...

View Full Version : hiding javascript



rhodopsin
11-11-2004, 12:24 PM
I really want to hide my javascript code such that no one can read it. I know that I should implement my code in server side language, such as PHP, if I really want to hide code. But for various reasons (primarily that my code checks the time zone of the visitor - this can only be done in javascript (or other client side language) from what I have researched. Please correct me if I am wrong) I want to use javascript.

I have read quite a bit about hiding HTML source code and lots of people say that this is a bit of a red herring. Gold at the end of the rainbow kind of thing - it is not possible. But how about hiding the code of a javascript.js file. Is this possbile? One method that seems pretty good to me can be found at

http://www.devpapers.com/article/52

I would like you guys to look at this and see what weaknesses may be associated with it. Is there anyway someone could get around it to see my javascript code? Thanks guys.

In case the moderator pulls the url - I have cut and paste the webpage here:

Don't want your JavaScript copied? Here's a very simple script that will hide it!



On the page where the JavaScript is placed, add:

<?
session_start();
if(!session_is_registered('allow_script'))
{
session_register('allow_script');
$allow_script = true;
}
?>
<html>
<head>
<script language="JavaScript" src="script.php"></script>
</head>
<body>
Body goes here...
</body>
</html>


And now create a new file called script.php and place your JavaScript there:

<?
session_start();
if($allow_script)
{
header("Content-type: text/javascript");
?>

alert("Woohoo! My JavaScript Works!");

<?
$allow_script = false;
}
?>



As you can see it uses a session. When you open the page where the JavaScript is placed it creates a session which allows the JavaScript to be viewed. But if you open script.php by its self, no session is created!

Try opening script.php in your browser window and you'll notice you can't view the code!

glenngv
11-11-2004, 12:58 PM
http://www.vortex-webdesign.com/help/hidesource.htm

Kor
11-12-2004, 01:02 PM
src="url" will always copy that file at url address (as well as the whole HTML page and all the src files) into the browser's cache folder, where it can be open with notepad... :D

This is why people are still seeking for the perpetum mobile :p

Nice link glenngv :D

jbot
11-12-2004, 03:36 PM
rhodopsin: don't listen to them. you can hide your JS. use this tag and your clothes will be whiter than white:


<script hide="true" src="url.js"/> ;)

Roy Sinclair
11-12-2004, 04:52 PM
Try opening script.php in your browser window and you'll notice you can't view the code!

Don't have to open script.php, the tools in the Firefox browser allow me to look at that code straight from the page where it's already loaded.

The guy who came up with this idea has less than half an understanding of how browsers work and from the comments on that site others don't think too much about his PHP coding skills either. About the only thing he's got going for him is a good last name ;) .

rhodopsin
11-12-2004, 05:13 PM
Hi guys, thanks for all your posts. This thread seems to be going a storm.

As far as the cache thing - I have been working on this and recken that adding an HTTP header to the .php file can stop this being cached. Will go some way to helping the security of our javascript code.

Header

<?php
header("Cache-Control: no-store, no-cache");

The firefox thing - can you please take me through this in a bit more detail. I would really like to know how to crack this defence - just so I can use it whilst fully understanding its weaknessses.

By the way - if you guys know of a better way of protecting javascript then please let me know - i would be very, very grateful. I really want to protect my code - unfortunatley it has to be javascript so there is always going to be a limit to how secure it can be.

rhodopsin
11-12-2004, 05:15 PM
jbot - just to clarify

<script hide="true" src="url.js"/>

hide="true" - does this code act to stop "url.js" being saved in the browser cache?

Thanks mate.

rhodopsin
11-12-2004, 05:23 PM
soz,

i forgot to say that i did follow up the url

http://www.vortex-webdesign.com/help/hidesource.htm

but that this method of hiding javascript did seem to stand up to the methods of uncovering code detailed on that web page. I may be wrong as i did skim a bit through some of the methods - but am fairly sure that these cannot crack this

Would be great if someone could come up with a method of cracking this. Would also appreciate peoples ideas on other methods of protecting javascript.

Roy Sinclair
11-12-2004, 05:25 PM
This is a topic much discussed before on this forum and the bottom line has never changed.

The bottom line is that there is absolutely no way to protect or completely hide your javascript code from an end user, the best you can do is to make it harder.

jbot's post was sarcasm, sorry you didn't catch that. There is no "hide=true" property you can set.

Cache controls aren't going to hide your code either and definitely don't waste you money trying to buy one of the "snake oil" solutions you'll find offered by some of the lower life denizens of the internet, they'll just take your money.

In Firefox: Tools > Javascript Debugger. That'll bring up the javascript debugger and with it I can look at any javascript on the page, including the one your original post claims to hide.

Kor
11-12-2004, 05:36 PM
here's another way to avoid your "hidding" method. Save the HTML page, remove the php instructions, launch locally or on your server, and this is it.

jbot
11-12-2004, 05:51 PM
jbot - just to clarify

<script hide="true" src="url.js"/>

hide="true" - does this code act to stop "url.js" being saved in the browser cache?

that's coz you need to update your browser to Foxcub 1.1

you also need to add this to the start of each page:


<?xml-stylesheet href="chrome://caffeine/too/much.of.css” type="text/css"?>
<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/ this.is.pure.wishful.thinking.xul”
xmlns:nc="http://home.nowhere.com/">

<sarcasm intention="true">this post and the last one</sarcasm> ;)

jbot
11-12-2004, 05:52 PM
rhodo: give up there really is nothing you can do. we're not keeping anything from you. just leave it alone. :)

rhodopsin
11-12-2004, 07:07 PM
thanks guys - i will let it go now - this thread has been very useful for me. I realise the futility of it ultimately - it is just a Q of slowing rather than stopping. I am still going to use this - as something of a detterent. I have to use javascript for this and so will always be vulnerable.

At the danger of enraging you guys further - can I ask what in your opinion is the best source code obfusication script out there? I realise the limits of these and would never pay for one. But it will slow down the majority of people looking into my code. U guys are experts and so can easily see past these things - most guys out there that may start snooping around wont see it through - to go through all the time surfing the web tryinfg to get around these things. I am thinking of obfusicating my source code and then using the script discussed in this thread to "hide" my javascript .js file. Two weak methods of protection - together making a slightly less weak wall of protection. But protection nonetheless.

Thinking of going with this one at the moment:

http://www.ezine-writer.com/hidesource.html

I hope that this one of the better ones out there.

P.S Pretty funny. Yep the sarcasm went straight past me. Didn;t twig it at all.

P>S Would obfusication of my source code (including the text presented on the web page) - would this affect google searching my site and my google ranking??

Roy Sinclair
11-12-2004, 07:52 PM
I think that obscufating the text on your web page would definitely drop your Google rating since you'd have to use Javascript to fix it and Google's bots aren't going to run your javascript.

To make your code ugly enough that no one would want to copy it you just need to remove all the CRLF characters (make it all one line) and then replace all the meaningful variable and function names with short random nonmeaningful names. To be honest though, unless you're a true wizard of Javascript I doubt your code would have much appeal to me in the first place, I've seen a lot of pretty crummy code that people wanted to protect (even code they copied from somewhere else themselves as incredible as that sounds). Unless your code is really something special it probably doesn't need protection.

7stud
11-12-2004, 08:59 PM
Unless your code is really something special it probably doesn't need protection.


But for various reasons (primarily that my code checks the time zone of the visitor - this can only be done in javascript (or other client side language) from what I have researched.

ttttt :eek:

Why not get the time, and then send it back to a php script?

codegoboom
11-13-2004, 12:58 AM
CodingForums.com > :: Client side development
JavaScript programming

Before you post, read our: Rules & Posting Guidelines

------------------------------------------------------
Totally Protect your HTML
Stop Web page thieves with 1
click New software. Seen on
CNN. $14.95
------------------------------------------------------
Ads by Goooooogle
------------------------------------------------------



:thumbsup:

glenngv
11-13-2004, 12:15 PM
But for various reasons (primarily that my code checks the time zone of the visitor - this can only be done in javascript (or other client side language) from what I have researched.
What's so so precious about that code that you want to hide it? :eek:

Kor
11-13-2004, 01:23 PM
But for various reasons (primarily that my code checks the time zone of the visitor - this can only be done in javascript (or other client side language) from what I have researched.


I'll join the 7studs' club. ;) The secure way for anything on web is a server-side solution. (Unless a wise hacker finds out your pass to the server... :D )

rhodopsin
11-13-2004, 03:47 PM
It is not my code per se that i wish to protect - it is just that i do not want persons to know that i am redirecting on the basis of time zone if they ever take the time to look. So, in this way I can provide different content to different time zones - without anyone knowing. This is important to my current aims and the information service that I want to provide.

"Why not get the time, and then send it back to a php script?"

That is an excellent idea. It definitely reduces the amount of code on the client side. But - they could still guess that I am using time zone as they can see that the time zone javascript variable is being sent to my server. Is there anyway that i can implement the javascript with perhaps altered variable names - so that they would not know that it is time information that I am plucking from their computer?

For instance - here is some javascript that returns the time zone of the visitor. I could adapt this to send time zone variables back to my server - but in such code they would see getTimezoneOffset - would guess that I had some code server side that was perhaps redirecting on the basis of time zone. Is there anyway that I can change javascript variables to different names? So, that they cannot guess what I am sending server side?

<SCRIPT Language="JavaScript">
var curDateTime = new Date()
document.write("GMT Offset for your time zone is ")
document.write(-(curDateTime.getTimezoneOffset()/60))
</SCRIPT>

Once again - many thanks for all your help. I really hope that you dont find this thread tiresome. You really are being a great help to me. I really am very grateful.

rhodopsin
11-13-2004, 03:59 PM
"replace all the meaningful variable and function names with short random nonmeaningful names."

How can i do this with my javascript and then for it to still work? That is chage the code enough that the variable names don;t give away that I am pulling time or time zone information from their computer.

rhodopsin
11-13-2004, 04:04 PM
By the way - one workaround - to get the time zone of the visitor by IP to country to time zone conversion. I dont wish to do it like this - i do just want to get the time zone off the visitors computer. May well be wrong on the computer - but still want to get the time zone this way. Thanks guys for putting up with me.

Philip M
11-13-2004, 05:20 PM
"So, in this way I can provide different content to different time zones - without anyone knowing. This is important to my current aims and the information service that I want to provide."

Hum, why should it be such a secret that different content is provided to different time zones, and why is it so vital that the user is unaware of this?
And what is so incredibly clever about your code that no-one must be allowed to see it?

codegoboom
11-13-2004, 05:29 PM
------------------------------
Protect JavaScript code
Prevent reverse engineering
scripts Works with HTML, XML,
ASP and PHP
------------------------------
Ads by Goooooogle
------------------------------


:thumbsup:

Roy Sinclair
11-16-2004, 07:59 PM
Why not set a session cookie to contain the timezone offset from GMT when the user first hits your site, then every page after that first page will be able to use that cookie to provide the appropriate content for the user. When the user first hits your web site without a cookie you may have to provide a short version of the page without the regional content and then refresh the page to get the rest of the content once the cookie has been set.

If you don't name the cookie in an obvious fashion then it should be less obvious what it contains. Be aware that the clever are always going to figure it out though, there really isn't anything you can do to keep them in the dark.

Willy Duitt
11-16-2004, 08:01 PM
I do not allow session cookies :eek:

glenngv
11-17-2004, 04:44 AM
Hum, why should it be such a secret that different content is provided to different time zones, and why is it so vital that the user is unaware of this?
I'm also baffled with that. :confused:

jbot
11-17-2004, 11:18 AM
the user should be able to change their timezone. after all, they may be somewhere where the difference between timezones is only a meter, and having a laptop, they move from one timezone to another quite freely. not being able to change timezones would therefore corrupt any time-dependent data.

so, how come you need to hide the script?

liorean
11-27-2004, 12:02 PM
Added an entry in the FAQ about hiding JavaScript source code...

jbot
11-27-2004, 12:30 PM
Added an entry in the FAQ about hiding JavaScript source code...

maybe need a sticky on its own, too :)

24-ba
11-27-2004, 05:44 PM
Don't have to open script.php, the tools in the Firefox browser allow me to look at that code straight from the page where it's already loaded.

The guy who came up with this idea has less than half an understanding of how browsers work and from the comments on that site others don't think too much about his PHP coding skills either. About the only thing he's got going for him is a good last name ;) .

How do you do that with Firefox? I know the browser has a lot of neat tricks it can do but I just use it for browsing.

Danne
11-27-2004, 11:17 PM
I know that hiding source code is impossible. However my boss found this page:
http://www.microsoft.com/office/solutions/default.mspx

He wanted me to have a look at how they did the mouseover effect, since it seemed faster than a onmouseover="this.className='hoverName'" onmouseout="this.className='name'" .

When I couldn't find the code, he claimed that hiding the source isn't impossible.

The page contains 3 scripts, and I believe the first one contains the menu functions. The hover effect only works in ie, btw.

How can I see the code?

Willy Duitt
11-27-2004, 11:27 PM
It's not hidden nor in an external file... It's right there on the page...



function mhHover(tbl,idx,cls){var t,d;if(document.getElementById)t=document.getElementById(tbl);else t=document.all(tbl);if(t==null)return;if(t.getElementsByTagName)d=t.getElementsByTagName("TD");else d=t.all.tags("TD");if(d==null)return;if(d.length<=idx)return;d[idx].className=cls;}

<td class="gt0" nowrap="nowrap" onmouseover="mhHover('msviGlobalToolbar', 2, 'gt1')" onmouseout="mhHover('msviGlobalToolbar', 2, 'gt0')">


.....Willy

Danne
11-27-2004, 11:43 PM
It's not hidden nor in an external file... It's right there on the page...



function mhHover(tbl,idx,cls){var t,d;if(document.getElementById)t=document.getElementById(tbl);else t=document.all(tbl);if(t==null)return;if(t.getElementsByTagName)d=t.getElementsByTagName("TD");else d=t.all.tags("TD");if(d==null)return;if(d.length<=idx)return;d[idx].className=cls;}

<td class="gt0" nowrap="nowrap" onmouseover="mhHover('msviGlobalToolbar', 2, 'gt1')" onmouseout="mhHover('msviGlobalToolbar', 2, 'gt0')">


.....Willy


I wasn't so clear. I meant the menu to the left. The html contains this:



<td nowrap="nowrap" id="msviHomePageLink"><a href="http://office.microsoft.com/home/default.aspx" LinkArea="LocalToolbar" LinkID="LT_Drop1" onclick="trackInfo(this)">Office Home</a></td>


And I think the code is in this script:


<script type='text/javascript' language='Javascript' src='/library/mnp/2/aspx/js.aspx?&amp;name=Pagetools&amp;name=Menu'></script>

Willy Duitt
11-27-2004, 11:48 PM
And what did you find when you looked into that external file?

Besides, the code you posted does not show any mouse events...
What makes you think it is using javascript and not css using hover, active, ect....

Basscyst
11-27-2004, 11:51 PM
So, look in the script? I'm not real sure what you are asking here. . .The code is there, if it's javascript you can't hide it. Bottom line!!! I will say though you could create that same \ similar effect using purely css.

LMAO - Willy, great minds. . . .

Basscyst

Danne
11-28-2004, 12:01 AM
And what did you find when you looked into that external file?

Besides, the code you posted does not show any mouse events...
What makes you think it is using javascript and not css using hover, active, ect....

I downloaded the files to make it work locally. And then I removed piece by piece of the code to see when the menu hover stop working. It did so after removing that scripttag.

Here's what I tried (I might have forgotten something):
The file is not stored in the browser cache (documents & settings).
I have written a script to view the innerHTML of this and the other scripttag.
DOMInspector in Firefox doesn't show its content.

Danne
11-28-2004, 12:02 AM
So, look in the script? I'm not real sure what you are asking here. . .The code is there, if it's javascript you can't hide it. Bottom line!!! I will say though you could create that same \ similar effect using purely css.

LMAO - Willy, great minds. . . .

Basscyst


What I'm asking is, how can I see this script?

joh6nn
11-28-2004, 12:24 AM
Danne, if you think you know where the script in question is, why don't you tell your boss so?

javascript remains impossible to hide. as such, and as this thread doesn't seem to be going anywhere, i'm closing it.

liorean
11-28-2004, 12:27 AM
Well, you have a number of methods:
- View source
- DOM Inspector (in the Tool menu)
- Venkman (the JavaScript Debugger, in Tools menu, if installed)
- By the Live HTTP Headers extension.

There are also several bookmarklets, by Jesse Ruderman, by me and probably by others as well.



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum