By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
429,244 Members | 1,972 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 429,244 IT Pros & Developers. It's quick & easy.

nebie - keeping javascript code away from prying eyes

P: n/a
Is it possible to 'hide' javascript from a user. I am thinking of
putting some fairly proprietary logic client side (to release burden on
server) - but I dont want to make the source freely available to every
Tom, Dick and Harry. any suggestions?

Feb 18 '06 #1
Share this Question
Share on Google+
13 Replies


P: n/a
Dave Schwimmer wrote:
Is it possible to 'hide' javascript from a user. I am thinking of
putting some fairly proprietary logic client side (to release burden on
server) - but I dont want to make the source freely available to every
Tom, Dick and Harry. any suggestions?

The only thing you can do is make it obscure.

--
Ian Collins.
Feb 18 '06 #2

P: n/a
Jim

"Dave Schwimmer" <ds*****@nospam.com> wrote in message
news:dt**********@nwrdmz02.dmz.ncs.ea.ibs-infra.bt.com...
Is it possible to 'hide' javascript from a user. I am thinking of putting
some fairly proprietary logic client side (to release burden on server) -
but I dont want to make the source freely available to every Tom, Dick and
Harry. any suggestions?


The short answer is....it can't be done.

Feb 18 '06 #3

P: n/a


Jim wrote:
"Dave Schwimmer" <ds*****@nospam.com> wrote in message
news:dt**********@nwrdmz02.dmz.ncs.ea.ibs-infra.bt.com...
Is it possible to 'hide' javascript from a user. I am thinking of putting
some fairly proprietary logic client side (to release burden on server) -
but I dont want to make the source freely available to every Tom, Dick and
Harry. any suggestions?

The short answer is....it can't be done.


Ok. precise and to the point. Thats good. But theres always a way though
(or is there?). What if I have my libraries in *.js files on the server
in a location that the user does not have permissions to (I will
ofcourse need something server side to load the files - which defeats
the purpose of client side processing, so I shot myself in the foot
already).

Does anyone know how to get around this?.

Feb 18 '06 #4

P: n/a

Dave Schwimmer wrote:
Jim wrote:
"Dave Schwimmer" <ds*****@nospam.com> wrote in message
news:dt**********@nwrdmz02.dmz.ncs.ea.ibs-infra.bt.com...
Is it possible to 'hide' javascript from a user. I am thinking of putting
some fairly proprietary logic client side (to release burden on server) -
but I dont want to make the source freely available to every Tom, Dick and
Harry. any suggestions?

The short answer is....it can't be done.


Ok. precise and to the point. Thats good. But theres always a way though
(or is there?). What if I have my libraries in *.js files on the server
in a location that the user does not have permissions to (I will
ofcourse need something server side to load the files - which defeats
the purpose of client side processing, so I shot myself in the foot
already).

Does anyone know how to get around this?.


You can't have your cake and eat it, too :) What you're basically
asking for is the ability to have the client (which is out of your
control, nonetheless) read, parse, and execute some code -- without
reading that same code.

But, honestly, if your code is that proprietary and sensitive you
shouldn't even consider have some (unknown) client run it for you.

Feb 18 '06 #5

P: n/a

Dave Schwimmer wrote:
Is it possible to 'hide' javascript from a user. I am thinking of
putting some fairly proprietary logic client side (to release burden on
server) - but I dont want to make the source freely available to every
Tom, Dick and Harry. any suggestions?


You can only make the script difficult to obtain. This may be enough to
keep Tom, Dick, and Harry away, but not many users of this group :-).

You will find a tool at
http://www.dynamicdrive.com/dynamicindex9/encrypter.htm that has been
around for ages and that will make the script difficult to read.
However, even if a viewer does not know about this site, a person who
knows javascript well will see what has been done and likely can write
a little program to decode it quite rapidly.

Feb 18 '06 #6

P: n/a
Dave Schwimmer wrote:
The short answer is....it can't be done.


Ok. precise and to the point. Thats good. But theres always a way though
(or is there?). What if I have my libraries in *.js files on the server
in a location that the user does not have permissions to (I will
ofcourse need something server side to load the files - which defeats
the purpose of client side processing, so I shot myself in the foot
already).

Does anyone know how to get around this?.

Live with it, everything the UA executes has to be downloaded. You
could obscure the algorithm by doing pars of it server side I guess.

--
Ian Collins.
Feb 18 '06 #7

P: n/a
On Sat, 18 Feb 2006 06:10:12 +0200, Dave Schwimmer <ds*****@nospam.com>
wrote:
Ok. precise and to the point. Thats good. But theres always a way though
(or is there?). What if I have my libraries in *.js files on the server
in a location that the user does not have permissions to (I will
ofcourse need something server side to load the files - which defeats
the purpose of client side processing, so I shot myself in the foot
already).

Does anyone know how to get around this?.


In my projects I use AJAX-like connections through IFRAME, which loads JS
from the server (generated
on the fly), and then executes it via eval(). If I instruct a browser not
to cache this loaded page (with
no-cache header), it might be possible to hide JS source.

Vladas
ProData Ltd.
Feb 18 '06 #8

P: n/a
Vladas Saulis wrote:
Dave Schwimmer wrote:
Ok. precise and to the point. Thats good. But theres
always a way though (or is there?).
Sometimes no means 'no, not ever' .
What if I have my
libraries in *.js files on the server in a location that
the user does not have permissions to (I will ofcourse
need something server side to load the files - which
defeats the purpose of client side processing, so I shot
myself in the foot already).

Does anyone know how to get around this?.


In my projects I use AJAX-like connections through IFRAME,
which loads JS from the server (generated on the fly), and
then executes it via eval(). If I instruct a browser
not to cache this loaded page (with no-cache header), it
might be possible to hide JS source.


Web browsers often treat 'instructions' not to cache a resource as an
instruction not to hang on to a copy of that resource once they have
closed down. If you look in the cache while the site is still in the
browser all the downloaded resources (irrespective of protocol or
headers) are likely to be available (and you only need to know one
browser where that is true to get around any number of browsers that may
act in a manner that is more friendly to the prospective code hider).

And that is assuming the site is not using plain HTTP and the
prospective student of the code is not just recording all the incoming
HTTP traffic to disc.

The whole 'code hiding' notion is a dead loss; the only people against
whom it is effective are the people who would have no use for what they
found (most of whom do not know enough to even look for the code). As
soon as you are trying to defeat people with even an intermediate
understanding of javascript and web technologies the client-side code is
wide open to examination.

Richard.

Feb 18 '06 #9

P: n/a

Dave Schwimmer wrote:
Is it possible to 'hide' javascript from a user. I am thinking of
putting some fairly proprietary logic client side (to release burden on
server) - but I dont want to make the source freely available to every
Tom, Dick and Harry. any suggestions?


Unless a server is badly overloaded, many serverside scripts, such as
php, take very little space and time to operate. Thus I would strongly
suggest writing as much of your code as possible in php. In general,
you can do most things with php that you can do with javascript,
provided that some operation, perhaps selecting a color, is not
required after download. However you can also use just enough
javascript to do the things that can not be done with php in this case.

If the server resources really are a problem, you could write most of
the code in javascript. However you could use php on the server for
just enough code to make it difficult to impossible to tell everything
that is being done. Javascript and php mix and match very well in many
cases. However, if use of pure php and no javascript is possible, your
code will not only be hidden, but your page will also work on the small
number of browsers that have javascript turned off.

Feb 18 '06 #10

P: n/a
Dave Schwimmer said the following on 2/17/2006 11:10 PM:


Jim wrote:
"Dave Schwimmer" <ds*****@nospam.com> wrote in message
news:dt**********@nwrdmz02.dmz.ncs.ea.ibs-infra.bt.com...
Is it possible to 'hide' javascript from a user. I am thinking of
putting some fairly proprietary logic client side (to release burden
on server) - but I dont want to make the source freely available to
every Tom, Dick and Harry. any suggestions?

The short answer is....it can't be done.


Ok. precise and to the point. Thats good. But theres always a way though
(or is there?). What if I have my libraries in *.js files on the server
in a location that the user does not have permissions to (I will
ofcourse need something server side to load the files - which defeats
the purpose of client side processing, so I shot myself in the foot
already).

Does anyone know how to get around this?.


Open the site.
File>Save As
Save the site.

Now, I have the files.

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Feb 19 '06 #11

P: n/a
Dave Schwimmer <ds*****@nospam.com> wrote:
Ok. precise and to the point. Thats good. But theres always a way though
(or is there?). What if I have my libraries in *.js files on the server
in a location that the user does not have permissions to (I will
ofcourse need something server side to load the files - which defeats
the purpose of client side processing, so I shot myself in the foot
already).


You said it. You're talking about code that will be executed on the
client. The client can't execute it if it can't get it. Once the
client gets the code, you no longer have control over it, the client
can display it, save it, parse it, whatever. You have no idea what's
being done and absolutely no control over it.

So: if you really, really, need to keep this stuff secret, then keep
it on the server. Server-side processing cannot be seen by the client,
and you have total control over it.

--
Tim Slattery
Sl********@bls.gov
Feb 21 '06 #12

P: n/a

Vladas Saulis wrote:

[snip]
In my projects I use AJAX-like connections through IFRAME, which loads JS
from the server (generated
on the fly), and then executes it via eval(). If I instruct a browser not
to cache this loaded page (with
no-cache header), it might be possible to hide JS source.

[/snip]

One simple attack to start with is to use the HTTPRequest object with
the URL of your JavaScript producing server page. You can then access
the results through the responseText property.

Regards

Julian

Feb 21 '06 #13

P: n/a
If it was possible to hide the code your computer would have already
been taken over by some script kiddie.

Ken Girard

Feb 21 '06 #14

This discussion thread is closed

Replies have been disabled for this discussion.