FAQ Topic - How can I protect a webpage in javascript?

[FAQ server]

-----------------------------------------------------------------------
FAQ Topic - How can I protect a webpage in javascript?
-----------------------------------------------------------------------

In practice you can't. While you could create a suitable
encryption system with a password in the page, the level of
support you need to do this means it's always simpler to do it
server-side. Anything that "protects" a page other
than the current one is definitely flawed.


===
Postings such as this are automatically sent once a day. Their
goal is to answer repeated questions, and to offer the content to
the community for continuous evaluation/improvement. The complete
comp.lang.javascript FAQ is at http://www.jibbering.com/faq/.
The FAQ workers are a group of volunteers.

 

[mistral]

"FAQ server wrote:
"

In practice you can't. While you could create a suitable
encryption system with a password in the page, the level of
support you need to do this means it's always simpler to do it
server-side. Anything that "protects" a page other
than the current one is definitely flawed.

===
Postings such as this are automatically sent once a day. Their
goal is to answer repeated questions, and to offer the content to
the community for continuous evaluation/improvement. The complete
comp.lang.javascript FAQ is at http://www.jibbering.com/faq/.
The FAQ workers are a group of volunteers.

--------------

instead of spread these information, you would better prepare the
review of existing encryption software for protecting of HTML &
javascript code. There is a good programs among them. People want to
encrypt their code and need such programs.

 

[One Dumm Hikk]

"FAQ server wrote:"

instead of spread these information, you would better prepare the
review of existing encryption software for protecting of HTML &
javascript code.

Why do you think it would be better to review programs that do not do
what is wanted rather than telling people the cold hard truth?
Reviewing such programs leads people to believe that they can actually
protect source code when you can't.

There is a good programs among them.

No there isn't.

People want to encrypt their code and need such programs.

What people want and what people need are two different things. People
may think they want encryption but what they need is an education on
how the WWW actually works.

 

[TC]

Why do you think it would be better to review programs that do not do
what is wanted rather than telling people the cold hard truth?
Reviewing such programs leads people to believe that they can actually
protect source code when you can't.

mistral has already been told this in sci.crypt; eg. here:
http://groups.google.com/group/sci.crypt/msg/b703e6587c3ebc0e

He refuses to believe it.

TC (MVP MSAccess)
http://tc2.atspace.com

 

[Mike.Duffy]

What people want and what people need are two different things. People
may think they want encryption but what they need is an education on
how the WWW actually works.

We could point out things he might adapt to use for his actual
requirements. Perhaps what he says he wants is not exactly what he needs.

For example, you can hide a web page simply by not having any hard
references to it. (Also, the MS IIS must be configured NOT to do a "dir",
but I believe this is the default if there is an "index.htm" file.) The
reference is gained by a javascript action on a given password to yield
either a clickable reference, or just perform a page replace. The
javascript code is visible, but it will not yield the hidden page without
the password.

When you get access to the hidden page, any javascript on it will also be
clearly visible. You can try obfuscating it by using a the classic
techniques. The problem with this is that people looking at what you have
done can see that you are trying to hide something. Instead, I usually take
the sly approach of making it look like something done by a neophyte, with
a liberal dose of nonsensical or misleading comments, deliberate spelling
mistakes (O/0 & 1/l), and needless exercises in complication, such as
recursion or re-loading the current page with dynamically built javascript.

But as many people have pointed out, the benefit of additional masking is
well past the point of diminishing returns based on the effort required.
You can use it to hide an Easter egg on your web-site, but don't use it to
hide your Swiss bank account numbers.

 

[One Dumm Hikk]

We could point out things he might adapt to use for his actual
requirements. Perhaps what he says he wants is not exactly what he needs.

Irony is that you just repeated what I already said. What people think
they want and what they need are two different things.

For example, you can hide a web page simply by not having any hard
references to it. (Also, the MS IIS must be configured NOT to do a "dir",
but I believe this is the default if there is an "index.htm" file.) The
reference is gained by a javascript action on a given password to yield
either a clickable reference, or just perform a page replace. The
javascript code is visible, but it will not yield the hidden page without
the password.

And that doesn't require javascript and is trivial to implement without
it.

<form action="redirectToMyPage.php">
<input type="text" name="newLocation">

And then the server issues a Location header. Where's the javascript?

When you get access to the hidden page, any javascript on it will also be
clearly visible. You can try obfuscating it by using a the classic
techniques. The problem with this is that people looking at what you have
done can see that you are trying to hide something. Instead, I usually take
the sly approach of making it look like something done by a neophyte, with
a liberal dose of nonsensical or misleading comments, deliberate spelling
mistakes (O/0 & 1/l), and needless exercises in complication, such as
recursion or re-loading the current page with dynamically built javascript.

Typically, any client side code that gets "obfuscated" generally isn't
worth copying to start with.

But as many people have pointed out, the benefit of additional masking is
well past the point of diminishing returns based on the effort required.

Any benefit of "masking" is a wasted effort.

You can use it to hide an Easter egg on your web-site, but don't use it to
hide your Swiss bank account numbers.

Precisely.