newbie - keeping javascript code away from prying eyes

Dave Schwimmer

Is it possible to 'hide' javascript from a user? I am thinking of
putting some fairly proprietary logic client side (to release burden on
server) - but I don't want to make the source freely available to every
Tom, Dick and Harry. Any suggestions?
 
Jim

Dave Schwimmer said:
Is it possible to 'hide' javascript from a user? I am thinking of putting
some fairly proprietary logic client side (to release burden on server) -
but I don't want to make the source freely available to every Tom, Dick and
Harry. Any suggestions?

The short answer is... it can't be done.
 
Dave Schwimmer

Jim said:
The short answer is... it can't be done.

Ok. Precise and to the point. That's good. But there's always a way though
(or is there?). What if I have my libraries in *.js files on the server
in a location that the user does not have permissions to (I will
of course need something server side to load the files - which defeats
the purpose of client side processing, so I shot myself in the foot
already).

Does anyone know how to get around this?
 
zeldorblat

Dave said:
Ok. Precise and to the point. That's good. But there's always a way though
(or is there?). What if I have my libraries in *.js files on the server
in a location that the user does not have permissions to (I will
of course need something server side to load the files - which defeats
the purpose of client side processing, so I shot myself in the foot
already).

Does anyone know how to get around this?

You can't have your cake and eat it, too :) What you're basically
asking for is the ability to have the client (which is out of your
control, nonetheless) read, parse, and execute some code -- without
reading that same code.

But, honestly, if your code is that proprietary and sensitive you
shouldn't even consider having some (unknown) client run it for you.
 
cwdjrxyz

Dave said:
Is it possible to 'hide' javascript from a user? I am thinking of
putting some fairly proprietary logic client side (to release burden on
server) - but I don't want to make the source freely available to every
Tom, Dick and Harry. Any suggestions?

You can only make the script difficult to obtain. This may be enough to
keep Tom, Dick, and Harry away, but not many users of this group :).

You will find a tool at
http://www.dynamicdrive.com/dynamicindex9/encrypter.htm that has been
around for ages and that will make the script difficult to read.
However, even if a viewer does not know about this site, a person who
knows javascript well will see what has been done and likely can write
a little program to decode it quite rapidly.
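
Added example, not part of the original thread and not output from the linked tool: a sketch of why percent-escaping a script is encoding rather than protection. The `document.write(unescape('...'))` wrapper shape, the sample source and all function names are assumptions made for illustration.

```javascript
// Constructed sample standing in for "proprietary" client-side logic.
const SAMPLE_SOURCE =
  '<script>function price(q){return q*19.99*(q>10?0.9:1);}<\/script>';

// ASSUMPTION: wrapper shape typical of escape-style "encrypters"; this is
// not verified output of the tool linked in the post.
function obfuscate(source) {
  let hex = '';
  for (const ch of source) {
    const code = ch.charCodeAt(0);
    if (code > 0xff) throw new RangeError('sample is limited to Latin-1');
    hex += '%' + code.toString(16).toUpperCase().padStart(2, '0');
  }
  return "document.write(unescape('" + hex + "'))";
}

// Recovery 1: no execution at all, just find the literal and decode it.
function recoverStatically(wrapper) {
  const m = /unescape\(\s*(['"])((?:%[0-9A-Fa-f]{2})+)\1\s*\)/.exec(wrapper);
  if (!m) return null; // not this wrapper shape
  return m[2].replace(/%([0-9A-Fa-f]{2})/g, (_, h) =>
    String.fromCharCode(parseInt(h, 16)));
}

// Recovery 2: let the wrapper decode itself into a stand-in document.
// This executes the wrapper, so use it only on code you produced yourself.
function recoverByRunning(wrapper) {
  const written = [];
  const fakeDocument = { write: (s) => written.push(String(s)) };
  new Function('document', wrapper)(fakeDocument);
  return written.join('');
}

const wrapped = obfuscate(SAMPLE_SOURCE);
console.log(wrapped.slice(0, 48) + '...');
console.log(recoverStatically(wrapped) === SAMPLE_SOURCE);
console.log(recoverByRunning(wrapped) === SAMPLE_SOURCE);
```

Both recovery paths return the sample byte for byte, because the decoder has to ship alongside the encoded text for the browser to run it.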
 
Vladas Saulis

Ok. Precise and to the point. That's good. But there's always a way though
(or is there?). What if I have my libraries in *.js files on the server
in a location that the user does not have permissions to (I will
of course need something server side to load the files - which defeats
the purpose of client side processing, so I shot myself in the foot
already).

Does anyone know how to get around this?

In my projects I use AJAX-like connections through IFRAME, which loads JS
from the server (generated on the fly), and then executes it via eval().
If I instruct a browser not to cache this loaded page (with no-cache
header), it might be possible to hide JS source.

Vladas
ProData Ltd.
 
Richard Cornford

Sometimes no means 'no, not ever'.
In my projects I use AJAX-like connections through IFRAME,
which loads JS from the server (generated on the fly), and
then executes it via eval(). If I instruct a browser
not to cache this loaded page (with no-cache header), it
might be possible to hide JS source.

Web browsers often treat 'instructions' not to cache a resource as an
instruction not to hang on to a copy of that resource once they have
closed down. If you look in the cache while the site is still in the
browser all the downloaded resources (irrespective of protocol or
headers) are likely to be available (and you only need to know one
browser where that is true to get around any number of browsers that may
act in a manner that is more friendly to the prospective code hider).

And that is assuming the site is not using plain HTTP and the
prospective student of the code is not just recording all the incoming
HTTP traffic to disc.

The whole 'code hiding' notion is a dead loss; the only people against
whom it is effective are the people who would have no use for what they
found (most of whom do not know enough to even look for the code). As
soon as you are trying to defeat people with even an intermediate
understanding of javascript and web technologies the client-side code is
wide open to examination.

Richard.
 
cwdjrxyz

Dave said:
Is it possible to 'hide' javascript from a user? I am thinking of
putting some fairly proprietary logic client side (to release burden on
server) - but I don't want to make the source freely available to every
Tom, Dick and Harry. Any suggestions?

Unless a server is badly overloaded, many serverside scripts, such as
php, take very little space and time to operate. Thus I would strongly
suggest writing as much of your code as possible in php. In general,
you can do most things with php that you can do with javascript,
provided that some operation, perhaps selecting a color, is not
required after download. However you can also use just enough
javascript to do the things that can not be done with php in this case.

If the server resources really are a problem, you could write most of
the code in javascript. However you could use php on the server for
just enough code to make it difficult to impossible to tell everything
that is being done. Javascript and php mix and match very well in many
cases. However, if use of pure php and no javascript is possible, your
code will not only be hidden, but your page will also work on the small
number of browsers that have javascript turned off.
 
Randy Webb

Dave Schwimmer said the following on 2/17/2006 11:10 PM:
Ok. Precise and to the point. That's good. But there's always a way though
(or is there?). What if I have my libraries in *.js files on the server
in a location that the user does not have permissions to (I will
of course need something server side to load the files - which defeats
the purpose of client side processing, so I shot myself in the foot
already).

Does anyone know how to get around this?

Open the site.
File>Save As
Save the site.

Now, I have the files.
 
Tim Slattery

Dave Schwimmer said:
Ok. Precise and to the point. That's good. But there's always a way though
(or is there?). What if I have my libraries in *.js files on the server
in a location that the user does not have permissions to (I will
of course need something server side to load the files - which defeats
the purpose of client side processing, so I shot myself in the foot
already).

You said it. You're talking about code that will be executed on the
client. The client can't execute it if it can't get it. Once the
client gets the code, you no longer have control over it, the client
can display it, save it, parse it, whatever. You have no idea what's
being done and absolutely no control over it.

So: if you really, really, need to keep this stuff secret, then keep
it on the server. Server-side processing cannot be seen by the client,
and you have total control over it.
 
Julian Turner

Vladas Saulis wrote:

[snip]
In my projects I use AJAX-like connections through IFRAME, which loads JS
from the server (generated on the fly), and then executes it via eval().
If I instruct a browser not to cache this loaded page (with no-cache
header), it might be possible to hide JS source.
[/snip]

One simple attack to start with is to use the HTTPRequest object with
the URL of your JavaScript producing server page. You can then access
the results through the responseText property.

Regards

Julian
 
ken.girard

If it was possible to hide the code your computer would have already
been taken over by some script kiddie.

Ken Girard
 
