Peter Michaux wrote:
mo********@gmail.com wrote:
>You can make it a lot harder by using PHP or some sort of
server side language (PHP just happens to be my language of
choice), and then including the javascript and linking to it
externally. In the PHP make sure that the refferer is your
site and if it isn't, dont print out the page.
The source has to be sent to the client. This technique does
not make it a lot harder to see the source. I am pretty darn
sure it is still visible with something like
http://getfirebug.com
There is no need get that complicated; view the files in the browser's
cache while the site is loaded and the external javascript files will be
there, regardless of whether they were dynamically greeted with
PHP/ASP/JSP or whatever, or just text files of JS source code.
The catch is always that the client-side code has to be sent the client,
and in a form that can be understood as javascript source code. As a
result the client will always have, at some point, the client-side code,
and in a form that can be understood.
For every code minimiser there is a code re-formatter or pretty printer
to turn the compacted code back into recognisably formatted/indented
code (with some of the browsers themselves being entirely adequate tools
for that job through the use of a little (publicly available and well
known) scripting). Then there is syntax highlighting to bring out the
distinctions between, for example, operators, keywords and Identifiers.
Which leaves the only potentially practical/productive aspect of
obfuscation the transformation of property names and Identifiers into
meaningless sequences of characters, which is not really a barrier to
understanding computer code. It may be true that meaningful
Identifiers/property names are an aid to (more quickly) understanding
source code but if their absence represented any real barrier the fact
that the vast bulk of example code (and all of the browser DOM property
names and language keywords) are in English must then make it near
impossible for non-English speakers to understand those examples (or the
DOM). This clearly is not the case. Obfuscation by Identifier scrambling
is of limited benefit because a word that is meaningful in a language
that the reader does not understand is no more or less meaningful to
them than any arbitrary sequence of characters that it may be replaced
with.
The pro-obfuscation position (and particularly those retailing
obfuscation software) will argue that obfuscation must make code harder
to understand. That is true, but the degree to which it is harder to
understand is so small (and so much not a real issue to the people who
could have understood the code directly if it were never obfuscated)
that the effort outweighs the benefits.
Plus, once obfuscated what are you going to do when a browser reports:-
Error: Line 1, character 5734, "I0O1I is null or not an object"
-?
Richard.
