Protecting Scripts and Styles

09-05-2002, 07:35 AM
The following method should prevent users of the client computer from accessing script and style code using the following techniques:
- View (Page) Source - either through right-click, menu or shortcut key
- Save As...
- Temporary Internet Files Folder

The suggested method uses server side scripting and is implemented using ASP.

Your HTML file:

<script type="text/JavaScript">
<script type="text/JavaScript" src="ScriptLoader.js" ></script>

ScriptLoader.js listing:

scripts.src='ScriptLoader.asp?Scripts=' + scriptsString;

The action is in ScriptLoader.asp:

<%@ Language=VBScript EnableSessionState=False %>
<%Option Explicit%>
<% Response.Buffer = True
Response.Expires = 0 'Prevents caching of the content
Dim strScripts
Dim ipsp, iFNum
Dim fso, file
Dim strReferer
Dim bRM = False

Dim Scripts(13)
Scripts(0) = "Script1.js"
Scripts(13) = "Script13.js"

'compare referer to the address of the page that uses the
'scripts and continue only if matches. This will allow access
'only by your file

set fso = Server.Createobject("Scripting.FileSystemObject")

While Len(strScripts) > 0
ipsp = InStr(1,strScripts,",")
If ipsp = 0 Then
strScripts = Right(strScripts, Len(strScripts) - ipsp)
End If
set file = fso.opentextfile(Server.MapPath(Scripts(iFNum)), 1)
set file = nothing


set fso = nothing


Hope this will extinguish some of the code protection debates.
If you see holes in the suggested approach, let me know. It still does not protect from net traffic sniffers.

09-05-2002, 11:32 AM
OK, I've read through this page a few times and cos I'm good at this coding stuff... can anyone tell me how to input all that code on the server side? How do I go about doing it? On the HTML part it is clear that I need to paste the above-mentioned code. Please reply to me if anyone knows. Thanks.

07-18-2003, 10:04 AM
It has a syntax error in the line that says:

Dim bRM = False

In classic ASP, you cannot declare a variable with an initial value.

I tested the script but I think it does not work. (after correcting the syntax error)

- the file is still cached on the client.
- the content of js can still be viewed.

The filename of the dynamic external script, which is in ASP (ScriptLoader.asp), can easily be determined by viewing the content of ScriptLoader.js. If you have the filename, you can view its content with the view-source: technique or even by just running that ASP page with the correct querystring parameter.

I think my version (http://www.codingforums.com/showthread.php?s=&threadid=23293) is more secure. :)
I created it without knowing that Vladdy did it first.

07-18-2003, 12:06 PM
Yes it does not.... and nothing does. I admit the above code was a brainfart.... :o
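
Added example, not part of any post in this thread: a JavaScript model of the loader's Referer gate and index allowlist, showing why the gate cannot keep a delivered script private, as the replies conclude. The page address, script bodies and all function and variable names are constructed assumptions.

```javascript
// Added illustration; names, page address and script bodies are constructed assumptions.
const SCRIPTS = ["Script1.js", "Script13.js"]; // allowlist, like the Scripts() array
const SOURCES = {
  "Script1.js": "function one() { return 1; }",
  "Script13.js": "function thirteen() { return 13; }",
};
const PAGE = "https://example.test/page.html";

// Model of the loader as a pure function from request to response (no network needed).
function scriptLoader(req) {
  const headers = { "Content-Type": "text/javascript", "Cache-Control": "no-store" };
  // The Referer gate from the first post: the value is chosen by the client.
  if (req.headers["referer"] !== PAGE) {
    return { status: 403, headers, body: "" };
  }
  const query = new URL(req.url, PAGE).searchParams.get("Scripts") || "";
  const parts = [];
  for (const token of query.split(",")) {
    // Accept only numeric indexes into the allowlist; never use the token as a path.
    if (!/^\d+$/.test(token) || Number(token) >= SCRIPTS.length) {
      return { status: 400, headers, body: "" };
    }
    parts.push(SOURCES[SCRIPTS[Number(token)]]);
  }
  return { status: 200, headers, body: parts.join("\n") };
}

// What the browser sends when the page loads the script tag.
const browserRequest = {
  url: "/ScriptLoader.asp?Scripts=0,1",
  headers: { referer: PAGE },
};
// The same URL opened directly carries no Referer, so the gate refuses it.
const directRequest = { url: browserRequest.url, headers: {} };
// The server sees only request fields, so an identical request gets an identical answer.
const replayedRequest = { url: browserRequest.url, headers: { ...browserRequest.headers } };
// Constructed invalid value: not an index, so it never reaches the file lookup.
const badIndexRequest = { url: "/ScriptLoader.asp?Scripts=../x", headers: { referer: PAGE } };

function demo() {
  return {
    browser: scriptLoader(browserRequest),
    direct: scriptLoader(directRequest),
    replayed: scriptLoader(replayedRequest),
    badIndex: scriptLoader(badIndexRequest),
  };
}
```

The 200 response carries the full source whether or not caching is disabled, so logic that must stay private belongs in server-side code rather than in a delivered script.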