Decoding html pages

[Guest]

Spamless wrote:
just one method for javascript:
http://code.google.com/p/turbojs/wiki/ClosedSourceJS

(I am not fully understand how it works and it requires a few dummy js files
for few javascripts)
That isn't a javascript trick, but php blocking of access to the file.
It is a server side trick to prevent one from simply accessing the
*.js file - it has to be loaded by a "proper" page. [...]
Nonsense. You are making the false assumption that accessing the generated
source code requires another request. It doesn't. One does not even need
Firebug to see it, although it helps.

That is why the dummy.js file is at the end to unset the session state
allowing one to get the "protected Javascript" (it would be pointless to
block it for everything for then it could not be gotten the first time) when
the page is started then unsetting the server side session variable. [...]

The state of the server-side session does not matter at all when (*not* if)
no further request is necessary to get at the code.

Send a request for index.html and you do NOT get the (client side) included
Javascript modules. Another GET request is required. If, somehow, when your
browser sets a
GET /index.php HTTP/1.1
Host: somesite.com
back comes the index.php *and* the (client side) included Javascript file,
then you have a magic browser.

On the other hand, with HTTP 1.1 and "Keep-alive" one does not need a new
TCP stream, that is true, on the other hand a GET request for a new page
will cause another call to the PHP engine to parse the new file.

On the fourth hand, a site could be set up so that the index.php file has
a server side, PHP inclusion of the code so that the PHP engine puts the
actual Javascript code on the index.php page rather than a client side
inclusion
[script type="text/javascript" src="js/closedsource.js"][/script]
as is used here (requiring a new GET request).

The page does not include the code on the server side (it could have
used PHP code to write the contents of some javascript file to the
page itself before sending out the HTML page, with the Javascript on
it rather than write out a [script src=...] tag).

It doesn't. It sends HTML code to have the browser load the *js file
separately. That requires another GET request.

Look ... I didn't write it. Send a note to google telling them that their
programmers are incompetent. Go to
http://code.google.com/p/turbojs/wiki/ClosedSourceJS
and use the link on the bottom to add a comment on how wrong their code is.

 

[Guest]

That isn't a javascript trick, but php blocking of access to the file.
It is a server side trick to prevent one from simply accessing the
*.js file - it has to be loaded by a "proper" page.

Let me write up something in a bit more detail (as this is not Javascript
but PHP) to indicate what the google example shows.

It is *not* Javascript one can use on one's pages. It is a PHP method one
can use on a server with support for embedded PHP code.

To get around the stateless nature of HTML one can associate a web session
with a server side state saved in some variable, an array, say $_SESSION. To
recognize that a visitor is getting a new page in this same web session one
may set a cookie, say PHPSESSID, to a random variable with short TTL (or set
as a session cookie) (reset and update the TTL as other pages are loaded).
The session variable, an associative array (hash) or object may have
readable and writeable values associated to keys or properties.

Using PHP, one can set the web server NOT to send off the file index.html
when a request for index.html arrives, but instead send the index.html page
to the PHP engine along with the session data/variable/object/array and let
that programme return data to the web server which passes it along to the
visitor's browser as the content returned for the request for "index.html."
In that case, the index.html file need not be pure HTML but has to be
something the PHP engine understands and can use to create valid HTML to
pass along to the web server to pass along to the visitor.

For example, the PHP engine might check for a variable named image_count in
the session data. If not there, set it to zero and add it to the session
data. Next, return as the first part of the HTML code it generates an
tag to display the first banner if image_count is 0, the
second banner if image_count is 1, ... the fifth banner if image_count is 4.
Have it check image_count and if it is zero write out the HTML content for
the first advertisement, if it is one write out the HTML content for the
second ad, etc. and finally increase image_count by 1 mod 5.

If you visit the site you see the first banner and ad. Reload the same page
and see the second. Reload the same page and see the third, etc. You get
different results sending the exact same request data to the same server for
the same page/URL (but never see the original, unchanging "raw" file).

You never see the raw index.html *file* with its embedded PHP code but only
the HTML code that the PHP engine produces *from* the raw html code and that
returned HTML code depends on the current state/session data. This is all
done server side and the visitor does not see the server-side state data
which determines which page he/she gets.

Since this is no longer a stateless connection, one can use the state data
in the session variables/session array/session object to change responses or
access depending upon the state. The use of PHP and tracking the
session/state to allow or block access to a (in this case Javascript) file
is what the example at google provides.

The page at [URL]http://code.google.com/p/turbojs/wiki/ClosedSourceJS[/URL] shows a way
to block access to a Javascript file depending on the state and how to set
and unset state on a page.

To block access to a Javascript file except when a page using it is loading
one can set a session variable to allow loading the Javascript page at the
top of the page and have it reset after the page has loaded. One cannot
simply reset it at the end using PHP code embedded in the (PHP parsed) raw
HTML page itself because it would be reset when the HTML page is first
parsed by the PHP engine, before it is even sent out and before the
Javascript has had a chance to load, not after it has loaded, so one has to
have something accessed after the Javascript has been loaded and have the
PHP engine reset the accessibility variable when that item is accessed.

These are PHP session variables and not Javascript. They enable stateful
data to be used for a web session. They can and are used for lots of things.

The code at [URL]http://code.google.com/p/turbojs/wiki/ClosedSourceJS[/URL] uses a PHP
session variable (the key or property of the $_SESSION associative
array/object, 'js_turbo01') as the Javascript accessibility variable. The
first thing the sample shows is the command to have the webserver *not*
simply send a visitor's browser a *.js file but instead pass it along to the
PHP engine to parse it and return the results presented by the php engine
AddType application/x-httpd-php .js

At the start of the "proper page" which uses the Javascript, the
accessibility variable is set ("show" is the value used to indicate it is
set to allow access) and at the end of the page an item to unset the
accessibility variable (when it is accessed and parsed by the PHP engine) is
added (the "dummy.js" file in the sample at
[URL]http://code.google.com/p/turbojs/wiki/ClosedSourceJS[/URL]).

When one tries to access the "protected" code, closedsource.js, in the
example, the raw original file is not returned but it is passed along to the
PHP engine which checks the state (is access allowed?) and if so it returns
the real code and if not it may return something else (in the sample shown,
it just returns text indicating an error but the PROTIP at the bottom
suggests returning code different from the "real" code when accessed without
the accessibility variable properly set).

 

[Thomas 'PointedEars' Lahn]

Thomas 'PointedEars' Lahn wrote:
Spamless wrote:
just one method for javascript:
http://code.google.com/p/turbojs/wiki/ClosedSourceJS

(I am not fully understand how it works and it requires a few dummy js files
for few javascripts)
That isn't a javascript trick, but php blocking of access to the file.
It is a server side trick to prevent one from simply accessing the
*.js file - it has to be loaded by a "proper" page. [...]
Nonsense. You are making the false assumption that accessing the generated
source code requires another request. It doesn't. One does not even need
Firebug to see it, although it helps.
That is why the dummy.js file is at the end to unset the session state
allowing one to get the "protected Javascript" (it would be pointless to
block it for everything for then it could not be gotten the first time) when
the page is started then unsetting the server side session variable. [...]

The state of the server-side session does not matter at all when (*not* if)
no further request is necessary to get at the code.

Send a request for index.html and you do NOT get the (client side) included
Javascript modules.

What part of "no *further* request" did you not get?

A script-capable Web browser will have to request the "modules" and download
them in order to compile and execute them, and so the source code in
question can be retrieved at least from the browser's cache.

[...]
Look ... I didn't write it.

But you are promoting it here, cluelessly.

Send a note to google telling them that their programmers are incompetent.

That much would largely appear to be self-evident, but what you also did not
get is that this code was _not_ written by Google programmers. Google Code
is a public software repository. Incidentally, you can find Firebug, which
among other things allows you to get the source code without further request
in Firefox, there, too:

<http://code.google.com/p/fbug/>


PointedEars

 

[Guest]

A script-capable Web browser will have to request the "modules" and download

^^^^
Oh, it will require a second request?

them in order to compile and execute them, and so the source code in
question can be retrieved at least from the browser's cache.

In the browser's cache? That sounds familiar. I believe that was one of the
ways I suggested to recover the javascript after loading the page (along
with wget with recursion while getting the "proper page" to have the session
value set when getting the closedsource.js file, though setting it not to
accept cookies may fail - well, the same with a browser). The method does
not prevent one from getting the *.js file. However, it requires that it be
gotten while the session data is set by getting the "proper" starting page
and not after it has been reset after that page has loaded. That's all it
does. It can be effective if one knows that mycode.js is up and tries to get
it directly (without getting the "proper page") and, as the PROTIP at the
bottom of the page suggests, one gets valid Javascript but totally different
from the real code. If one knows that this trick is being used and the URL
of the starting page, it is not difficult to get the Javascript. If one does
not know that just trying to get the *.js file will return the wrong data
(e.g. malware exploits in Javascript to load a binary) and tries just to get
the exploit javascript ... oh ... an innocent site! The reports of malware
installations must be wrong!

 

[Guest]

Incidentally, you can find Firebug, which among other things allows you to
get the source code without further request in Firefox, there, too:

<http://code.google.com/p/fbug/>

How well does it work? Have you seen (I have) javascript which deletes
itself from the page (or other Javascript)? It runs some code then looks
for script elements and ... uses the DOM to remove them. I've seen that a
time or two in exploit scripts (whose authors really don't want you to see
what is going on). Will firebug show the code which was on the page?

 

[Guest]

Yes.
http://groups.google.com/group/comp.lang.javascript/msg/7b5f059ad2b00e20

I think no.

It leaves a reference but does not show the code.

With an HTML page,

<html><head></head><body onload="goaway()">
<script src=go.js></script>
All gone!
</body></html>

and a javascript file, go.js

function goaway() {
alert("Be GONE!");
}


loading the page and then running firebug to examine it shows the
source and even the code from the loaded Javascript file
(there is a "+" sign next to the
<body onload="goaway()">
section which can be used to expand it and find the
the <script src=go.js></script> inclusion which can
be expanded to show the source creating the alert box).


Changing go.js to

function goaway() {
alert("Be GONE!");
togo=document.body.childNodes[1];
document.body.removeChild(togo);
}


and reloading the page removes
<script src=go.js></script>
from the DOM (as one can see by using the DOM tool
(TOOLS|DOM_INSPECTOR).

That is now gone (the + sign next to the <body> tag
is gone - no expansion to find the source file or
the code creating the alert box).

Actually, opening firebug FIRST and loading the page
apparently shows the code (while the alert box is on
screen and before the javascript section is removed from
the page) (the plus sign next to the body tag is there
for me to expand to show the code - if I could, but the
alert box is modal and I can't expand it to see the code
until I close the alert box) but as soon as I close the
alert box, the plus sign indicating that I can get to
the javascript code disappears and the code is not
available. Perhaps you get a different result and firebug
does show you the javascript for the alert box for
the second version of go.js.

 

[Gregor Kofler]

Spamless meinte:

[lenghty explanation snipped]

You never see the raw index.html *file* with its embedded PHP code but only
the HTML code that the PHP engine produces *from* the raw html code and that
returned HTML code depends on the current state/session data. This is all
done server side and the visitor does not see the server-side state data
which determines which page he/she gets.

So what? That's the case with practically any PHP "page" (or any by a
server-side script generated page for that matter).

[snip]

It's all very simple and "standard": One can prevent to get direct
access to the ressources on the server (dynamically generating images -
think CAPTCHA, PDFs in "hidden" directories, etc.). However, once it is
delivered to the client, it's there. Fully inspectable. So what's this
whole discussion about?

Gregor

 

[Gregor Kofler]

Spamless meinte:

With an HTML page,

<html><head></head><body onload="goaway()">
<script src=go.js></script>
All gone!
</body></html>

function goaway() {
alert("Be GONE!");
togo=document.body.childNodes[1];
document.body.removeChild(togo);
}

Actually, opening firebug FIRST and loading the page
apparently shows the code (while the alert box is on
screen and before the javascript section is removed from
the page) (the plus sign next to the body tag is there
for me to expand to show the code - if I could, but the
alert box is modal and I can't expand it to see the code
until I close the alert box) but as soon as I close the
alert box, the plus sign indicating that I can get to
the javascript code disappears and the code is not
available. Perhaps you get a different result and firebug
does show you the javascript for the alert box for
the second version of go.js.

Have a breakpoint at the first line of goaway() and reload the page. Doh!

Gregor

 

[Guest]

Spamless meinte:

[lenghty explanation snipped]

You never see the raw index.html *file* with its embedded PHP code but only
the HTML code that the PHP engine produces *from* the raw html code and that
returned HTML code depends on the current state/session data. This is all
done server side and the visitor does not see the server-side state data
which determines which page he/she gets.

So what? That's the case with practically any PHP "page" (or any by a
server-side script generated page for that matter).

True, but this is a Javascript group and at least the person who saw the
original file knew some Javascript but apparently did not recognize how the
embedded PHP code works. It was intended to be an elementary explanation.

The closedsource code presented at
http://code.google.com/p/turbojs/wiki/ClosedSourceJS
was simply to prevent one from getting the *.js file except when the "proper
page" is loaded, to prevent someone from just harvesting *.js files (and if
they try, to be able to give them bogus script and they may not realize that
it isn't the real code used).

Of course the script does load, when you load the proper page (else it would
be pointless) and you do have it - somewhere - in your browser's cache, for
example though the "[script src ...]" might have been removed from the page
using the DOM and does not appear in firebug so you don't have the file name
- but ... in firefox, View|Page_Source still shows that inclusion and the
file name for searching the cache.

Tell someone that the ineteresting script is at
http://someplace.com/interesting.js
and they attempt to get it without knowing a page URL which can/must be used
actually to get the code and they may find a totally different script.

If you know that you have to load a particular HTML page to get a particular
script, you can load the HTML page to get the script (or have to load a
particular image or have seen a particular ad or ...) you can do it. It does
put limits (of which the remove visitor is unaware) on how/when a particular
script can be accessed.

 

[Guest]

Spamless meinte:

With an HTML page,

<html><head></head><body onload="goaway()">
<script src=go.js></script>
All gone!
</body></html>

function goaway() {
alert("Be GONE!");
togo=document.body.childNodes[1];
document.body.removeChild(togo);
}

Actually, opening firebug FIRST and loading the page
apparently shows the code (while the alert box is on
screen and before the javascript section is removed from
the page) (the plus sign next to the body tag is there
for me to expand to show the code - if I could, but the
alert box is modal and I can't expand it to see the code
until I close the alert box) but as soon as I close the
alert box, the plus sign indicating that I can get to
the javascript code disappears and the code is not
available. Perhaps you get a different result and firebug
does show you the javascript for the alert box for
the second version of go.js.

Have a breakpoint at the first line of goaway() and reload the page. Doh!

Ahem ... if this is on a remote server where you cannot modify the script
then it seems to vanish. Of course, one could find the script name, not in
firebug, but using View|Page_Source and go get the script go.js directly,
unless something like the code at
http://code.google.com/p/turbojs/wiki/ClosedSourceJS
is used to force you to get the including page in order to get the actual
script ... or check your browser's cache for the script and modify it
to pause or stop before removing itself. If you have the script and want to
examine it, however, you could just load it into notepad instead of loading
the page after modifying the script so it would be seen in firebug after
loading the page which includes it. Of course, if the script is obfuscated
and you don't notice that when loaded it checks the current URL and if it is
a "file:" protocol (used for local pages) redirects to about:_blank (that
has been done) you may wonder why the local copy does not work though you
could set up a local web server and access that at 127.0.0.1 (locally) so
you can use an http: protocol through the local web server or ...

Nothing can prevent your access to code that your browser gets (after all, it
gets it - I usually use tcpdump, a packet capture, and tcpflow to extract
the data from the TCP streams rather than later check my cache [I use linux]
but a port, windump I think, is available - open source/free) but various
tricks can be used to limit it or misdirect you if you are unaware of them.

They are tricks and if you know their secrets, they can be gotten around.
Blocking access except when loading a certain page, removing references and
code from a page, blocking the use of local copies - they are all just
tricks and the original question (well, after the decoding of the original
encoded page that started it all - the question as to what the
ClosedSourceJS material at google did and how it worked) just pointed to
another trick that can be used (and of which one should be aware if one is
getting script which doesn't appear to be what it should be).

 

[Santander]

So it possible to delete javascript code from page after script has been
executed? That's very intersting, so it possible hide code all the same.
Could you show html page example that use this approach?

Santander

 

[Gregor Kofler]

Santander meinte:

So it possible to delete javascript code from page after script has been
executed?

Yes. "Jorge" started a thread in this NG 7 days ago.

That's very intersting, so it possible hide code all the same.

No. Not if somebody is determined to get the code. Hasn't this become
clear, yet?

Gregor

 

[Guest]

So it possible to delete javascript code from page after script has been
executed? That's very intersting, so it possible hide code all the same.
Could you show html page example that use this approach?

Santander

It is easy to "hide" it. One can even hide it very well from the majority of
site visitors. You can obfuscate it. But ... it has to be sent to the
visitor's browser at least once if it is going to be useful and the
Javascript engine has to be able to de-obfuscate/decode it with the material
provided. The visitor will have a copy and the tools to understand it but
.... it can be hidden but not effectively from those with the skills and
interest to discover and understand it.


It is easy to remove it from the HTML page (the DOM function, removeChild(.)
which can remove a node from a page). It is harder to hide it from firebug
which shows (in its DOM panel) user defined (Javascript) functions and
variables - contents still in the Javascript engine besides the HTML page.
It is not HTML but firebug can still show it. One cannot "undefine" things
in Javascript which uses its own garbage collector to remove items.

So, yes ... use the DOM model (as below) and you can remove it from the
page. It is a bit more of a challenge also to foil firebug's ability to show
Javascript variables and functions.


Here is what I have come up with to hide it from firebug.

My first attempt:

A web page:
[a.html]
--------
<html><head></head><body onload="goaway()">
<script src=go.js></script>
All gone!
</body></html>

loading a script (go.js)
[go.js]
-------
function goaway() {
alert("Be GONE!");
togo=document.body.childNodes[1]; // <-- BAD GLOBAL VARIABLE!!
document.body.removeChild(togo);
}

which pops up an alert box. When you close the alert box, use the DOM tool
or firebug's HTML panel or other tools to see that there is no indication of
how the alert box was created other than the reference to goaway() as the
onload function - it has been removed from the page. Easy.

That was my first attempt ...

HOWEVER ...

In firebug the HTML view (when the alert box is on screen) shows a "+"
indicating that one can expand a tree element and see the script. That
disappears when the element is removed (after you close the alert box).

The HTML panel in firebug is foiled. But ... it has other tools.


HOWEVER ...

In firebug, in the DOM view (the default is also to show user defined
functions and Javascript variables) of the document one finds a reference to
go.js (why? because of "togo" - see below) and one can right click that and
choose to inspect it in the HTML window to find it and see the code BUT
apparently[*] it goes and reloads it to display it (as it is gone from the
document). Part of this thread shows a PHP block which prevents one from
getting a script except when loading the page it is on. I found it strange
that firebug shows the reference to the script) when the [script src ...]
node has been removed until I realized that what it was showing was the
"togo" variable which was used. It shows that reference but seems to need a
reload to display the script.

*: After loading the page, I renamed go.js and then tried to use firebug to
show it in the HTML panel and this time it failed. So it seems that
firebug can partly automate sending a new, separate request for the
script which is gone from the page and access to which can be blocked
except when the page is loaded (or once per day, or once from each IP
address or whatever). I also tried changing go.js to simply say
alert("DUMMY") before opening the firebug window and THAT is what
using the DOM tool, choosing to view the go.js file in the html panel.
Again, the prior discussion in the thread showed a way to send different
Javascript except when the page is loading so if that trick is being
used, using the DOM tool in firebug to view the included script code
may mislead one.


HERE IS A BETTER VERSION:

[go.js]
-------
function goaway() {
alert("Be GONE!");
var togo=document.body.childNodes[1];
document.body.removeChild(togo);
}

See the difference? "var". A local variable!

Why better? FIREBUG, in its DOM view shows information about the page. the
togo variable was defined as a global variable and remained in the
Javascript engine and forces the reference to the Javascript to remain.

In the second version with a local variable, the DOM tool shows NO reference
to the go.js file. It is all apparently gone except if one enables the
SCRIPT panel (which forces a reload) for that shows the reference to go.js
(but not its contents).

All gone? No. The DOM's view (by default) shows user defined functions and
so we still have a reference to goaway and one can choose to show its code
in the HTML panel and THAT (apparently) does not require a reload of the
go.js file. One can remove the onload attribute

function goaway() {
alert("Be GONE!");
var togo=document.body.childNodes[1];
document.body.removeChild(togo);
document.body.removeAttribute("onload");
}

but goaway was still defined as a global variable (a function)
and still appears in the DOM panel of firebug. What to do?

function goaway() {
alert("Be GONE!");
var togo=document.body.childNodes[1];
document.body.removeChild(togo);
document.body.removeAttribute("onload");
goaway=null;
}

There is still a reference to goaway in the DOM view but ... it is null
(one could also use undefined).

HOWEVER, the onload(event) function has been (and is still) defined
but is no longer an attribute of the body. The DOM module shows the
onload() function defined but, again, getting it seems to require a
reload of the go.js file (which can be blocked).


So ... let's make the onload function reference useless.

[go.js]
-------
function goaway() {
alert("Be GONE!");
var togo=document.body.childNodes[1];
document.body.removeChild(togo);
document.body.removeAttribute("onload");
goaway=null;
onload=null;
}

There are (in firebug's DOM panel) still two appearances of functions
defined in Javascript, onload and goaway. Both, however are null.

Finally I think that may foil firebug but leave references to (now null)
functions.

So, you can remove the Javascript node from the HTML page (and HTML only
tools will show it gone) but global variables remain in the Javascript
object (until garbage collection removes them). Use local variables but the
reference to a global function remains.


If you are willing to modify the DOM as the page is loading (which may
not work in all browsers and may not be a good idea) the following
may work.


I wanted to avoid trying to remove a node in the DOM while the page was
loading which is why I did not use an anonymous function.

On the other hand,

[a.html]
--------
<html><head></head><body>
<script src=go.js></script>
</body></html>

[go.js]
-------
(function () {
document.write("Go away.");
alert("Be GONE!");
var togo=document.body.childNodes[1];
document.body.removeChild(togo);
document.body.removeAttribute("onload");}) ()

does work in firefox 2.0.0.16 in Linux and there are no global variables
(even functions) defined to be presented in firebug's DOM panel. The
function used is used anonymously.


BUT in firefox, using VIEW|PAGE_SOURCE shows the original source code with
the [script src=go.js][/script]. I don't think one will be able to get rid
of that and again, earlier messages showed a server side way to block access
to such a file except when loading a particular page. One can also block it
more permanently, blocking all but one load from every IP address, for
example. You may also see the reference to go.js in firebug's SCRIPT panel.

Of course, if you see the source code and the load of go.js, it is in your
browser's cache and can still be found.


(By the way, I tried setting onload="..." to run an anonymous function which
used XMLHttpRequest to get code from a file and then eval that result
without defining any functions or non-local variables of my own - but that
defined the "onload" function which firebug showed in the DOM panel - again,
that showed the location of the source file from which I loaded the code,
but not the code itself - and that is apparently going to be available via
Firefox's VIEW_SOURCE tool.)

 

[Santander]

I've read about this method also here:
http://www.javascriptkit.com/javatutors/loadjavascriptcss2.shtml

Their code example not working for me though. Since there is no way to make
javascript available for a browser and also keep it from getting to the
client machine, probably the way is just to make it a more difficult to see
for the casual users via obfuscating javascript.

also php method:
http://bytes.com/forum/thread749685.html

--------------------

So it possible to delete javascript code from page after script has been
executed? That's very intersting, so it possible hide code all the same.
Could you show html page example that use this approach?

Santander

It is easy to "hide" it. One can even hide it very well from the majority of
site visitors. You can obfuscate it. But ... it has to be sent to the
visitor's browser at least once if it is going to be useful and the
Javascript engine has to be able to de-obfuscate/decode it with the material
provided. The visitor will have a copy and the tools to understand it but
... it can be hidden but not effectively from those with the skills and
interest to discover and understand it.


It is easy to remove it from the HTML page (the DOM function, removeChild(.)
which can remove a node from a page). It is harder to hide it from firebug
which shows (in its DOM panel) user defined (Javascript) functions and
variables - contents still in the Javascript engine besides the HTML page.
It is not HTML but firebug can still show it. One cannot "undefine" things
in Javascript which uses its own garbage collector to remove items.

So, yes ... use the DOM model (as below) and you can remove it from the
page. It is a bit more of a challenge also to foil firebug's ability to show
Javascript variables and functions.


Here is what I have come up with to hide it from firebug.

My first attempt:

A web page:
[a.html]
--------
<html><head></head><body onload="goaway()">
<script src=go.js></script>
All gone!
</body></html>

loading a script (go.js)
[go.js]
-------
function goaway() {
alert("Be GONE!");
togo=document.body.childNodes[1]; // <-- BAD GLOBAL VARIABLE!!
document.body.removeChild(togo);
}

which pops up an alert box. When you close the alert box, use the DOM tool
or firebug's HTML panel or other tools to see that there is no indication of
how the alert box was created other than the reference to goaway() as the
onload function - it has been removed from the page. Easy.

That was my first attempt ...

HOWEVER ...

In firebug the HTML view (when the alert box is on screen) shows a "+"
indicating that one can expand a tree element and see the script. That
disappears when the element is removed (after you close the alert box).

The HTML panel in firebug is foiled. But ... it has other tools.


HOWEVER ...

In firebug, in the DOM view (the default is also to show user defined
functions and Javascript variables) of the document one finds a reference to
go.js (why? because of "togo" - see below) and one can right click that and
choose to inspect it in the HTML window to find it and see the code BUT
apparently[*] it goes and reloads it to display it (as it is gone from the
document). Part of this thread shows a PHP block which prevents one from
getting a script except when loading the page it is on. I found it strange
that firebug shows the reference to the script) when the [script src ...]
node has been removed until I realized that what it was showing was the
"togo" variable which was used. It shows that reference but seems to need a
reload to display the script.

*: After loading the page, I renamed go.js and then tried to use firebug to
show it in the HTML panel and this time it failed. So it seems that
firebug can partly automate sending a new, separate request for the
script which is gone from the page and access to which can be blocked
except when the page is loaded (or once per day, or once from each IP
address or whatever). I also tried changing go.js to simply say
alert("DUMMY") before opening the firebug window and THAT is what
using the DOM tool, choosing to view the go.js file in the html panel.
Again, the prior discussion in the thread showed a way to send different
Javascript except when the page is loading so if that trick is being
used, using the DOM tool in firebug to view the included script code
may mislead one.


HERE IS A BETTER VERSION:

[go.js]
-------
function goaway() {
alert("Be GONE!");
var togo=document.body.childNodes[1];
document.body.removeChild(togo);
}

See the difference? "var". A local variable!

Why better? FIREBUG, in its DOM view shows information about the page. the
togo variable was defined as a global variable and remained in the
Javascript engine and forces the reference to the Javascript to remain.

In the second version with a local variable, the DOM tool shows NO reference
to the go.js file. It is all apparently gone except if one enables the
SCRIPT panel (which forces a reload) for that shows the reference to go.js
(but not its contents).

All gone? No. The DOM's view (by default) shows user defined functions and
so we still have a reference to goaway and one can choose to show its code
in the HTML panel and THAT (apparently) does not require a reload of the
go.js file. One can remove the onload attribute

function goaway() {
alert("Be GONE!");
var togo=document.body.childNodes[1];
document.body.removeChild(togo);
document.body.removeAttribute("onload");
}

but goaway was still defined as a global variable (a function)
and still appears in the DOM panel of firebug. What to do?

function goaway() {
alert("Be GONE!");
var togo=document.body.childNodes[1];
document.body.removeChild(togo);
document.body.removeAttribute("onload");
goaway=null;
}

There is still a reference to goaway in the DOM view but ... it is null
(one could also use undefined).

HOWEVER, the onload(event) function has been (and is still) defined
but is no longer an attribute of the body. The DOM module shows the
onload() function defined but, again, getting it seems to require a
reload of the go.js file (which can be blocked).


So ... let's make the onload function reference useless.

[go.js]
-------
function goaway() {
alert("Be GONE!");
var togo=document.body.childNodes[1];
document.body.removeChild(togo);
document.body.removeAttribute("onload");
goaway=null;
onload=null;
}

There are (in firebug's DOM panel) still two appearances of functions
defined in Javascript, onload and goaway. Both, however are null.

Finally I think that may foil firebug but leave references to (now null)
functions.

So, you can remove the Javascript node from the HTML page (and HTML only
tools will show it gone) but global variables remain in the Javascript
object (until garbage collection removes them). Use local variables but the
reference to a global function remains.


If you are willing to modify the DOM as the page is loading (which may
not work in all browsers and may not be a good idea) the following
may work.


I wanted to avoid trying to remove a node in the DOM while the page was
loading which is why I did not use an anonymous function.

On the other hand,

[a.html]
--------
<html><head></head><body>
<script src=go.js></script>
</body></html>

[go.js]
-------
(function () {
document.write("Go away.");
alert("Be GONE!");
var togo=document.body.childNodes[1];
document.body.removeChild(togo);
document.body.removeAttribute("onload");}) ()

does work in firefox 2.0.0.16 in Linux and there are no global variables
(even functions) defined to be presented in firebug's DOM panel. The
function used is used anonymously.


BUT in firefox, using VIEW|PAGE_SOURCE shows the original source code with
the [script src=go.js][/script]. I don't think one will be able to get rid
of that and again, earlier messages showed a server side way to block access
to such a file except when loading a particular page. One can also block it
more permanently, blocking all but one load from every IP address, for
example. You may also see the reference to go.js in firebug's SCRIPT panel.

Of course, if you see the source code and the load of go.js, it is in your
browser's cache and can still be found.


(By the way, I tried setting onload="..." to run an anonymous function which
used XMLHttpRequest to get code from a file and then eval that result
without defining any functions or non-local variables of my own - but that
defined the "onload" function which firebug showed in the DOM panel - again,
that showed the location of the source file from which I loaded the code,
but not the code itself - and that is apparently going to be available via
Firefox's VIEW_SOURCE tool.)

 

[David Mark]

I think no.

You don't have to think as several posters have told you why you are
wrong.

It leaves a reference but does not show the code.
Meaningless.


With an HTML page,

<html><head></head><body onload="goaway()">
<script src=go.js></script>
All gone!
</body></html>

and a javascript file, go.js

function goaway() {
  alert("Be GONE!");

}

loading the page and then running firebug to examine it shows the
source and even the code from the loaded Javascript file
(there is a "+" sign next to the
   <body onload="goaway()">
section which can be used to expand it and find the
the <script src=go.js></script> inclusion which can
be expanded to show the source creating the alert box).
And?


Changing go.js to

function goaway() {
  alert("Be GONE!");
  togo=document.body.childNodes[1];
  document.body.removeChild(togo);

}

and reloading the page removes
  <script src=go.js></script>
from the DOM (as one can see by using the DOM tool
(TOOLS|DOM_INSPECTOR).

You don't even have a glimpse of a clue here. Go back and re-read the
previous posts in this thread (excluding the ones you wrote.)

[snip]

 

[Guest]

You don't even have a glimpse of a clue here. Go back and re-read the
previous posts in this thread (excluding the ones you wrote.)

I don't have a glimpse of a clue there? It is not removed?
Oh, but it is removed from the HTML. The use of local variables
wrapped in an anonyous function and the removal of the material from
the HTML page removes all references from firebug's DOM panel.
Those are details of which I am sure you are aware (or should be).
But of course that is nonsense and I am clueless. They could not
be removed, for you say so.


However, I did err due to an apparent difference in the handling
of local vs. remote files in firebug's SCRIPTS panel. By the way,
in rereading all the prior messages I have seen no one comment
on this. Alas.


With an HTML page,

[a.html]
--------
<html><head></head><body onload="goaway()">
<script src=go.js></script>
All gone!
</body></html>

loading

[go.js]
-------
function goaway() {
alert("Be GONE!");
var togo=document.body.childNodes[1];
document.body.removeChild(togo);
document.body.removeAttribute("onload");
goaway=null;
onload=null;
}


The HTML panel of firebug surely shows the script gone.
The DOM tool shows the global Javascript functions
onload and goaway, but they are null and not clickable.

I am sure you are aware of this having tested it so
thoroughly.


The SCRIPT panel of firebug shows the page source and
has a drop down list allowing one to see the contents
of go.js. Before using that, I changed (on my local
copy) "Be GONE!" to "Be GENE!" and used it. The script
panel, in showing go.js apparently loaded it again directly
(it showed "Be GENE!") (and of course, that is what the code
at google is designed to foil - another separate load of
the script file). Of course, that google posted code cannot
work - for you said so. After all it only requires, as you
said, but ONE connection to the web server to get the
material, not one to set the accessibility and another to
get the script file (and then access is blocked).


I am sure you are aware of all this having tested it so
thoroughly.


HOWEVER, putting the files on a REMOTE server and using
the SCRIPT panel (and its drop down list) shows the go.js
file, but running a packet capture shows that it did NOT
reload the file (and did not send a query to see if it
had changed). I short, the SCRIPT tab apparently shows
the javascript as obtained in its first download.

By the way, what packet capture programme did you run when
you tested this?


Since you surely were aware of the differences in handling
local and remote files and the fact that, for example,
using anonymous global functions (with no name to be used)
wrapping all local variables and removing the material from
the HTML of the page would definitely remove all references
to all the Javascript both from the HTML panel and the DOM
panel but would leave access to the material in the SCRIPTS
panel which treats local and remote files differently, it
appears.


Surely you did check before saying "NONSENSE" and "CLUELESS"
but I wish you had given some details about your results
instead of simply saying "NONSENSE" and "CLUELESS" sufficiently
many times to make them true.


What *were* the results of your tests and what code did you use?

 

[Guest]

The SCRIPT panel of firebug shows the page source and
has a drop down list allowing one to see the contents
of go.js. Before using that, I changed (on my local
copy) "Be GONE!" to "Be GENE!" and used it. The script
panel, in showing go.js apparently loaded it again directly
(it showed "Be GENE!")

HOWEVER, putting the files on a REMOTE server and using
the SCRIPT panel (and its drop down list) shows the go.js
file, but running a packet capture shows that it did NOT
reload the file (and did not send a query to see if it
had changed). I short, the SCRIPT tab apparently shows
the javascript as obtained in its first download.

Let me check your expertise. The above is true. Why?
And have you tested your explanation?

 

[Guest]

Rats. Firebug makes it easy to search the cache for the original
download of the script.

In firebug, in the DOM view (the default is also to show user defined
functions and Javascript variables) of the document one finds a reference to
go.js (why? because of "togo" - see below) and one can right click that and
choose to inspect it in the HTML window to find it and see the code BUT
apparently[*] it goes and reloads it to display it (as it is gone from the
document). Part of this thread shows a PHP block which prevents one from
getting a script except when loading the page it is on.

*: After loading the page, I renamed go.js and then tried to use firebug to
show it in the HTML panel and this time it failed. ...
....

Of course, if you see the source code and the load of go.js, it is in your
browser's cache and can still be found.

But firebug makes it easy to find the file in cache.


All the above is true, since I used "apparently."

For remote files, firebug does not go get it again.


Why the difference between my first test (when it first tested
it I was using local files) and for remote files?

Firefox does not cache loads of local files. Why should it? The files
are right there, easily loaded again.

The SCRIPTs panel in firebug has a drop down list of files loaded
for the current page. It is a search tool to locate the data in
firefox's cache. For local files, not saved in cache, firebug had
to reload the local file. For remote files, it finds them in the
browser's cache and loads from there (so you see original downloaded
versions). Loaded from cache and not from the browser's memory?
Loading a file from a remote server, checking the access time of the
copy in firefox's cache, waiting a minute or so and then using the
SCRIPT's panel's drop down list to show the contents of go.js and
checking the access time again of the cached copy showed that it had
just been read/accessed.).


So, the above is true (you can remove and block references in firebug's
HTML and DOM panels by removing the javascript node and using local
variables wrapped in an anonymous function) but you have the copies
in the brower's cache. Firebug has a cache access tool to find and
display those cached copies and makes them easily accessible (both
the original HTML page and javascript code it loaded).

 

[Lasse Reichstein Nielsen]

I've only ever found _one_ reliable way to keep
people from copying scripts: write crappy scripts

Looking at the web today, I'd say that strategy is doomed to fail too
/L

 

[Gregor Kofler]

Conrad Lender meinte:

Some things just can't be done. There's no shame in admitting defeat
against the impossible. I've only ever found _one_ reliable way to keep
people from copying scripts: write crappy scripts

Doesn't work, too. In fact, the crappier the script, the more it will
spread...

Gregor