
View Full Version : Protecting Scripts and Styles



Vladdy
09-05-2002, 07:35 AM
The following method should prevent users of the client computer from accessing script and style code using the following techniques:
- View (Page) Source - either through right-click, menu or shortcut key
- Save As...
- Temporary Internet Files Folder

The suggested method uses server side scripting and is implemented using ASP.

Your HTML file:


<html>
<head>
...
<script type="text/JavaScript">
scriptsString='2,6,5';
</script>
<script type="text/JavaScript" src="ScriptLoader.js" ></script>
....


ScriptLoader.js listing:


scripts=document.createElement('script');
scripts.src='ScriptLoader.asp?Scripts=' + scriptsString;
document.getElementsByTagName('head')[0].appendChild(scripts);


Action is in ScriptLoader.asp


<%@ Language=VBScript EnableSessionState=False %>
<%Option Explicit%>
<% Response.Buffer = True
Response.Expires = 0 'Prevents caching of the content
%>
<%
Dim strScripts
Dim ipsp, iFNum
Dim fso, file
Dim strReferer
Dim bRM = False

Dim Scripts(13)
Scripts(0) = "Script1.js"
...
Scripts(13) = "Script13.js"


strReferer=Request.ServerVariables("HTTP_REFERER")
'compare referer to the address of the page that uses the
'scripts and continue only if matches. This will allow access
'only by your file

strScripts=Request.QueryString("Scripts")
set fso = Server.Createobject("Scripting.FileSystemObject")

While Len(strScripts) > 0
    ipsp = InStr(1,strScripts,",")
    If ipsp = 0 Then
        iFNum=CInt(strScripts)
        strScripts=""
    Else
        iFNum=CInt(Left(strScripts,ipsp-1))
        strScripts = Right(strScripts, Len(strScripts) - ipsp)
    End If
    set file = fso.opentextfile(Server.MapPath(Scripts(iFNum)), 1)
    Response.Write(file.ReadAll)
    file.close
    set file = nothing
Wend

set fso = nothing

%>


Hope this will extinguish some of the code protection debates.
If you see holes in the suggested approach, let me know. It still does not protect from net traffic sniffers.

sn00py
09-05-2002, 11:32 AM
O.k... I've read through this page a few times and cos I'm good at this coding stuff... can anyone tell me how to input all those codes on the server side? How do I go about doing it? On the HTML part it is clear that I need to paste the above-mentioned codes. Please reply to me if anyone knows... thanks.

glenngv
07-18-2003, 10:04 AM
It has a syntax error in the line that says:

Dim bRM = False

In classic ASP, you cannot declare a variable with an initial value.

I tested the script but I think it does not work. (after correcting the syntax error)

- the file is still cached on the client.
- the content of js can still be viewed.

The filename of the dynamic external script, which is in ASP (ScriptLoader.asp), can be easily determined by viewing the content of ScriptLoader.js. If you got the filename, you can view its content by the view-source: technique or even by just running that ASP page with the correct querystring parameter.

I think my version (http://www.codingforums.com/showthread.php?s=&threadid=23293) is more secure. :)
I created it without knowing that Vladdy did it first.

Vladdy
07-18-2003, 12:06 PM
Yes it does not.... and nothing does. I admit the above code was a brainfart.... :o
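
Added example, not part of the thread and not any poster's code: a JavaScript model of the loader logic in ScriptLoader.asp, with the Referer comparison that the ASP comment describes and strict validation of the Scripts parameter. ALLOWED_PAGE, the three-entry table and the file bodies are constructed sample values; handleLoader and parseIndices are hypothetical names.

```javascript
// Model of the ScriptLoader.asp logic as a pure function (added example).
// ALLOWED_PAGE and the SCRIPTS table contents are constructed sample values.
const ALLOWED_PAGE = 'https://example.test/page.html';
const SCRIPTS = ['Script1.js', 'Script2.js', 'Script3.js'];
const FILES = new Map(SCRIPTS.map((n) => [n, `/* body of ${n} */\n`]));

// Parse "2,0,1" into indices; reject anything that is not a plain
// in-range decimal index instead of letting a conversion error surface.
function parseIndices(param, tableSize) {
  if (typeof param !== 'string' || param.length === 0 || param.length > 64) return null;
  const out = [];
  for (const part of param.split(',')) {
    if (!/^\d{1,3}$/.test(part)) return null;
    const n = Number(part);
    if (n >= tableSize) return null;
    out.push(n);
  }
  return out;
}

function handleLoader(req) {
  const headers = { 'Cache-Control': 'no-store', 'Content-Type': 'text/javascript' };
  // The Referer value is a request header, i.e. data chosen by the client.
  // Comparing it filters casual hot-linking; it does not identify the caller.
  if ((req.headers.referer || '') !== ALLOWED_PAGE) {
    return { status: 403, headers, body: '' };
  }
  const idx = parseIndices(req.query.Scripts, SCRIPTS.length);
  if (idx === null) return { status: 400, headers, body: '' };
  // File names come only from the server-side table, never from the request.
  const body = idx.map((i) => FILES.get(SCRIPTS[i])).join('');
  return { status: 200, headers, body };
}

// Constructed requests: the page's own script tag, and a malformed parameter.
const fromPage = handleLoader({ headers: { referer: ALLOWED_PAGE }, query: { Scripts: '2,0' } });
const malformed = handleLoader({ headers: { referer: ALLOWED_PAGE }, query: { Scripts: '2,../x' } });
console.log(fromPage.status, malformed.status);
// Whatever the checks, a 200 response carries the full script text in its body,
// so every client that can run the script also holds its source.
console.log(fromPage.body.includes('Script3.js'));
```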


