Hide Java Script

[kpg]

Hello all,

I have an asp.net web application with tons of Java script files.

I would like to protect the Java Script somehow so it can't be
seen by a remote user.

I found several 3rd party solutions, but I thought I remember that
there was a way to 'compile' java script and use that instead of
the actual script?

The problem I have with 3rd party solutions is two-fold:

1) I'm cheap

2) I'm going to install the app on a customer's server for use by
their customers. I don't want them (my customer) or their customers
to have access to the java script files.

I think a 3rd party solution would work fine for me on my server, but I
can't really give the customer the app and the 3rd party protection thingy
and say: install this so you can't see my code (because they might not!).

Anyway, I'm open to any solution.

Thanks
kpg

 

[Kevin Spencer]

Hi kpg,

If the browser can read it, so can you. So can anyone. It is not possible.

Hey, it's just JavaScript. Nothing worth protecting.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.

 

[Josh]

you cant stop anyone whos determined however if you use a frameset you can
put all of your code into the _top object they'll have a jolly hard time
getting to it

 

[Guest]

You're thinking of the Windows Script Encoder
http://www.microsoft.com/downloads/...67-C447-4873-B1B0-21F0626A6329&displaylang=en

It doesn't encrypt the javascript, but it will "keep honest people honest"
if such a thing can be said.

 

[Mythran]

you cant stop anyone whos determined however if you use a frameset you can
put all of your code into the _top object they'll have a jolly hard time
getting to it

Right-click the frame and go to view-source to view a specific frame. To
view the top frame, goto View->Source on the file menu to see it...if it's
disabled, use Mozilla.

Point is, there is always a way to view the source

Mythran

 

[David Young]

First of all, you're not crazy. Back in the day, I did some development for
the Netscape Enterprise Server. It used "Compiled" javascript and came with
it's own compiler.

Now, I'm not as closed minded as some of the others here, so, I'm betting
there's a way to approach this. You know you can set your javascript source
to a file right? So, what's to prevent us from making that file and aspx
file that sends content to the browser? Just make sure you set the content
type before you output it. Next, I would think about how we can prevent the
aspx file from being rendered by itself. You know, make sure it outputs
nothing if you typed it directly into the url. Should be easy enough to
accomplish.

Perhaps that's a good idea for my next project at home.

Dave

 

[David Young]

That's interesting! I posted a reply, but when I went to check on it, my
reader stated that the message was no longer on the server. Then, I
reloaded the headers and the message was gone alltogether. Anyway, here it
is again.

1) Compiled javascript is something that Netscape used in it's Enterprise
Servers. It came with it's own compiler and, from what I remember, was
pretty cool to use.

2) I'm not a quick to dismiss this option as some of my counterparts seem to
be. Why won't this work? First, you know you can keep you javascript in a
js file and reference it remotely right? Now just thinking off the top of
my head, here's two possibilities.
a) using encryption, encrypt the source file and have your page decrypt it
when you pull it up. Would be some overhead involved in this, but it will
work.

b) Instead of linking to a .js file, link to a .aspx file that sends your js
source to the output buffer. Just make sure you set the content type. Then
I would look for a way to make sure that the page renders nothing when you
pull it up in the browser.

In other words, there always a way.

Sounds like an interesting project to work on in my spare time at home.

Dave

 

[kpg]

Well I got both your messages!

Thanks for the input. You gave me something to think about.

 

[Kevin Spencer]

Do honest people NEED to be kept honest?

Do well people need a doctor?

Does a PHD need a high school education?

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.

 

[Kevin Spencer]

Now, I'm not as closed minded as some of the others here

Anyone who is open-minded about what they do know knows nothing. For
example, solve the following arithmentic problem:

1 + 2 = ?

Now, when I was 3 years old I was entitled to be open-minded about the
answer to that question. If I were open-minded about it now, I would be a
fool.

IOW, just because you don't know something doesn't make your open-mindedness
a virtue.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.

 

[kpg]

Do honest people NEED to be kept honest?
Yes.

Do well people need a doctor?

Only if you have an HMO.

Does a PHD need a high school education?

From schools today? Probably No.

Does my Java Script NEED protecting?
No. But my boss wants it protected.

Am I going to tell him it can't be done?
I haven't decided on that yet.

kpg

 

[David Young]

I shudder to think what this world would be like if we all had the same
opinion as you did.

Keeping an open mind is what gives birth to invention and discovery. I
doesn't matter what you know or know not, all that matters is that there are
people out there who look at a problem and say. You know, I bet there's a
way to get around that. You go ahead and say it can't be done while I find
a way to do it. And as for the why? Because I Can!

So, you continue to be closed minded and I'll continue to be an open-minded
"fool".

cheers.

 

[Kevin Spencer]

Hi David,

I was afraid you would misunderstand me. I wasn't calling YOU a fool. I was
saying that if I know something, and act like I don't then I am a fool. I
don't blame you at all for being open-minded. When you don't know something,
that is the right way to be. When one DOES know something, such as whether
you can hide or obfuscate JavaScript succesfully (and I do know that), one
would be a fool to say that one does not.

IOW, you are right to be open-minded about this, and I am right to be
close-minded about it.

Old saying (can't attribute the author):

"He who knows not, and knows not that he knows not is a fool. Shun him.
He who knows not, and knows that he knows not, is a student. Teach him.
He who knows, and knows not that he knows, is asleep. Wake him.
He who knows, and knows that he knows, is wise. Follow him."

Friends?

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.

 

[David Young]

Ok, here's your solution:

Create an aspx page. Call it "JSSource.aspx"
Open the HTML view and delete everything except the contents of the <@ Page>
directive.
Open the Code Behind for this page.
Add two using statements:
using System.Text;
using System.IO;
Add the following to the Page_Load handler:
private void Page_Load(object sender, System.EventArgs e)
{
// Put user code to initialize the page here
string script;
StringBuilder b = new StringBuilder();
b.Append("function doOnLoad(){");
b.Append("alert('hello there');}");

if(Request.UrlReferrer==null||Request.UrlReferrer.Host!="localhost")
script = "var youbite = 'eat me';";
else
script = b.ToString();

ASCIIEncoding encoder = new ASCIIEncoding();
byte[] buffer = encoder.GetBytes(script);
Response.ContentType = "text/javascript";
Response.OutputStream.Write(buffer,0,buffer.Length);
}

Then create a new aspx page. Call it JSClient.aspx
Open the HTML View and add the following betweent the </HEAD> and <BODY>
tags.
<script Language="javascript" type="text/css" src="JSSource.aspx"></script>
in the Body tag, add the following onLoad="doOnLoad();"

Then create a third page. Call it "Launch.aspx" add a hyperlink control, or
a simple <A href> tag. the NavigateUrl = "JSClient.aspx"

Build and launch the "Launch.aspx" page. When you click on the link, it'll
load the JSClient.aspx page and you should get a nice little Hello World
popup.

Enhance as you see fit. Another think you may want to think about is
caching. You may want to make sure to add directives to prevent the browser
from caching the JSSource.aspx page. Also, if it's being deployed on a
client site, they could open the site's dll with something lik Reflector and
see your source, so you might want to obfuscate that.

It's a little simple I agree, but it's the best I could come up with on such
short notice.

BTW - Never accept never as an answer. When they say it can't be done, be
like me and say why not. Sometimes ignorance is bliss.

Dave

 

[David Young]

Oh, I understand perfectly. You are saying that since I don't know any
better, it's ok to be "open-minded".

You also said that since you already know that it is not possible to do what
he asked, then in your case, it's ok to be "closed-minded", because you know
it can't be done (and you do know that).

I really appreciate you clearing all that up for me. Next time, I guess
I'll know better.

Friends?

 

[Kevin Spencer]

Your solution has been tried before. Many times.

Don't forget, Columbus only discovered America for those that didn't already
know it was there (like the Indians).

I don't cliam to know everything. I simply claim to know what I do know of
what is already known.

Ignorance may be bliss, but knowledge is power. I'll settle for bliss when
I'm sleeping, and when I die. Until then, I have too many responsibilities
that require knowledge to fulfill. And I take my responsiblities seriously.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.

 

[David Young]

I guess I just don't understand you then. You told KPG that what he wanted
to do was not possible. You ridicule me for saying that we should keep an
open mind about it. I post a solution that WORKS and you say it's been
tried that way before.

If you knew of the solution, why didn't you just post it in the first place
instead of telling him it couldn't be done?

 

[Kevin Spencer]

Hi David,

First, I didn't ridicule you.

Second, your solution doesn't "work." It can be circumvented just like all
the others.

Third, I said it had been tried. I didn't say succesfully. If it had been
tried successfully, I would not have said that there is no solution. There
is no solution. I could go into details (there are excellent technical
reasons why it can't be done), but this is all old history. Only interesting
to someone that hasn't heard it all before. And most of the rest of us have
heard it all before. We're Indians. You're Columbus. Welcome to the New
World.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.

 

[David Young]

Second, your solution doesn't "work." It can be circumvented just like all
the others.

Ok, aside from packet sniffing and decompiling the source, how can it be
circumvented. Not being a smartass here, just the ignorant student asking a
question of the master.

 

[Kevin Spencer]

Hi David,

I'm no master. I'm not sure what a "master" is. I am faced every day with
problems that I must learn something new in order to solve. Lately, for
example, I've been struggling with modelling a small aircraft in a 3D
terrain scene based on GPS data that comes in at about 1 data point per
second. To do the interpolation/extrapolation requires some trigonometry
(not a problem) and some calculus (a problem). So, I've been getting help
with the calculus, and kicking myself for not knowing it, and costing my
employer money as a result. I've bought a couple of books on calculus, and
hopefully will get better at it as I go. I plan to study it at home in my
free time.

I couldn't begin to write an operating system. There are programmers out
there who seem like gods to me. Most of them work for Microsoft or some
Gaming software company.

I only know one thing that you do not, that I know of. And I'm sure you know
a thing or 2 that I do not. That's what we're here for, to help each other
out along the way.

I may come across as a "master" because I tend to keep my mouth shut about
the things I do not know, and speak with authority about the things I DO
know. Occasionally I will make a guess, but not often, and then I will
qualify my remarks by saying that I am guessing. But the perception would be
merely on the part of the perceiver.

So relax, we're all in the same leaky boat together. It's not about people
and personalities, it's about knowledge. I'll share mine with you, and
hopefully, when I'm stuck, you'll share yours with me.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
What You Seek Is What You Get.