FAQ Topic - How do I protect my javascript code?

-----------------------------------------------------------------------
FAQ Topic - How do I protect my javascript code?
-----------------------------------------------------------------------

With clientside Javascript you can't as your code is distributed
in source form and is easily readable. With JScript, there is the
Script Encoder (see MSDN), but this is nothing more than obfuscation.
Disabling the right mouse button also does nothing to protect
your script in a Web browser.

Your code is likely protected under copyright laws. See:

http://www.wipo.int/about-ip/en/copyright.html

http://webdesign.about.com/msubcopyright.htm
===
Postings such as this are automatically sent once a day. Their
goal is to answer repeated questions, and to offer the content to
the community for continuous evaluation/improvement. The complete
comp.lang.javascript FAQ is at http://www.jibbering.com/faq/.
The FAQ workers are a group of volunteers.

Feb 6 '07 #1

FAQ server wrote:
> -----------------------------------------------------------------------
> FAQ Topic - How do I protect my javascript code?
> -----------------------------------------------------------------------
>
> With clientside Javascript you can't as your code is distributed
> in source form and is easily readable. With JScript, there is the
> Script Encoder (see MSDN), but this is nothing more than obfuscation.

Obfuscation is not so bad. Good obfuscator really hampers the reverse
engineering for the professionals and makes it practically impossible
for the javascript's newbies.
The problem is that the code worthy of the protection is a rarity.

Unless you want to obfuscate the weak code in order to not disgrace
yourself :)

Feb 6 '07 #2
marss said the following on 2/6/2007 3:45 AM:
> FAQ server wrote:
>> -----------------------------------------------------------------------
>> FAQ Topic - How do I protect my javascript code?
>> -----------------------------------------------------------------------
>>
>> With clientside Javascript you can't as your code is distributed
>> in source form and is easily readable. With JScript, there is the
>> Script Encoder (see MSDN), but this is nothing more than obfuscation.
>
> Obfuscation is not so bad.

Obfuscation of JS code is a total waste of time.

> Good obfuscator really hampers the reverse engineering for the professionals

Huh? You think naming your variables different makes it any harder on a
"professional" than leaving them alone does?

> and makes it practically impossible for the javascript's newbies.

Copy the obfuscated code, use it as is, who cares about it. No newbie
does, that's for sure.

> The problem is that the code worthy of the protection is a rarity.
> Unless you want to obfuscate the weak code in order to not disgrace
> yourself :)

That is 99% of obfuscating code's purpose, in my opinion.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Feb 6 '07 #3
On Feb 5, 4:00 pm, "FAQ server" <javascr...@dotinternet.be> wrote:
> -----------------------------------------------------------------------
> FAQ Topic - How do I protect my javascript code?
> -----------------------------------------------------------------------
>
> With clientside Javascript you can't as your code is distributed
> in source form and is easily readable. With JScript, there is the
> Script Encoder (see MSDN), but this is nothing more than obfuscation.
> Disabling the right mouse button also does nothing to protect
> your script in a Web browser.
>
> Your code is likely protected under copyright laws. See:
>
> http://www.wipo.int/about-ip/en/copyright.html
>
> http://webdesign.about.com/msubcopyright.htm
>
> ===
> Postings such as this are automatically sent once a day. Their
> goal is to answer repeated questions, and to offer the content to
> the community for continuous evaluation/improvement. The complete
> comp.lang.javascript FAQ is at http://www.jibbering.com/faq/.
> The FAQ workers are a group of volunteers.

Securely protecting Javascript in the browser is not possible. What is
possible is hampering the efforts of those attempting to access your
code. In the case of competitive advantage, one company may want to at
least delay the understanding of another competing company.
Obfuscation in combination with Server Referrer Checks can hamper the
time to understanding for a competing company. Server Referrer Checks
track from where calls to the javascript are made. This Server
Referrer Check can then disallow calls to the script from a server
outside of the domain of ownership. This will make it more difficult
for a person to call the script for viewing directly in the browser.
Again, this is not protection but a method for making script theft
more cumbersome.

Feb 6 '07 #4
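
The Server Referrer Check described in post #4, as an added example that is not part of the original thread: a Node.js handler that serves the script only when the Referer header names an allowed host, with a substring check beside a parsed-host check. The function names, `ALLOWED_HOSTS`, and the `example.com` / `other.test` hosts are assumptions made for illustration; the header is supplied by the client, so this stays the deterrent the post describes.

```javascript
// Added example (not from the thread). All names and hosts are hypothetical.
const ALLOWED_HOSTS = new Set(['www.example.com', 'example.com']);

// Weak form: substring match on the raw header value. It accepts any
// Referer that merely contains the site name somewhere in the URL.
function naiveRefererAllowed(headers) {
  const ref = headers['referer'] || '';
  return ref.includes('example.com');
}

// Stricter form: parse the header and compare the exact host name.
function refererAllowed(headers, allowedHosts = ALLOWED_HOSTS) {
  const ref = headers['referer']; // Node lower-cases incoming header names
  if (typeof ref !== 'string' || ref === '') {
    return false; // header absent: a direct request, or stripped by the browser
  }
  let url;
  try {
    url = new URL(ref);
  } catch (e) {
    return false; // not an absolute URL
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return allowedHosts.has(url.hostname.toLowerCase());
}

// Request handler, usable as http.createServer(handleScriptRequest).
// Returns the status code it sent so the decision can be checked.
function handleScriptRequest(req, res) {
  if (!refererAllowed(req.headers)) {
    res.writeHead(403, { 'Content-Type': 'text/plain' });
    res.end('Forbidden');
    return 403;
  }
  res.writeHead(200, {
    'Content-Type': 'application/javascript',
    'Vary': 'Referer', // shared caches must not replay the 200 to other referrers
  });
  res.end('/* script body */');
  return 200;
}

// Constructed sample request headers (not captured traffic).
const SAMPLES = [
  { referer: 'https://www.example.com/page.html' },    // own page
  { referer: 'https://example.com.other.test/' },      // look-alike host
  { referer: 'https://other.test/?from=example.com' }, // name in query string
  {},                                                   // no Referer at all
];
```

Rejecting requests with no Referer also blocks legitimate visitors whose browser or proxy strips the header, which is a cost of this check to weigh against the delay it buys.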
dd
On Feb 6, 6:41 pm, Randy Webb <HikksNotAtH...@aol.com> wrote:
> Obfuscation of JS code is a total waste of time.
Randy
I have to disagree on that one. Obfuscation dramatically
increases the effort involved in reverse engineering. Not
only that, it can decrease the file size by 50%. I know
how difficult it can make the code just from trying to
debug my own obfuscated code in a live environment.
Yes someone can just steal it and use it, but they run
the risk of copyright issues. By figuring out how someone
is achieving something and simply replicating the concept
using your own code is far less likely to cause copyright
problems. Making it difficult to figure out can help a lot.
Here's an obfuscated function, tell me how quickly you
can see what this object is useful for:

a.a0=y;
a.a1=q;
a.a2=x;
a.a3=q*(w-l);
a.a4=x*(h-t);
a.a5=f;
a.a6=s[y];

and compare it to the unobfuscated version:

div_to_position.initial_x_position = left_base_pos;
div_to_position.initial_y_position = top_base_pos;
div_to_position.current_x_position = left_base_pos * (width - left_offset);
div_to_position.current_y_position = top_base_pos * (height - top_offset);
div_to_position.initial_visibility = base_visibility;
div_to_position.current_visibility = start_visibility[this_div_identifier_name];

It's clear from the unobfuscated code that this is dealing with
some div and its initial position and visibility, and its current
position and invisibility using some offsets. Tell me you saw
the same thing from the obfuscated code ;-) Also, the size
of the obfuscated code above is about 75 bytes. The size of
the obfuscated one is nearer to 600 bytes.

Feb 7 '07 #5
dd wrote on 07 feb 2007 in comp.lang.javascript:
> a.a0=y;
> a.a1=q;
> a.a2=x;
> a.a3=q*(w-l);
> a.a4=x*(h-t);
> a.a5=f;
> a.a6=s[y];
>
> and compare it to the unobfuscated version:
>
> div_to_position.initial_x_position = left_base_pos;
> div_to_position.initial_y_position = top_base_pos;
> div_to_position.current_x_position = left_base_pos * (width - left_offset);
> div_to_position.current_y_position = top_base_pos * (height - top_offset);
> div_to_position.initial_visibility = base_visibility;
> div_to_position.current_visibility = start_visibility[this_div_identifier_name];

I think the second version is just as unreadable and a good example for
code that does not need to be obfuscated, because its value is zero.

> Not only that, it can decrease the file size by 50%.

Since when is that important in this broadband age and more so is that a
valid reason for obfuscation?

===============

No, obfuscation is only useful to get the simpleminded and the hasty off
your back.

And to satisfy the need of [wrongly presumed] importance of one's work.

Using clientside script programming is publishing.

Selling a book with your ideas and keeping them secret at the same time
is a contradictio in terminis.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my email address)
Feb 7 '07 #6

Randy Webb wrote:
> Obfuscation of JS code is a total waste of time.

Yea and nay. Even if I write my own code I prefer to set meaningful
names for the variables and functions. I add some comment in the
complicated code. It's all I do to understand the code a month (year)
later.
To say nothing of another's uncommented code with meaningless
variables (functions)...
It is possible to understand it but hard. At least for me. Here I have
to compare waste of time with desired effect of a new knowledge
acquisition.
That is why many commercial products are selling with obfuscated
javascript code. For example, some products of Telerik. If code is
valuable it wastes to be obfuscated.

>> and makes it practically impossible for the javascript's newbies.
>
> Copy the obfuscated code, use it as is, who cares about it. No newbie
> does, that's for sure.

And then post in comp.lang.javascript a question like this:
"I have got some code here and some code there, put it together and it
did not work. Why? Help me plz!!!" :)

Feb 7 '07 #7

marss wrote:
>>If code is valuable it wastes to be obfuscated.
I mean:
If code is valuable it is worth to be obfuscated.

Sorry for the slip in speaking :) My English leaves much to be desired.

Feb 7 '07 #8
dd
On Feb 7, 10:29 am, "Evertjan." <exjxw.hannivo...@interxnl.net> wrote:
> I think the second version is just as unreadable and a good example for
> code that does not need to be obfuscated, because its value is zero.

Well I'm not going to try and convince you. If a reduction in size of 80%
and making it more difficult to steal, isn't justification I don't
know what is.

>> Not only that, it can decrease the file size by 50%.
>
> Since when is that important in this broadband age and more so is that a
> valid reason for obfuscation?

Because only 50% of people have broadband, and how can it be better to
have a .JS file that's 100KB instead of an obfuscated one at 20KB? It's
this kind of thinking that has led to the memory hogging applications we
see these days. People who follow your argument would say that PCs
these days have a Gig or two of memory so don't worry about it. That's
exactly why we have things like a messenger application taking up 30MB
of memory, and Outlook hogs over 50MB. Internet Explorer is not averse
to using 100MB when it feels like it.

My employers, who pay for the bandwidth my JS files use when delivered
in web pages, were very happy when I obfuscated my code and cut their
costs in half by doing so. They're similarly happy that our intellectual
property (the time we invested in making code that does what it does) can
not be "EASILY" copied and enable some competitor to achieve what we
do, with no effort at all.

Feb 7 '07 #9
On Feb 7, 1:29 am, "Evertjan." <exjxw.hannivo...@interxnl.net> wrote:
> dd wrote on 07 feb 2007 in comp.lang.javascript:
>
>> a.a0=y;
>> a.a1=q;
>> a.a2=x;
>> a.a3=q*(w-l);
>> a.a4=x*(h-t);
>> a.a5=f;
>> a.a6=s[y];
>> and compare it to the unobfuscated version:
>> div_to_position.initial_x_position = left_base_pos;
>> div_to_position.initial_y_position = top_base_pos;
>> div_to_position.current_x_position = left_base_pos * (width - left_offset);
>> div_to_position.current_y_position = top_base_pos * (height - top_offset);
>> div_to_position.initial_visibility = base_visibility;
>> div_to_position.current_visibility = start_visibility[this_div_identifier_name];
>
> I think the second version is just as unreadable and a good example for
> code that does not need to be obfuscated, because its value is zero.
>
>> Not only that, it can decrease the file size by 50%.
>
> Since when is that important in this broadband age and more so is that a
> valid reason for obfuscation?
>
> ===============
>
> No, obfuscation is only useful to get the simpleminded and the hasty off
> your back.
>
> And to satisfy the need of [wrongly presumed] importance of one's work.
>
> Using clientside script programming is publishing.
>
> Selling a book with your ideas and keeping them secret at the same time
> is a contradictio in terminis.
>
> --
> Evertjan.
> The Netherlands.
> (Please change the x'es to dots in my email address)

This thread has gotten way off track. The question is 'how can a
person best protect their code?' The question is not, 'What are the
motives for code protection and do you agree that protection is
worthwhile?'

That being said, I would really love to hear more about methods for
Javascript code protection regardless of the motives or investment vs
benefit. Dialogue about methods for code protection currently
available and in the future, like Project Tamarin
http://www.mozilla.org/projects/tamarin/, could yield invention if not
innovation.

Feb 7 '07 #10
