FAQ Topic - How can I protect a webpage in javascript?

In comp.lang.javascript message <45***********************@news.sunsite.
dk>, Sun, 11 Feb 2007 00:00:02, FAQ server <ja********@dotinternet.be>
posted:

>-----------------------------------------------------------------------
FAQ Topic - How can I protect a webpage in javascript?
-----------------------------------------------------------------------

In practice you can't. While you could create a suitable
encryption system with a password in the page, the level of
support you need to do this means it's always simpler to do it
server-side. Anything that "protects" a page other
than the current one is definitely flawed.

Since some authors do not have access to server-side coding. it's not
completely helpful to put "it's always simpler to do it server-side".
The Topic is ambiguous. I think the intention may be
"How can I prevent access to a web page by using javascript?"

--
(c) John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v6.05 MIME.
Web <URL:http://www.merlyn.demon.co.uk/- FAQish topics, acronyms, & links.
Plaintext, quoting : see <URL:http://www.usenet.org.uk/ukpost.html>
Do not Mail News to me. Before a reply, quote with ">" or "" (SoRFC1036)

Dr J R Stockton said the following on 2/11/2007 4:59 PM:

In comp.lang.javascript message <45***********************@news.sunsite.
dk>, Sun, 11 Feb 2007 00:00:02, FAQ server <ja********@dotinternet.be>
posted:

>-----------------------------------------------------------------------
FAQ Topic - How can I protect a webpage in javascript?
-----------------------------------------------------------------------

In practice you can't. While you could create a suitable
encryption system with a password in the page, the level of
support you need to do this means it's always simpler to do it
server-side. Anything that "protects" a page other
than the current one is definitely flawed.

Since some authors do not have access to server-side coding. it's not
completely helpful to put "it's always simpler to do it server-side".

It's still more helpful than giving them a bogus answer and anything
security related in javascript is bogus.

The Topic is ambiguous. I think the intention may be
"How can I prevent access to a web page by using javascript?"

Agreed and changed to your proposed wording.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

In comp.lang.javascript message <Ro********************@telcove.net>,
Sun, 11 Feb 2007 19:42:41, Randy Webb <Hi************@aol.composted:

>Dr J R Stockton said the following on 2/11/2007 4:59 PM:

>In comp.lang.javascript message <45***********************@news.sunsite.
dk>, Sun, 11 Feb 2007 00:00:02, FAQ server <ja********@dotinternet.be>
posted:

>>-----------------------------------------------------------------------
FAQ Topic - How can I protect a webpage in javascript?
-----------------------------------------------------------------------

In practice you can't. While you could create a suitable
encryption system with a password in the page, the level of
support you need to do this means it's always simpler to do it
server-side. Anything that "protects" a page other
than the current one is definitely flawed.

Since some authors do not have access to server-side coding. it's
not
completely helpful to put "it's always simpler to do it server-side".

It's still more helpful than giving them a bogus answer and anything
security related in javascript is bogus.

Just omit "always", and all will be well.

>The Topic is ambiguous. I think the intention may be
"How can I prevent access to a web page by using javascript?"

Agreed and changed to your proposed wording.

One can, however, protect against unauthorised viewing of the "real"
content.

<div ID=X hidden>scrambled material</div>
<div ID=Y>innocuous material</div>
<pseudojavascript>
something.onClick = function() {
Y.innerText = unscramble(X.innerText, GetKey) }
</pseudojavascript>

If Key is of a "one-time-pad" nature, used by XOR, that will be totally
secure. Then, to hide, from a casual glance at the initial page, the
existence of the secret material, start the decoding by an onClick of an
element that does not look like a control.

--
(c) John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v6.05 IE 6
news:comp.lang.javascript FAQ <URL:http://www.jibbering.com/faq/index.html>.
<URL:http://www.merlyn.demon.co.uk/js-index.htmjscr maths, dates, sources.
<URL:http://www.merlyn.demon.co.uk/TP/BP/Delphi/jscr/&c, FAQ items, links.

Dr J R Stockton said the following on 2/12/2007 9:44 AM:

In comp.lang.javascript message <Ro********************@telcove.net>,
Sun, 11 Feb 2007 19:42:41, Randy Webb <Hi************@aol.composted:

>Dr J R Stockton said the following on 2/11/2007 4:59 PM:

>>In comp.lang.javascript message <45***********************@news.sunsite.
dk>, Sun, 11 Feb 2007 00:00:02, FAQ server <ja********@dotinternet.be>
posted:
-----------------------------------------------------------------------
FAQ Topic - How can I protect a webpage in javascript?
-----------------------------------------------------------------------

In practice you can't. While you could create a suitable
encryption system with a password in the page, the level of
support you need to do this means it's always simpler to do it
server-side. Anything that "protects" a page other
than the current one is definitely flawed.
Since some authors do not have access to server-side coding. it's
not
completely helpful to put "it's always simpler to do it server-side".

It's still more helpful than giving them a bogus answer and anything
security related in javascript is bogus.

Just omit "always", and all will be well.

It is "all well" now for everyone but you. It is *always* simpler to do
it on the server. Well, except for people who choose not to employ
server side technologies and they have to suffer with the consequences
of thinking anything in client side Javascript is secure.

One can, however, protect against unauthorised viewing of the "real"
content.

<div ID=X hidden>scrambled material</div>
<div ID=Y>innocuous material</div>
<pseudojavascript>
something.onClick = function() {
Y.innerText = unscramble(X.innerText, GetKey) }
</pseudojavascript>

If Key is of a "one-time-pad" nature, used by XOR, that will be totally
secure. Then, to hide, from a casual glance at the initial page, the
existence of the secret material, start the decoding by an onClick of an
element that does not look like a control.

Do you have a demo of this concept? It wouldn't take 5 minutes to
decipher it. And, if all it takes is a "click" on an element that does
not look like a control then simply looking at the source can tell you
what to click on to see it. Trivial to bust.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

In comp.lang.javascript message <h7********************@telcove.net>,
Mon, 12 Feb 2007 21:23:21, Randy Webb <Hi************@aol.composted:

>Dr J R Stockton said the following on 2/12/2007 9:44 AM:

>In comp.lang.javascript message <Ro********************@telcove.net>,
Sun, 11 Feb 2007 19:42:41, Randy Webb <Hi************@aol.composted:

>>Dr J R Stockton said the following on 2/11/2007 4:59 PM:
In comp.lang.javascript message <45***********************@news.sunsite.
dk>, Sun, 11 Feb 2007 00:00:02, FAQ server <ja********@dotinternet.be>
posted:
-----------------------------------------------------------------------
FAQ Topic - How can I protect a webpage in javascript?
-----------------------------------------------------------------------
>
In practice you can't. While you could create a suitable
encryption system with a password in the page, the level of
support you need to do this means it's always simpler to do it
server-side. Anything that "protects" a page other
than the current one is definitely flawed.
Since some authors do not have access to server-side coding. it's
not
completely helpful to put "it's always simpler to do it server-side".
It's still more helpful than giving them a bogus answer and anything
security related in javascript is bogus.

Just omit "always", and all will be well.

It is "all well" now for everyone but you. It is *always* simpler to do
it on the server. Well, except for people who choose not to employ
server side technologies

Agreed.

and they have to suffer with the consequences of thinking anything in
client side Javascript is secure.

Non sequitur.

>One can, however, protect against unauthorised viewing of the "real"
content.
<div ID=X hidden>scrambled material</div>
<div ID=Y>innocuous material</div>
<pseudojavascript>
something.onClick = function() {
Y.innerText = unscramble(X.innerText, GetKey) }
</pseudojavascript>
If Key is of a "one-time-pad" nature, used by XOR, that will be
totally
secure. Then, to hide, from a casual glance at the initial page, the
existence of the secret material, start the decoding by an onClick of an
element that does not look like a control.

Do you have a demo of this concept? It wouldn't take 5 minutes to
decipher it.

If a full one-time-pad approach is used, which means that the "password"
must be as long is the encoded text, *nothing* can break the encoding
(not counting intercepting the password; but that does not need to be
transmitted over the Net.

And, if all it takes is a "click" on an element that does not look
like a control then simply looking at the source can tell you what to
click on to see it. Trivial to bust.

Certainly. I wrote "casual glance" for a reason. Of course, one can
also put a "decode" button that will amuse the simple-minded, giving
innocuous output. Remember "The Purloined Letter"? Have you yet
noticed any quasi-hidden links on my site?

--
(c) John Stockton, Surrey, UK. REPLYyyww merlyn demon co uk Turnpike 6.05.
Web <URL:http://www.uwasa.fi/~ts/http/tsfaq.html-Timo Salmi: Usenet Q&A.
Web <URL:http://www.merlyn.demon.co.uk/news-use.htm: about usage of News.
No Encoding. Quotes precede replies. Snip well. Write clearly. Mail no News.

Dr J R Stockton said the following on 2/13/2007 7:59 AM:

<snip>

Have you yet noticed any quasi-hidden links on my site?

I think I looked at your site last in 1999 or 2000 (or somewhere there
abouts). Nothing there was interesting/important to me then and I doubt
it is now. So, to answer you question, no, as I don't care to look at
your site.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

In comp.lang.javascript message <ZI********************@telcove.net>,
Wed, 14 Feb 2007 21:22:44, Randy Webb <Hi************@aol.composted:

>Dr J R Stockton said the following on 2/13/2007 7:59 AM:

<snip>

>Have you yet noticed any quasi-hidden links on my site?

I think I looked at your site last in 1999 or 2000 (or somewhere there
abouts). Nothing there was interesting/important to me then and I doubt
it is now. So, to answer you question, no, as I don't care to look at
your site.

As I rather suspected. No doubt Santayana would have been able to make
a suitable remark.

--
(c) John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v6.05 MIME.
Web <URL:http://www.merlyn.demon.co.uk/- FAQish topics, acronyms, & links.
Plaintext, quoting : see <URL:http://www.usenet.org.uk/ukpost.html>
Do not Mail News to me. Before a reply, quote with ">" or "" (SoRFC1036)

Dr J R Stockton said the following on 2/15/2007 6:19 PM:

In comp.lang.javascript message <ZI********************@telcove.net>,
Wed, 14 Feb 2007 21:22:44, Randy Webb <Hi************@aol.composted:

>Dr J R Stockton said the following on 2/13/2007 7:59 AM:

<snip>

>>Have you yet noticed any quasi-hidden links on my site?

I think I looked at your site last in 1999 or 2000 (or somewhere there
abouts). Nothing there was interesting/important to me then and I doubt
it is now. So, to answer you question, no, as I don't care to look at
your site.

As I rather suspected.

I am happy to have not disappointed you(not that it really matters a
whole lot to me *what* you think of me). But, after reading almost 10
years of your biased ignorant garbage I have no need - nor desire - to
read any more of it on a web site. Perhaps you should do some research
on Aircraft Carrier's and apply some common sense every now and then. It
might make your site worth reading.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/