Hide a string in javascript

trey.bason

I know everyone who uses javascript at some point tries to think of a
way to hide it from curious users/hackers, so here goes my question.

I am trying to display an image map and keep the coords of the active
areas hidden from users. I have a page named test.htm that includes a
file get.php in a <script> tag that will dynamically generate some
javascript to write the imagemap. The get.php file will write a unique
key to a session that will identify each request. The get.php file will
make an ajax call to a file named get2.php. The get2.php file will
check the unique key in the session to make sure the request is valid.
If the request is valid get2.php will return a string which will be
javascript that creates an array for the coords of the imagemap.
Something like:

var arr = new Array(10, 10, 20, 20);

After the ajax call is successful get.php will do an eval() on the
string returned from get2.php to set the coords of the active area of
the imagemap. The get2.php request would expire, so that a user could
not simply do a request for the file in his browser and see what is
returned. Also the coords will change with each request, so figuring
out how to see the data in get2.php will be irrelevant as it will
always change.

My concern is: Is there a way to pull out what has been written to the
browser in that eval() in get.php?
 
Randy Webb

(e-mail address removed) said the following on 12/20/2006 10:54 PM:
> I know everyone who uses javascript at some point tries to think of a
> way to hide it from curious users/hackers, so here goes my question.
>
> I am trying to display an image map and keep the coords of the active
> areas hidden from users. I have a page named test.htm that includes a
> file get.php in a <script> tag that will dynamically generate some
> javascript to write the imagemap. The get.php file will write a unique
> key to a session that will identify each request. The get.php file will
> make an ajax call to a file named get2.php. The get2.php file will
> check the unique key in the session to make sure the request is valid.
> If the request is valid get2.php will return a string which will be
> javascript that creates an array for the coords of the imagemap.
> Something like:
>
> var arr = new Array(10, 10, 20, 20);
>
> After the ajax call is successful get.php will do an eval() on the
> string returned from get2.php to set the coords of the active area of
> the imagemap. The get2.php request would expire, so that a user could
> not simply do a request for the file in his browser and see what is
> returned. Also the coords will change with each request, so figuring
> out how to see the data in get2.php will be irrelevant as it will
> always change.
>
> My concern is: Is there a way to pull out what has been written to the
> browser in that eval() in get.php?

You can get get2.php from the cache while the browser is open.
If the array name is known, you can javascript:alert(arr); (or similar)
in the task bar.

Why are the coordinates of the imageMap so critically secret?
 
Roy A.

> I know everyone who uses javascript at some point tries to think of a
> way to hide it from curious users/hackers, so here goes my question.
>
> I am trying to display an image map and keep the coords of the active
> areas hidden from users. ...

Try to use a server-side image map, then the coords never show up on
the client.

> ... I have a page named test.htm that includes a
> file get.php in a <script> tag that will dynamically generate some
> javascript to write the imagemap. The get.php file will write a unique
> key to a session that will identify each request. The get.php file will
> make an ajax call to a file named get2.php. The get2.php file will
> check the unique key in the session to make sure the request is valid.
> If the request is valid get2.php will return a string which will be
> javascript that creates an array for the coords of the imagemap.
> Something like:
>
> var arr = new Array(10, 10, 20, 20);
>
> After the ajax call is successful get.php will do an eval() on the
> string returned from get2.php to set the coords of the active area of
> the imagemap. The get2.php request would expire, so that a user could
> not simply do a request for the file in his browser and see what is
> returned. Also the coords will change with each request, so figuring
> out how to see the data in get2.php will be irrelevant as it will
> always change.

It would certainly hide it from curious users/hackers. I can't think of
anybody that curious.

> My concern is: Is there a way to pull out what has been written to the
> browser in that eval() in get.php?

Yes. Everything sent to the browser can be pulled out. The browser may
also have a DOM inspector tool used for debugging, that allows you to
read the coords of the active areas directly from the in-memory
DOM-tree.
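
The server-side image map suggested in the reply above, as an added example that is not part of the thread: the click coordinates go to the server, which answers only "hit" or "miss", so no array of coords is ever sent to the browser. It is written in JavaScript (Node) rather than the thread's PHP; `startRound`, `hitTest`, `MAX_ATTEMPTS`, the session ids and the region name are hypothetical, and the rectangle reuses the 10, 10, 20, 20 from the question.

```javascript
// Added example, not code from the thread. Names, the attempt limit and the
// session ids are assumptions; the rectangle reuses 10,10,20,20 from the question.
const MAX_ATTEMPTS = 3;          // assumed per-round limit on counted clicks
const sessions = new Map();      // sessionId -> { regions, attempts }, server memory only

// Called when the server deals a new round; regions are never serialized to the client.
function startRound(sessionId, regions) {
  sessions.set(sessionId, { regions, attempts: 0 });
}

// <a href="/click"><img src="map.png" ismap></a> makes the browser request
// "/click?x,y", so the query string is just two integers.
function parseIsmapQuery(query) {
  const m = /^(\d{1,5}),(\d{1,5})$/.exec(query);
  return m ? { x: Number(m[1]), y: Number(m[2]) } : null;
}

// Returns only the outcome of the click, never the rectangle itself.
function hitTest(sessionId, query) {
  const round = sessions.get(sessionId);
  if (!round) return { status: 403, body: 'unknown session' };
  const pt = parseIsmapQuery(query);
  if (!pt) return { status: 400, body: 'bad coordinates' };
  if (round.attempts >= MAX_ATTEMPTS) return { status: 429, body: 'no attempts left' };
  round.attempts += 1;
  const hit = round.regions.find(({ rect: [x1, y1, x2, y2] }) =>
    pt.x >= x1 && pt.x <= x2 && pt.y >= y1 && pt.y <= y2);
  return { status: 200, body: hit ? hit.name : 'miss' };
}

// Constructed demo round.
startRound('demo-session', [{ name: 'target', rect: [10, 10, 20, 20] }]);
console.log(hitTest('demo-session', '15,12'));
console.log(hitTest('demo-session', '30,30'));
```

The attempt limit is part of the design: every answer the server gives tells the client something about the region, so the server decides how many answers a round is worth.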
 
Trey Bason

Randy,

I am trying to use this in a game app I am writing in ajax. The user
would not be able to do an alert in the taskbar as the arr would be out
of scope. The arr would be defined in a function and would be out of
scope once the page loads.

How would I go about getting the get2.php from the cache? Would that be
considered a second request? The 1st request would be the actual
javascript making the ajax call and the 2nd request being made by the
cache?
 
webEater

Trey said:
> Randy,
>
> I am trying to use this in a game app I am writing in ajax. The user
> would not be able to do an alert in the taskbar as the arr would be out
> of scope. The arr would be defined in a function and would be out of
> scope once the page loads.
>
> How would I go about getting the get2.php from the cache? Would that be
> considered a second request? The 1st request would be the actual
> javascript making the ajax call and the 2nd request being made by the
> cache?

It's not possible - in the moment the browser loads the data you can
read it out, think of firebug users ;)
 
Randy Webb

Trey Bason said the following on 12/21/2006 7:37 AM:
> Randy,
>
> I am trying to use this in a game app I am writing in ajax. The user
> would not be able to do an alert in the taskbar as the arr would be out
> of scope. The arr would be defined in a function and would be out of
> scope once the page loads.
>
> How would I go about getting the get2.php from the cache? Would that be
> considered a second request? The 1st request would be the actual
> javascript making the ajax call and the 2nd request being made by the
> cache?

Open the Temporary Internet Files folder, find the file, right click and
Edit it. And no, it doesn't get another copy from the server, it reads
it from the cache. And as long as the page is open, that file will
remain in the cache.
 
Trey Bason

Randy,

I am using the following line of code to make sure the browser does not
cache the page.

header("Cache-Control: no-cache");

Wouldn't this prevent someone from being able to view the file in the
cache?
 
Randy Webb

Trey Bason said the following on 12/21/2006 4:15 PM:

Answer: It destroys the order of the conversation
Question: Why?
Answer: Top-Posting.
Question: What's the most annoying thing on Usenet?

> Randy,
>
> I am using the following line of code to make sure the browser does not
> cache the page.
>
> header("Cache-Control: no-cache");
>
> Wouldn't this prevent someone from being able to view the file in the
> cache?

After the page is closed, sure. But, while the page is open the browser
*must* have that file locally (test it).
 
