hiding javascript!

glenngv · 07-16-2003, 08:30 AM

Yes, it's possible!

...at least in IE, using external javascript and server-side language.
In my code below, I used VBScript/ASP. You can convert it to any server-side language.

js.asp

Code:

/*****************************
JavaScript Code Hider/Blocker
Created by: Glenn G. Vergara
July, 2003
glenngv@yahoo.com
Philippines
******************************/
<%
'don't cache the js file
Response.Buffer = True
Response.Expires = -1
Response.AddHeader "Pragma", "no-cache"
Response.AddHeader "cache-control", "no-store"
Response.ContentType = "text/javascript"

Dim strReferer, bAccessOK, strRefererHost, intStart, intFirstSlash, bViewJS, strMyHost, strProtocol

bAccessOK = false
bViewJS = true
strReferer = request.servervariables("HTTP_REFERER")

if strReferer <> "" then
	intStart = instr(1,strReferer,"://")
	intFirstSlash = instr(intStart+3,strReferer,"/") 
	strRefererHost = mid(strReferer,intStart+3,intFirstSlash-intStart-3)
	strMyHost = request.servervariables("HTTP_HOST")
	if strRefererHost = strMyHost then bAccessOK = true
	bViewJS = false
end if

if not bAccessOK then
	if bViewJS then
%>
alert("Sorry, you are not allowed to view my JavaScript codes!!!");
<%
	else 'other site has linked this js file
		if request.servervariables("HTTPS")="on" then strProtocol = "https" else strProtocol = "http"
%>
alert("Sorry, this site is NOT allowed to link the JavaScript file, <%=strProtocol & "://" & strMyHost & request.servervariables("URL")%> !!!");
<%
	end if
	Response.End
end if
%>
/********************************
End JavaScript Code Hider/Blocker
*********************************/

//your javascript codes start here
alert('You can execute my JavaScript codes!');//test

just use it in any page like this:
<script type="text/javascript" src="js.asp"></script>

The code above doesn't only hide the js file, it also prevents other sites to link the file.

With this code, the js file is not cached on the client's temporary internet files, so you can't view its source. Typing view-source:url of js file in the address bar will just generate the "You are not allowed..." message. You can't even download the file.
But unfortunately, that "view-source" behavior is in IE only, though in other browsers, the js file is also not cached. In NS6+ or Mozilla, using view-source:url of js file will display the actual generated source code of the js. In NS4, the server variable that holds the url of the referring document returns empty. It can be concluded that when NS4 accesses the external js file in a page, the referer is always empty. Maybe it can also be said for accessing images, css files in a page. So, it's totally unusable in NS4.

I posted it even though it has limited browser support. I just want to point out that it is still possible to hide javascript codes from the client. We all know that we have never-ending questions of that nature here in CodingForums.

Your comments are welcome.

Roy Sinclair · 07-16-2003, 03:16 PM

The directive to not cache can be altered by firewall software and despite that directive I think IE will put it into the cache and then delete the file as you leave the page so as long as the user has the page open they can still find the JS file in the cache.

brothercake · 07-16-2003, 03:36 PM

I agree - it will have no effect because the file will be cached, even if only temporarily. All one would have to do is open the cache folder; or of course, not use IE to view it.

Roy Sinclair · 07-16-2003, 04:52 PM

I guess I should have added that while it's an interesting thought and a nice effort it's still a not worth bothering to use since it's still easily bypasses.

Fortunately or unfortunately (depending on your point of view) the very nature of how the web works makes these efforts into exercises in futility.

whackaxe · 07-16-2003, 05:20 PM

yeah people can rip you, but why make it easy for them?

Roy Sinclair · 07-16-2003, 08:40 PM

Those who don't know how to go around a few simple barriers probably aren't smart enough to be able to make much if any use of code worth the effort of putting barriers around. Those who are smart enough to make use of the code will also be smart enough to be able to find their way around your barriers.

glenngv · 07-17-2003, 02:37 AM

I'm not saying that it's a fool-proof solution. And I'm not really a "hide javascript" advocate either. As I said in the last part of my post, I just pointed out that it is possible to hide the code in a specific browser such as IE. I just toyed with this solution because of all those countless "hide javascript" posts here in CF and other forums.
I have tested it in our intranet and it works, the js file is not cached. I guess it may be useful in an intranet where the environment is controlled and the only browser is IE. And even then, you have to know where and when to use it or not (at all). I'm not in any way encouraging users to hide all their javascript codes in their applications. Only in justifiable situations such as simple online quizzes, games, etc...

Drakain Zeil · 08-07-2003, 08:05 PM

You could always try to chipper it, thou, I don't think that would go over too well.