fool. I was saying that if I know something, and act like I don't then I am a fool. I don't blame you at all for being open-minded. When you don't know something, that is the right way to be. When one DOES know something, such as whether you can hide or obfuscate JavaScript succesfully (and I do know that), one would be a fool to say that one does not.
IOW, you are right to be open-minded about this, and I am right to be close-minded about it.
Old saying (can't attribute the author):
"He who knows not, and knows not that he knows not is a fool. Shun him. He who knows not, and knows that he knows not, is a student. Teach him. He who knows, and knows not that he knows, is asleep. Wake him. He who knows, and knows that he knows, is wise. Follow him."
Friends? :)
-- HTH,
Kevin Spencer Microsoft MVP .Net Developer What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message news:OP**************@tk2msftngp13.phx.gbl... >I shudder to think what this world would be like if we all had the same > opinion as you did. > > Keeping an open mind is what gives birth to invention and discovery. I > doesn't matter what you know or know not, all that matters is that > there > are > people out there who look at a problem and say. You know, I bet > there's a > way to get around that. You go ahead and say it can't be done while I > find > a way to do it. And as for the why? Because I Can! > > So, you continue to be closed minded and I'll continue to be an > open-minded > "fool". > > cheers. > > "Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message > news:%2****************@TK2MSFTNGP15.phx.gbl... >> > Now, I'm not as closed minded as some of the others here >> >> Anyone who is open-minded about what they do know knows nothing. For >> example, solve the following arithmentic problem: >> >> 1 + 2 = ? >> >> Now, when I was 3 years old I was entitled to be open-minded about the >> answer to that question. If I were open-minded about it now, I would >> be a >> fool. >> >> IOW, just because you don't know something doesn't make your > open-mindedness >> a virtue. >> >> -- >> HTH, >> >> Kevin Spencer >> Microsoft MVP >> .Net Developer >> What You Seek Is What You Get. >> >> "David Young" <RE******************@yahoo.com> wrote in message >> news:Og**************@TK2MSFTNGP15.phx.gbl... >> > First of all, you're not crazy. Back in the day, I did some >> > development >> > for >> > the Netscape Enterprise Server. It used "Compiled" javascript and came >> > with >> > it's own compiler. >> > >> > Now, I'm not as closed minded as some of the others here, so, I'm > betting >> > there's a way to approach this. You know you can set your >> > javascript >> > source >> > to a file right? So, what's to prevent us from making that file and > aspx >> > file that sends content to the browser? Just make sure you set the >> > content >> > type before you output it. Next, I would think about how we can >> > prevent >> > the >> > aspx file from being rendered by itself. You know, make sure it >> > outputs >> > nothing if you typed it directly into the url. Should be easy >> > enough >> > to >> > accomplish. >> > >> > Perhaps that's a good idea for my next project at home. >> > >> > Dave >> > >> > "kpg" <ip***@thereforeiam.com> wrote in message >> > news:%2****************@TK2MSFTNGP10.phx.gbl... >> >> Hello all, >> >> >> >> I have an asp.net web application with tons of Java script files. >> >> >> >> I would like to protect the Java Script somehow so it can't be >> >> seen by a remote user. >> >> >> >> I found several 3rd party solutions, but I thought I remember that >> >> there was a way to 'compile' java script and use that instead of >> >> the actual script? >> >> >> >> The problem I have with 3rd party solutions is two-fold: >> >> >> >> 1) I'm cheap >> >> >> >> 2) I'm going to install the app on a customer's server for use by >> >> their customers. I don't want them (my customer) or their >> >> customers >> >> to have access to the java script files. >> >> >> >> I think a 3rd party solution would work fine for me on my server, but >> >> I >> >> can't really give the customer the app and the 3rd party protection >> >> thingy >> >> and say: install this so you can't see my code (because they might > not!). >> >> >> >> Anyway, I'm open to any solution. >> >> >> >> Thanks >> >> kpg >> >> >> > >> > >> >> > >
I guess I just don't understand you then. You told KPG that what he wanted
to do was not possible. You ridicule me for saying that we should keep an
open mind about it. I post a solution that WORKS and you say it's been
tried that way before.
If you knew of the solution, why didn't you just post it in the first place
instead of telling him it couldn't be done?
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:OA****************@TK2MSFTNGP14.phx.gbl... Your solution has been tried before. Many times.
Don't forget, Columbus only discovered America for those that didn't
already know it was there (like the Indians).
I don't cliam to know everything. I simply claim to know what I do know of what is already known.
Ignorance may be bliss, but knowledge is power. I'll settle for bliss when I'm sleeping, and when I die. Until then, I have too many responsibilities that require knowledge to fulfill. And I take my responsiblities
seriously. -- HTH,
Kevin Spencer Microsoft MVP .Net Developer What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message news:u5**************@TK2MSFTNGP10.phx.gbl... Oh, I understand perfectly. You are saying that since I don't know any better, it's ok to be "open-minded".
You also said that since you already know that it is not possible to do what he asked, then in your case, it's ok to be "closed-minded", because you know it can't be done (and you do know that).
I really appreciate you clearing all that up for me. Next time, I guess I'll know better.
Friends?;) "Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message news:%2***************@TK2MSFTNGP12.phx.gbl... Hi David,
I was afraid you would misunderstand me. I wasn't calling YOU a fool. I was saying that if I know something, and act like I don't then I am a fool.
I don't blame you at all for being open-minded. When you don't know something, that is the right way to be. When one DOES know something, such as whether you can hide or obfuscate JavaScript succesfully (and I do know that), one would be a fool to say that one does not.
IOW, you are right to be open-minded about this, and I am right to be close-minded about it.
Old saying (can't attribute the author):
"He who knows not, and knows not that he knows not is a fool. Shun him. He who knows not, and knows that he knows not, is a student. Teach him. He who knows, and knows not that he knows, is asleep. Wake him. He who knows, and knows that he knows, is wise. Follow him."
Friends? :)
-- HTH,
Kevin Spencer Microsoft MVP .Net Developer What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message news:OP**************@tk2msftngp13.phx.gbl... >I shudder to think what this world would be like if we all had the
same > opinion as you did. > > Keeping an open mind is what gives birth to invention and discovery.
I > doesn't matter what you know or know not, all that matters is that > there > are > people out there who look at a problem and say. You know, I bet > there's a > way to get around that. You go ahead and say it can't be done while
I > find > a way to do it. And as for the why? Because I Can! > > So, you continue to be closed minded and I'll continue to be an > open-minded > "fool". > > cheers. > > "Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message > news:%2****************@TK2MSFTNGP15.phx.gbl... >> > Now, I'm not as closed minded as some of the others here >> >> Anyone who is open-minded about what they do know knows nothing. For
>> example, solve the following arithmentic problem: >> >> 1 + 2 = ? >> >> Now, when I was 3 years old I was entitled to be open-minded about
the >> answer to that question. If I were open-minded about it now, I would >> be a >> fool. >> >> IOW, just because you don't know something doesn't make your > open-mindedness >> a virtue. >> >> -- >> HTH, >> >> Kevin Spencer >> Microsoft MVP >> .Net Developer >> What You Seek Is What You Get. >> >> "David Young" <RE******************@yahoo.com> wrote in message >> news:Og**************@TK2MSFTNGP15.phx.gbl... >> > First of all, you're not crazy. Back in the day, I did some >> > development >> > for >> > the Netscape Enterprise Server. It used "Compiled" javascript and came >> > with >> > it's own compiler. >> > >> > Now, I'm not as closed minded as some of the others here, so, I'm > betting >> > there's a way to approach this. You know you can set your >> > javascript >> > source >> > to a file right? So, what's to prevent us from making that file
and > aspx >> > file that sends content to the browser? Just make sure you set
the >> > content >> > type before you output it. Next, I would think about how we can >> > prevent >> > the >> > aspx file from being rendered by itself. You know, make sure it >> > outputs >> > nothing if you typed it directly into the url. Should be easy >> > enough >> > to >> > accomplish. >> > >> > Perhaps that's a good idea for my next project at home. >> > >> > Dave >> > >> > "kpg" <ip***@thereforeiam.com> wrote in message >> > news:%2****************@TK2MSFTNGP10.phx.gbl... >> >> Hello all, >> >> >> >> I have an asp.net web application with tons of Java script files. >> >> >> >> I would like to protect the Java Script somehow so it can't be >> >> seen by a remote user. >> >> >> >> I found several 3rd party solutions, but I thought I remember
that >> >> there was a way to 'compile' java script and use that instead of >> >> the actual script? >> >> >> >> The problem I have with 3rd party solutions is two-fold: >> >> >> >> 1) I'm cheap >> >> >> >> 2) I'm going to install the app on a customer's server for use by >> >> their customers. I don't want them (my customer) or their >> >> customers >> >> to have access to the java script files. >> >> >> >> I think a 3rd party solution would work fine for me on my server, but >> >> I >> >> can't really give the customer the app and the 3rd party
protection >> >> thingy >> >> and say: install this so you can't see my code (because they
might > not!). >> >> >> >> Anyway, I'm open to any solution. >> >> >> >> Thanks >> >> kpg >> >> >> > >> > >> >> > >
Hi David,
First, I didn't ridicule you.
Second, your solution doesn't "work." It can be circumvented just like all
the others.
Third, I said it had been tried. I didn't say succesfully. If it had been
tried successfully, I would not have said that there is no solution. There
is no solution. I could go into details (there are excellent technical
reasons why it can't be done), but this is all old history. Only interesting
to someone that hasn't heard it all before. And most of the rest of us have
heard it all before. We're Indians. You're Columbus. Welcome to the New
World.
--
HTH,
Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message
news:uE**************@TK2MSFTNGP14.phx.gbl... I guess I just don't understand you then. You told KPG that what he wanted to do was not possible. You ridicule me for saying that we should keep an open mind about it. I post a solution that WORKS and you say it's been tried that way before.
If you knew of the solution, why didn't you just post it in the first place instead of telling him it couldn't be done?
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message news:OA****************@TK2MSFTNGP14.phx.gbl... Your solution has been tried before. Many times.
Don't forget, Columbus only discovered America for those that didn't already know it was there (like the Indians).
I don't cliam to know everything. I simply claim to know what I do know of what is already known.
Ignorance may be bliss, but knowledge is power. I'll settle for bliss when I'm sleeping, and when I die. Until then, I have too many responsibilities that require knowledge to fulfill. And I take my responsiblities seriously. -- HTH,
Kevin Spencer Microsoft MVP .Net Developer What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message news:u5**************@TK2MSFTNGP10.phx.gbl... > Oh, I understand perfectly. You are saying that since I don't know any > better, it's ok to be "open-minded". > > You also said that since you already know that it is not possible to do > what > he asked, then in your case, it's ok to be "closed-minded", because you > know > it can't be done (and you do know that). > > I really appreciate you clearing all that up for me. Next time, I > guess > I'll know better. > > Friends?;) > > > > "Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message > news:%2***************@TK2MSFTNGP12.phx.gbl... >> Hi David, >> >> I was afraid you would misunderstand me. I wasn't calling YOU a fool. >> I > was >> saying that if I know something, and act like I don't then I am a >> fool. I >> don't blame you at all for being open-minded. When you don't know > something, >> that is the right way to be. When one DOES know something, such as >> whether >> you can hide or obfuscate JavaScript succesfully (and I do know that), >> one >> would be a fool to say that one does not. >> >> IOW, you are right to be open-minded about this, and I am right to be >> close-minded about it. >> >> Old saying (can't attribute the author): >> >> "He who knows not, and knows not that he knows not is a fool. Shun >> him. >> He who knows not, and knows that he knows not, is a student. Teach >> him. >> He who knows, and knows not that he knows, is asleep. Wake him. >> He who knows, and knows that he knows, is wise. Follow him." >> >> Friends? :) >> >> -- >> HTH, >> >> Kevin Spencer >> Microsoft MVP >> .Net Developer >> What You Seek Is What You Get. >> >> >> "David Young" <RE******************@yahoo.com> wrote in message >> news:OP**************@tk2msftngp13.phx.gbl... >> >I shudder to think what this world would be like if we all had the same >> > opinion as you did. >> > >> > Keeping an open mind is what gives birth to invention and discovery. I >> > doesn't matter what you know or know not, all that matters is that >> > there >> > are >> > people out there who look at a problem and say. You know, I bet >> > there's > a >> > way to get around that. You go ahead and say it can't be done while I >> > find >> > a way to do it. And as for the why? Because I Can! >> > >> > So, you continue to be closed minded and I'll continue to be an >> > open-minded >> > "fool". >> > >> > cheers. >> > >> > "Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message >> > news:%2****************@TK2MSFTNGP15.phx.gbl... >> >> > Now, I'm not as closed minded as some of the others here >> >> >> >> Anyone who is open-minded about what they do know knows nothing. >> >> For >> >> example, solve the following arithmentic problem: >> >> >> >> 1 + 2 = ? >> >> >> >> Now, when I was 3 years old I was entitled to be open-minded about the >> >> answer to that question. If I were open-minded about it now, I >> >> would >> >> be > a >> >> fool. >> >> >> >> IOW, just because you don't know something doesn't make your >> > open-mindedness >> >> a virtue. >> >> >> >> -- >> >> HTH, >> >> >> >> Kevin Spencer >> >> Microsoft MVP >> >> .Net Developer >> >> What You Seek Is What You Get. >> >> >> >> "David Young" <RE******************@yahoo.com> wrote in message >> >> news:Og**************@TK2MSFTNGP15.phx.gbl... >> >> > First of all, you're not crazy. Back in the day, I did some >> >> > development >> >> > for >> >> > the Netscape Enterprise Server. It used "Compiled" javascript >> >> > and > came >> >> > with >> >> > it's own compiler. >> >> > >> >> > Now, I'm not as closed minded as some of the others here, so, I'm >> > betting >> >> > there's a way to approach this. You know you can set your >> >> > javascript >> >> > source >> >> > to a file right? So, what's to prevent us from making that file and >> > aspx >> >> > file that sends content to the browser? Just make sure you set the >> >> > content >> >> > type before you output it. Next, I would think about how we can >> >> > prevent >> >> > the >> >> > aspx file from being rendered by itself. You know, make sure it >> >> > outputs >> >> > nothing if you typed it directly into the url. Should be easy >> >> > enough >> >> > to >> >> > accomplish. >> >> > >> >> > Perhaps that's a good idea for my next project at home. >> >> > >> >> > Dave >> >> > >> >> > "kpg" <ip***@thereforeiam.com> wrote in message >> >> > news:%2****************@TK2MSFTNGP10.phx.gbl... >> >> >> Hello all, >> >> >> >> >> >> I have an asp.net web application with tons of Java script >> >> >> files. >> >> >> >> >> >> I would like to protect the Java Script somehow so it can't be >> >> >> seen by a remote user. >> >> >> >> >> >> I found several 3rd party solutions, but I thought I remember that >> >> >> there was a way to 'compile' java script and use that instead of >> >> >> the actual script? >> >> >> >> >> >> The problem I have with 3rd party solutions is two-fold: >> >> >> >> >> >> 1) I'm cheap >> >> >> >> >> >> 2) I'm going to install the app on a customer's server for use >> >> >> by >> >> >> their customers. I don't want them (my customer) or their >> >> >> customers >> >> >> to have access to the java script files. >> >> >> >> >> >> I think a 3rd party solution would work fine for me on my >> >> >> server, > but >> >> >> I >> >> >> can't really give the customer the app and the 3rd party protection >> >> >> thingy >> >> >> and say: install this so you can't see my code (because they might >> > not!). >> >> >> >> >> >> Anyway, I'm open to any solution. >> >> >> >> >> >> Thanks >> >> >> kpg >> >> >> >> >> > >> >> > >> >> >> >> >> > >> > >> >> > >
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl... Second, your solution doesn't "work." It can be circumvented just like all the others.
Ok, aside from packet sniffing and decompiling the source, how can it be
circumvented. Not being a smartass here, just the ignorant student asking a
question of the master.
We're Indians. You're Columbus. Welcome to the New World.
Whatever.
-- HTH,
Kevin Spencer Microsoft MVP .Net Developer What You Seek Is What You Get.
Hi David,
I'm no master. I'm not sure what a "master" is. I am faced every day with
problems that I must learn something new in order to solve. Lately, for
example, I've been struggling with modelling a small aircraft in a 3D
terrain scene based on GPS data that comes in at about 1 data point per
second. To do the interpolation/extrapolation requires some trigonometry
(not a problem) and some calculus (a problem). So, I've been getting help
with the calculus, and kicking myself for not knowing it, and costing my
employer money as a result. I've bought a couple of books on calculus, and
hopefully will get better at it as I go. I plan to study it at home in my
free time.
I couldn't begin to write an operating system. There are programmers out
there who seem like gods to me. Most of them work for Microsoft or some
Gaming software company.
I only know one thing that you do not, that I know of. And I'm sure you know
a thing or 2 that I do not. That's what we're here for, to help each other
out along the way.
I may come across as a "master" because I tend to keep my mouth shut about
the things I do not know, and speak with authority about the things I DO
know. Occasionally I will make a guess, but not often, and then I will
qualify my remarks by saying that I am guessing. But the perception would be
merely on the part of the perceiver.
So relax, we're all in the same leaky boat together. It's not about people
and personalities, it's about knowledge. I'll share mine with you, and
hopefully, when I'm stuck, you'll share yours with me.
--
HTH,
Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message
news:uj**************@TK2MSFTNGP14.phx.gbl... "Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message news:%2****************@TK2MSFTNGP12.phx.gbl... Second, your solution doesn't "work." It can be circumvented just like all the others.
Ok, aside from packet sniffing and decompiling the source, how can it be circumvented. Not being a smartass here, just the ignorant student asking a question of the master.
We're Indians. You're Columbus. Welcome to the New World.
Whatever.
-- HTH,
Kevin Spencer Microsoft MVP .Net Developer What You Seek Is What You Get.
So, I guess that means you're not going to share with me how my solution can
be circumvented? Again, outside packet sniffing and decompiling (both of
which can be addressed).
Google it. It's old news.
--
HTH,
Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl... So, I guess that means you're not going to share with me how my solution can be circumvented? Again, outside packet sniffing and decompiling (both of which can be addressed).
Really?
I'm guessing one of the two apply here:
a) You didn't take time to review and try the solution that I posted,
because you are a pompus, self-righteous, arrogant
cotton-headed-ninny-muggin who scoff's at anyone who dares to question you.
Or;
b) You have looked at my solution, applied it, and discoved that it does
indeed work, but are too arrogant and hard-headed to admit you were wrong.
In light of all that. If you can show me where I'm wrong, I'll gladly admit
my error and apologise for the ranting. Otherwise...I'm done here.
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:O2**************@TK2MSFTNGP12.phx.gbl... Google it. It's old news.
-- HTH,
Kevin Spencer Microsoft MVP .Net Developer What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message news:%2****************@TK2MSFTNGP10.phx.gbl... So, I guess that means you're not going to share with me how my solution can be circumvented? Again, outside packet sniffing and decompiling (both
of which can be addressed).
Hi David:
At best though, this is security through obfuscation. Someone
determined to see the underlying javascript will get to it.
System.Net.WebClient client = new WebClient();
client.Header.Add("Referer", "http://AUrlToSpoofOnYourSite.com");
byte[] buffer = client.DownloadData ("http://TheUrl/JSScript.aspx");
Console.WriteLine(Encoding.ASCII.GetString(buffer) );
--
Scott http://www.OdeToCode.com/blogs/scott/
On Wed, 27 Apr 2005 16:09:39 -0500, "David Young"
<RE******************@yahoo.com> wrote: Ok, here's your solution:
Create an aspx page. Call it "JSSource.aspx" Open the HTML view and delete everything except the contents of the <@ Page> directive. Open the Code Behind for this page. Add two using statements: using System.Text; using System.IO; Add the following to the Page_Load handler: private void Page_Load(object sender, System.EventArgs e) { // Put user code to initialize the page here string script; StringBuilder b = new StringBuilder(); b.Append("function doOnLoad(){"); b.Append("alert('hello there');}");
if(Request.UrlReferrer==null||Request.UrlReferrer. Host!="localhost") script = "var youbite = 'eat me';"; else script = b.ToString();
ASCIIEncoding encoder = new ASCIIEncoding(); byte[] buffer = encoder.GetBytes(script); Response.ContentType = "text/javascript"; Response.OutputStream.Write(buffer,0,buffer.Length ); }
Then create a new aspx page. Call it JSClient.aspx Open the HTML View and add the following betweent the </HEAD> and <BODY> tags. <script Language="javascript" type="text/css" src="JSSource.aspx"></script> in the Body tag, add the following onLoad="doOnLoad();"
Then create a third page. Call it "Launch.aspx" add a hyperlink control, or a simple <A href> tag. the NavigateUrl = "JSClient.aspx"
Build and launch the "Launch.aspx" page. When you click on the link, it'll load the JSClient.aspx page and you should get a nice little Hello World popup.
Enhance as you see fit. Another think you may want to think about is caching. You may want to make sure to add directives to prevent the browser from caching the JSSource.aspx page. Also, if it's being deployed on a client site, they could open the site's dll with something lik Reflector and see your source, so you might want to obfuscate that.
It's a little simple I agree, but it's the best I could come up with on such short notice.
BTW - Never accept never as an answer. When they say it can't be done, be like me and say why not. Sometimes ignorance is bliss.
Dave
"kpg" <ip***@thereforeiam.com> wrote in message news:%2****************@TK2MSFTNGP10.phx.gbl... Hello all,
I have an asp.net web application with tons of Java script files.
I would like to protect the Java Script somehow so it can't be seen by a remote user.
I found several 3rd party solutions, but I thought I remember that there was a way to 'compile' java script and use that instead of the actual script?
The problem I have with 3rd party solutions is two-fold:
1) I'm cheap
2) I'm going to install the app on a customer's server for use by their customers. I don't want them (my customer) or their customers to have access to the java script files.
I think a 3rd party solution would work fine for me on my server, but I can't really give the customer the app and the 3rd party protection thingy and say: install this so you can't see my code (because they might not!).
Anyway, I'm open to any solution.
Thanks kpg
Scott,
Correct. I believe I stated "aside from packet sniffing and decompiling the
dll" (or looking at it in .NetReflector). I fully understand that, however,
the comment was made that:
"If the browser can read it, so can you. So can anyone. It is not
possible.".
I just disagreed with that philosophy and posted a solution that discounts
that. To get at it, they would have to get the dll or capture the packets
as they came across the wire.
I also agree that packet sniffing and decompiling are both issues that have
to be overcome. However, I also know that there are ways to address both
those issues as well.
For instance:
a) Build a COM object in C++ that contains the JS code and build a callable
wrapper to make it accesible to your ASP.net code. (haven't actually done
this so I'm not sure what you'll see in reflector) And yes, I know if you
have Borlands old decompiler :) ....
b) Use web services to have the client app contact you're app to get the JS
code. (that keeps them from getting your dll).
I'll probably come up with more.
I do have to agree with Kevin on one point. Why? But then, that's not for
me to question.
Thanks for your response though.
"Scott Allen" <sc***@nospam.odetocode.com> wrote in message
news:s1********************************@4ax.com... Hi David:
At best though, this is security through obfuscation. Someone determined to see the underlying javascript will get to it.
System.Net.WebClient client = new WebClient(); client.Header.Add("Referer", "http://AUrlToSpoofOnYourSite.com"); byte[] buffer = client.DownloadData ("http://TheUrl/JSScript.aspx"); Console.WriteLine(Encoding.ASCII.GetString(buffer) );
-- Scott http://www.OdeToCode.com/blogs/scott/
On Wed, 27 Apr 2005 16:09:39 -0500, "David Young" <RE******************@yahoo.com> wrote:
Ok, here's your solution:
Create an aspx page. Call it "JSSource.aspx" Open the HTML view and delete everything except the contents of the <@
Page>directive. Open the Code Behind for this page. Add two using statements: using System.Text; using System.IO; Add the following to the Page_Load handler: private void Page_Load(object sender, System.EventArgs e) { // Put user code to initialize the page here string script; StringBuilder b = new StringBuilder(); b.Append("function doOnLoad(){"); b.Append("alert('hello there');}");
if(Request.UrlReferrer==null||Request.UrlReferrer. Host!="localhost") script = "var youbite = 'eat me';"; else script = b.ToString();
ASCIIEncoding encoder = new ASCIIEncoding(); byte[] buffer = encoder.GetBytes(script); Response.ContentType = "text/javascript"; Response.OutputStream.Write(buffer,0,buffer.Length ); }
Then create a new aspx page. Call it JSClient.aspx Open the HTML View and add the following betweent the </HEAD> and <BODY> tags. <script Language="javascript" type="text/css"
src="JSSource.aspx"></script>in the Body tag, add the following onLoad="doOnLoad();"
Then create a third page. Call it "Launch.aspx" add a hyperlink control,
ora simple <A href> tag. the NavigateUrl = "JSClient.aspx"
Build and launch the "Launch.aspx" page. When you click on the link,
it'llload the JSClient.aspx page and you should get a nice little Hello World popup.
Enhance as you see fit. Another think you may want to think about is caching. You may want to make sure to add directives to prevent the
browserfrom caching the JSSource.aspx page. Also, if it's being deployed on a client site, they could open the site's dll with something lik Reflector
andsee your source, so you might want to obfuscate that.
It's a little simple I agree, but it's the best I could come up with on
suchshort notice.
BTW - Never accept never as an answer. When they say it can't be done,
belike me and say why not. Sometimes ignorance is bliss.
Dave
"kpg" <ip***@thereforeiam.com> wrote in message news:%2****************@TK2MSFTNGP10.phx.gbl... Hello all,
I have an asp.net web application with tons of Java script files.
I would like to protect the Java Script somehow so it can't be seen by a remote user.
I found several 3rd party solutions, but I thought I remember that there was a way to 'compile' java script and use that instead of the actual script?
The problem I have with 3rd party solutions is two-fold:
1) I'm cheap
2) I'm going to install the app on a customer's server for use by their customers. I don't want them (my customer) or their customers to have access to the java script files.
I think a 3rd party solution would work fine for me on my server, but I can't really give the customer the app and the 3rd party protection
thingy and say: install this so you can't see my code (because they might
not!). Anyway, I'm open to any solution.
Thanks kpg
> In light of all that. If you can show me where I'm wrong, I'll gladly admit my error and apologise for the ranting. Otherwise...I'm done here.
In that case... you're done here.
I don't care if you apologize or not. My feelings aren't hurt. I have the
skin of a rhinocerous.
By not admitting your mistakes, you only hurt yourself.
--
HTH,
Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message
news:ua*************@TK2MSFTNGP12.phx.gbl... Really?
I'm guessing one of the two apply here: a) You didn't take time to review and try the solution that I posted, because you are a pompus, self-righteous, arrogant cotton-headed-ninny-muggin who scoff's at anyone who dares to question you. Or;
b) You have looked at my solution, applied it, and discoved that it does indeed work, but are too arrogant and hard-headed to admit you were wrong.
In light of all that. If you can show me where I'm wrong, I'll gladly admit my error and apologise for the ranting. Otherwise...I'm done here.
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message news:O2**************@TK2MSFTNGP12.phx.gbl... Google it. It's old news.
-- HTH,
Kevin Spencer Microsoft MVP .Net Developer What You Seek Is What You Get.
"David Young" <RE******************@yahoo.com> wrote in message news:%2****************@TK2MSFTNGP10.phx.gbl... > So, I guess that means you're not going to share with me how my > solution > can > be circumvented? Again, outside packet sniffing and decompiling (both of > which can be addressed). > >
Show me where I'm wrong and I'll gladly admit it.
And "Because I said so" just won't cut it.
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:%2****************@TK2MSFTNGP15.phx.gbl... By not admitting your mistakes, you only hurt yourself.
-- HTH,
Kevin Spencer Microsoft MVP .Net Developer What You Seek Is What You Get.
I wanted to chime in on the invective between David Young & Kevin Spencer by
suggesting that Shakespeare probably best summed it up here guys:
"Light seeking light doth light of light beguile."
It's one of my favs and probably best characterizes your exchanges regarding
this issue.
Brice
True.
Would have been almost comical had it not been such a sad display.
Dave :)
"Brice Richard" <Br**********@discussions.microsoft.com> wrote in message
news:93**********************************@microsof t.com... I wanted to chime in on the invective between David Young & Kevin Spencer
by suggesting that Shakespeare probably best summed it up here guys:
"Light seeking light doth light of light beguile."
It's one of my favs and probably best characterizes your exchanges
regarding this issue.
Brice
Thanks for your input and example.
Another programmer here discovered a simple and effective solution
to the problem. It won't prevent the 'determined' hacker either but it
does accomplish my main objective - to prevent the java script from
being viewed when the page is saved. (that just makes it too easy).
Here it is:
The javascript is in a seperate .js file, and the include line that normally
looks something like:
<script language="javascript" src="/file.js"></script>
is encoded to look like:
<script language=javascript>document.write(unescape(%3F%22 ...))</script>
where unescape is a javascript function that decodes the text (not a simple
hex encoding)
Suprisingly (to me) this prevents the actual javascript file from being
saved
and prevents the end users from veiwing the name of the jacascript source
file.
I'm a little unclear at this time where the unescape function is declared
but I
could not find it locally when veiwing a page downloaded with this
technique.
If anyone is interested in more details I will acquire them, just ask.
PS
Although not everything is possible, there are always options. ;-)
kpg
kpg wrote: Here it is:
The javascript is in a seperate .js file, and the include line that normally looks something like:
<script language="javascript" src="/file.js"></script>
is encoded to look like:
<script language=javascript> document.write(unescape(%3F%22...)) </script>
where unescape is a javascript function that decodes the text (not a simple hex encoding)
Suprisingly (to me) this prevents the actual javascript file from being saved and prevents the end users from veiwing the name of the jacascript source file.
Just to chime in here real quick!
If I understand what you are doing above, you are basically unescaping
a serialzed, escaped version of all your javascript functions, which
would normally go it file.js?
Using document.write doesn't work, atleast for me. I had to use eval
to change it back into javascript that the browser would recognize, for
example:
<script type="text/javascript">
// mystring contains the escaped version of my javascript function.
//
mystring = escape("function sayHi(){alert(\"hello\");");
eval(unescape(mystring));
</script>
I'm a little unclear at this time where the unescape function is declared but I could not find it locally when veiwing a page downloaded with this technique.
unescape() is the converse of escape(), which are both functions built
into javascript core. If the person is knowledgable enough to need a
reason to steal your javascript, they are sure as hell going to know
how to to unescape the escaped string to retrieve the clean javascript,
but I am not touching why or why you shouldn't obfustication your code
with a 10' pole.
-- brian
Brian Munroe wrote:
[snip]
sorry, a little typo..here is the corrected version:
<html>
<body>
<script type="text/javascript">
// url encode sayHi()
//
mystring = escape("function sayHi() { alert(\"hello\");}");
eval(unescape(mystring));
</script>
<script type="text/javascript">
// This is what the encoded javascript looks like
//
document.write(mystring);
// here is the function in action, available to the browser
//
sayHi();
</script>
</body>
</html>
This does work and I've been using it for a while
Just put a response.end in sever tags at the top of the file in case someone
wants to serve it directly, something like:
<html>
<title>Bad request method</title>
<body>
Error - You are attempting inappropriate access to files on this server!<br>
Your IP address has been logged, and a reverse lookup has been done. The
results have been emailed to the webmaster.
</body>
</html>
<%
response.end
End If
%>
Dan
"David Young" <RE******************@yahoo.com> wrote in message
news:Og**************@TK2MSFTNGP15.phx.gbl... First of all, you're not crazy. Back in the day, I did some development
for the Netscape Enterprise Server. It used "Compiled" javascript and came
with it's own compiler.
Now, I'm not as closed minded as some of the others here, so, I'm betting there's a way to approach this. You know you can set your javascript
source to a file right? So, what's to prevent us from making that file and aspx file that sends content to the browser? Just make sure you set the
content type before you output it. Next, I would think about how we can prevent
the aspx file from being rendered by itself. You know, make sure it outputs nothing if you typed it directly into the url. Should be easy enough to accomplish.
Perhaps that's a good idea for my next project at home.
Dave
"kpg" <ip***@thereforeiam.com> wrote in message news:%2****************@TK2MSFTNGP10.phx.gbl... Hello all,
I have an asp.net web application with tons of Java script files.
I would like to protect the Java Script somehow so it can't be seen by a remote user.
I found several 3rd party solutions, but I thought I remember that there was a way to 'compile' java script and use that instead of the actual script?
The problem I have with 3rd party solutions is two-fold:
1) I'm cheap
2) I'm going to install the app on a customer's server for use by their customers. I don't want them (my customer) or their customers to have access to the java script files.
I think a 3rd party solution would work fine for me on my server, but I can't really give the customer the app and the 3rd party protection
thingy and say: install this so you can't see my code (because they might
not!). Anyway, I'm open to any solution.
Thanks kpg
Problem: Jscript provided to client in discernable form.
Asset/Threat Analysis
0) View Source : UI/DHTML block
1) Js file link reference : prevent direct access via isapi filter|dynamic
rendering with check (asp/aspx/web svc)
2) Js content pulled from browser cache or intercepted with non SSL : SSL
for interception, "encode" for obfuscation
3) Decode encoded jscript C/O $29.99 utility available via internet : ...
Solution:
Strongly Encrypt js file content (VS encode) as function of "session"
(do misc AES homework for the background)
Generate AES Cipher Key and Ini Vector for "session" with "time" info
Call encrypted JS text via script (xmlhttp, web svc, etc)
Decrypt in client
Dynamically insert script element
(wink wink) Kill/Overwrite cookie with IV info
....google javascrypt and check out (msdn) AES resources for the details; or
check the academic publishing and (carefully!) roll your own implementation
of AES in jscript
Hi David
I don't quite understand what you are saying here.
First of all, doesn't Javascript have to be downloaded to the browser in
plain format for it to be executed? Will the browser execute "compiled" code?
Secondly, if the code is set to to a file, will the file not be in the local
cache where it can be viewed?
Regards
Manjit Dosanjh
"David Young" wrote: First of all, you're not crazy. Back in the day, I did some development for the Netscape Enterprise Server. It used "Compiled" javascript and came with it's own compiler.
Now, I'm not as closed minded as some of the others here, so, I'm betting there's a way to approach this. You know you can set your javascript source to a file right? So, what's to prevent us from making that file and aspx file that sends content to the browser? Just make sure you set the content type before you output it. Next, I would think about how we can prevent the aspx file from being rendered by itself. You know, make sure it outputs nothing if you typed it directly into the url. Should be easy enough to accomplish.
Perhaps that's a good idea for my next project at home.
Dave
"kpg" <ip***@thereforeiam.com> wrote in message news:%2****************@TK2MSFTNGP10.phx.gbl... Hello all,
I have an asp.net web application with tons of Java script files.
I would like to protect the Java Script somehow so it can't be seen by a remote user.
I found several 3rd party solutions, but I thought I remember that there was a way to 'compile' java script and use that instead of the actual script?
The problem I have with 3rd party solutions is two-fold:
1) I'm cheap
2) I'm going to install the app on a customer's server for use by their customers. I don't want them (my customer) or their customers to have access to the java script files.
I think a 3rd party solution would work fine for me on my server, but I can't really give the customer the app and the 3rd party protection thingy and say: install this so you can't see my code (because they might not!).
Anyway, I'm open to any solution.
Thanks kpg This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Ray |
last post by:
Hi,
I was wondering if anyone has any idea how this can be done. I am
trying to show/hide navigation links based on server names or ip
addresses. So if, someone visits a particular url/ip address...
|
by: Srinu |
last post by:
How do i hide status bar in firefox using java script only Plz help me
iam new to this group.
|
by: FP |
last post by:
I'm new to Java Script.
I'm displaying comments people have made. Below each persons' comment
I want to add 2 buttons "Reply" and "Amend". Clicking "Reply" would
display an empty text field...
|
by: Gavin |
last post by:
Hi everyone,
I have found and addapted a script that displays or hides a div tag
based on it's current class tag, but i can't seem to get it to work. I
am new to Java, and i know that everything...
|
by: karthickkuchanur |
last post by:
I want to hide the following value to hide when i call the url
<script>
function callEmployeeEducationalHistory()
{
...
|
by: shapper |
last post by:
Hello,
In a simple HTML page, index.html, I have:
- 3 anchors: A, B and C;
- 3 divs: dA, dB and dC;
Each anchor should load, when clicked, index.html but anchor A should
make dA visible and...
|
by: timplx |
last post by:
Hello all,
New to javascript and have never worked with programming languages like c++, so my logic in some of these statements might be incorrect or redundant
Got a problem with my page......
|
by: Debadatta Mishra |
last post by:
Introduction
In this article I will provide you an approach to manipulate an image file. This article gives you an insight into some tricks in java so that you can conceal sensitive information...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
| |