I have an external JavaScript in my HTML page. Is there a way to disable linking to or viewing this js file?
No, there is not a way to do this. It's a client-side scripted language...you cannot in any way hide the a script that's running...not from the people you are probably wanting to hide it from (people who would go after your script are smarter than the average user most likely).
There are a number of tools available to inspect javascript, Chrome's tools, Firebug, any traffic sniffer, javascript unpackers (though debate-ably packing/minifying makes the code less "out of the box" usable).
You can deter people with the packing/minification, but you cannot prevent them from seeing/figuring out the code.
No, you cannot. If the browser is executing it, users can find a way to view it.
You might consider a Javascript minifier/obfuscator, like YUI Compressor, to make the reverse-engineer's job harder.
Nick Craver is correct (vote it), never the less, usually when having such problems with protected code, I use php to do some of it, this way the JavaScript file will be available, but not "human-readable" since it doesn't do all the necessary work...
Just a tip, despite I'm much more a share share king of guy!
Related
Kindly looking to hide code from view code / inspect element is this safe to use ? I saw this anser here How to hide form code from view code/inspect element browser?
eval(function(p,a,c,k,e,d){e=function(c){return
c.toString(36)};if(!''.replace(/^/,String)){while(c--)
{d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return
d[e]}];e=function(){return'\\w+'};c=1};while(c--)
{if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),
k[c])}}return p}('(3(){(3 a(){8{(3 b(2)
{7((\'\'+(2/2)).6!==1||2%5===0){(3(){}).9(\'4\')()}
c{4}b(++2)})(0)}d(e){g(a,f)}})()})();',17,17,'
||i|function|debugger|20|length|if|try|constructor
|||else|catch||5000|setTimeout'.split('|'),0,{}))
In an answer about as useful as the question,
"No".
Most of us can't read the code because it is packed/obfuscated, and won't invest the time to try to read it.
If you're asking if it will prevent the user from opening the Developer Tools, then I don't know, because that would require me trying to run the code, which I'm not going to do, since I can't read the code and it could be malicious.
If you're asking if it will prevent someone from obtaining the rest of the code on your website, then no, it will not. A determined user could use curl or one of several other tools to retrieve the raw HTML or Javascript.
If you're asking if the code pasted above is secure because it is packed, then no, it is not. A determined user could quite easily analyze the code by hand and, once analyzed, write something to reverse engineer the packed code (that's assuming it uses an unknown packer -- if it uses a well-known packer, then someone has probably already written something to reverse it).
Is there a way to prevent the theft of a website's code?
One can never fully block a determined user from analyzing your code, only make things more annoying from them.
Simply using a minifier/uglifier on Javascript is usually enough to make the code mostly worthless to try to steal, since the cost of trying to analyze, rewrite it and further develop it is usually comparable to the cost of writing the same code from scratch.
What is the difference between obtrusive and unobtrusive javascript - in plain english. Brevity is appreciated. Short examples are also appreciated.
No javascript in the markup is unobtrusive:
Obtrusive:
<div onclick="alert('obstrusive')">Information</div>
Unobtrusive:
<div id="informationHeader">Information</div>
window.informationHeader.addEventListener('click', (e) => alert('unobstrusive'))
I don't endorse this anymore as it was valid in 2011 but perhaps not in 2018 and beyond.
Separation of concerns. Your HTML and CSS aren't tied into your JS code. Your JS code isn't inline to some HTML element. Your code doesn't have one big function (or non-function) for everything. You have short, succinct functions.
Modular.
This happens when you correctly separate concerns. Eg, Your awesome canvas animation doesn't need to know how vectors work in order to draw a box.
Don't kill the experience if they don't have JavaScript installed, or aren't running the most recent browsers-- do what you can to gracefully degrade experience.
Don't build mountains of useless code when you only need to do something small. People endlessly complicate their code by re-selecting DOM elements, goofing up semantic HTML and tossing numbered IDs in there, and other strange things that happen because they don't understand the document model or some other bit of technology-- so they rely on "magic" abstraction layers that slow everything down to garbage-speed and bring in mountains of overhead.
Separation of HTML and JavaScript (define your JavaScript in external JavaScript files)
Graceful degradation (important parts of the page still work with JavaScript disabled).
For a long-winded explanation, checkout the Wikipedia page on the subject.
To expand on Mike's answer: using UJS behavior is added "later".
<div id="info">Information</div>
... etc ...
// In an included JS file etc, jQueryish.
$(function() {
$("#info").click(function() { alert("unobtrusive!"); }
});
UJS may also imply gentle degradation (my favorite kind), for example, another means to get to the #info click functionality, perhaps by providing an equivalent link. In other words, what happens if there's no JavaScript, or I'm using a screen reader, etc.
unobtrusive - "not obtrusive; inconspicuous, unassertive, or reticent."
obtrusive - "having or showing a disposition to obtrude, as by imposing oneself or one's opinions on others."
obtrude - "to thrust (something) forward or upon a person, especially without warrant or invitation"
So, speaking of imposing one's opinions, in my opinion the most important part of unobtrusive JavaScript is that from the user's point of view it doesn't get in the way. That is, the site will still work if JavaScript is turned off by browser settings. With or without JavaScript turned on the site will still be accessible to people using screen readers, a keyboard and no mouse, and other accessibility tools. Maybe (probably) the site won't be as "fancy" for such users, but it will still work.
If you think in term's of "progressive enhancement" your site's core functionality will work for everybody no matter how they access it. Then for users with JavaScript and CSS enabled (most users) you enhance it with more interactive elements.
The other key "unobtrusive" factor is "separation of concerns" - something programmers care about, not users, but it can help stop the JavaScript side of things from obtruding on the users' experience. From the programmer's point of view avoiding inline script does tend to make the markup a lot prettier and easier to maintain. It's generally a lot easier to debug script that isn't scattered across a bunch of inline event handlers.
Even if you don't do ruby on rails, these first few paragraphs still offer a great explanation of the benefits of unobtrusive javascript.
Here's a summary:
Organisation: the bulk of your javascript code will be separate from your HTML and CSS, hence you know exactly where to find it
DRY/Efficiency: since javascript is stored outside of any particular page on your site, it's easy to reuse it in many pages. In other words, you don't have to copy/paste the same code into many different places (at least nowhere near as much as you would otherwise)
User Experience: since your code can is moved out into other files, those can be stored in the client side cache and only downloaded once (on the first page of your site), rather than needing to fetch javascript on every page load on your site
Ease of minimization, concatenation: since your javascript will not be scattered inside HTML, it will be very easy to make its file size smaller through tools that minimise and concatenate your javascript. Smaller javascript files means faster page loads.
Obfuscation: you may not care about this, but typically minifying and concatenating javascript will make it much more difficult to read, so if you didn't want people snooping through your javascript and figuring out what it does, and seeing the names of your functions and variables, that will help.
Serviceability: if you're using a framework, it will probably have established conventions around where to store javascript files, so if someone else works on your app, or if you work on someone else's, you'll be able to make educated guesses as to where certain javascript code is located
I know that anything that is downloaded and is in the user's possession is going to be pretty hard to protect, but I'm just wanting to hear opinions. I'm thinking of selling a script (made with Greasemonkey...), and I want to be able to prevent the user from easily viewing the source code, or sending it to others. Thanks in advance.
As with any javascript, complete protection is impossible due to the nature of the language, see:
Javascript library: to obfuscate or not to obfuscate - that is the question
and
How can I obfuscate (protect) JavaScript?
However, you can obfuscate your javascript code or minify it, neither of which will completely protect it, but they will make it less human-readable.
Really the only thing you could try would be obfuscation but that is no guaranty that nobody will be able to read your code.
Try - http://www.javascriptobfuscator.com/
With Greasemonkey, there is another option beyond JavaScript obfuscation.
You can compile your GM script into a Firefox extension instead.
Greasemonkey install makes it easy to see/get a GM's script code. But almost no civilians even know where to look for extension source files.
(Of course, nothing will stop a determined programmer from getting and analyzing your code.)
One such compiler is at: http://arantius.com/misc/greasemonkey/script-compiler .
I'm working on a mvc application (applies to any website though) and was wondering is it ok to leave exposed jquery and javascript in a view? In other words when i run the program and right click and view source I can see all my jquery and javascript. Is that safe and ok? Is there a way to hide all of that so users can't see that? Thanks for any tips.
There is no way of hiding javascript completely from the user. JavaScript is a client side technology. It executes in the browser. If the browser can execute the script, it can also show it to the user.
You can use JavaScript obfuscator software to make the code harder to read, but you can never hide it completely. See http://www.javascriptobfuscator.com/default.aspx for an online example of this.
JQuery and other libraries are also publicy available so there is no harm in the user being able to access it. There is nothing secret about them.
If you have secrets in the code that you want to protect, you should think about putting the affected code on the server if possible instead of doing the processing on the client.
To make it harder for the interested spy to read you can put your scripts inside .js files and obfuscate them. See How can I obfuscate (protect) JavaScript? for more information.
Javascript is is executed on the client, so no there's not really anything you can do to hide it from the client. All you can really do is make it more difficult for a user to read through your code via obfuscation.
What your are looking for is Obfuscation.
There are very different opinions on why you should or shouldn't use it with Javascript.
See How can I obfuscate (protect) JavaScript?
Nope, you cannot hide your JS - remember that the JS is client side scripting and has to be executable at the client which implies that the browser must have access to it. And when the browser has access to it - the user can see it as well :)
Hiding isn't possible, all your JavaScript is needed client side to make your website functional. However you can obfuscate you JavaScript, in other words make in more ugly so nobody can really understand your code, but the browser will.
To obfuscate you javascript code take a look at:
UglifyJS JavaScript minification
hey you can do one thing onload call an action of server side through Ajax call into by returning javascript it will never show in your view source but it can be visible by firebug but its a way to sequre your javascript protuct from others to use it in a easy way i have done it one of my project even by this method you can hide your html too
There's no way to hide it. Anyway there's no reason to do it. If you want to obfuscate Javascript code, you can find software (obfuscators) that make your code more difficult to understand (for a human) and so called minifiers that make your code smaller.
This is a live example of such tools :
http://closure-compiler.appspot.com/home
I understand that client side code must be readable from the browser but I wonder (since there are too many things that I ignore) if there are ways to obfuscate to code to the end user and, if not what is the best practice to "pack" the javascript code.
It is good practice to minify your JS with a tool such as YUI Compressor. I would not obfuscate it unless you have a specific need to do this. There are plenty of online obfuscators such as this one
See this article: http://developer.yahoo.net/blog/archives/2007/07/high_performanc_8.html
Check this out.
Other than min'ing it, I don't think you can really hide js. It all goes the user's browser and there are plenty of ways of seeing it once its there.
See here for a Free Javascript Obfuscator.
Given that it is in fact possible, if the reason you intend to obfuscate is to protect intellectual property, you are probably trying to derive value from your work the wrong way. It's fairly easy to reverse the obfuscation, and you would probably be wasting time maintaining your code.
Focus more on what services you intend to provide to those who visit your site as a means to differentiate your site from competitors
There are tools that could be used to compress javascript code and render it difficult for the end user to understand.
Is there a reason why this won't do the trick for you?
http://www.javascriptobfuscator.com/
Do not put any sensitive or personal information in javascript.
Spend your time on keeping your data on the server secure.
Step 1: Don't.
You would have to do a lot to achieve any meaningful level of obfuscation. Obfuscating the names alone is not enough, since all of the standard functions will still be there (although they may be buried in a layer of shorter/obfuscated aliases), and deriving the purpose of a particular function is easy once the code is formatted nicely again. Anybody who really wants to know what your JS code does can, and will, no matter what you do to it before their browser gets a copy of it.
If you truly have valuable business processes in your JavaScript, then you're Doing It Wrong(tm).
No obfuscation is going to keep your code truly secure and it might just give you the false illusion of security (cf. security by obscurity).
If you do need to keep some portion of your code secret, consider pulling the sensitive portions into a server side script and making (say) AJAX calls to the script. Especially with the advent of JSON, communicating with server-side scripts has never been easier.
It is possible to use following tools:
YUI Compressor - requires Java - very good compressor
Packer - creates the most confusing, and smallest code, but scripts don't run as fast as YUI - this can be used online though. Select 'Base62 encode' for maximum effect.
The Dojo Compressor I've never used this one, but it's on the top-list. It also requires Java.
JSMIN By Douglas Crockford, this one has a very simple algorythm, but it is still good. Meant to be used in combination with JSLint.