Prevent Unauthorized access to JavaScript files - javascript

Is there any way to prevent unauthorized access to JavaScript files.
<script src="JS/MyScript.js" type="text/javascript">
Users should not be able to view the MyScript.js file.
I would like to know ,is it possible to do that ? If possible please give me an idea. :)
Thank you..

It's not possible.
The file must be fully accessible for it to work in your pages. The server has no way to determine if the request was from a script tag, by directly typing it into the browser window, etc.
You can minify your file to make it less human-readable. You can also obfuscate it, although that will have a performance impact on your website. However these are reversible, and anyone who really wants to reverse engineer your code still can.
As with everything though, you should be prepared for anyone to see anything you put online.

If the JS file is getting loaded on the client its possible to read it.
If you got stuff in the JS file that the user is not supposed to have access to, I would recommend another approach to the problem.
If you don't want it to load at all on the client if its not authorized, you could use some serverside script to prevent it from load.

Related

Load Custom Javascript Instead of External Source

I am trying to reverse engineer some javascript code and am struggling to see how things are working.
In order to get a better feel for this I would like to add some console.log() statements and watch a few variables so that I could see what is going on as the code gets executed.
Is there a way to force my page locally to load javascript from my box instead of from the externally hosted site? I essentially want to modify the script and load my modified version when this external page tries to call whatever functions it needs to go through.
I was thinking maybe modify the hosts file so that when my browser goes to look for the external site it redirects to some kind of internal host? I am not quite sure exactly how to do it. If someone could point me in the right direction I would really appreciate it.
Thanks!

javascript external file hides source

i have seen answers to similar questions. but, not quite what i want to know. if i make an external javascript file. then, on the client side, when the client loads the HTML, all they see is a link to the external javascript file. like this:
<script src="myScript.js"></script>
they never see the source code.
i don't get all this talk about obfuscation & minification. best way is just make an external file. then, without hacking into the server to download the source, they will only get machine code.
They can still follow the link to get the file directly.
Just display the source of this (this question) page, you can see
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
but you can still simply open https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js to see the source.
Even obfuscation doesn't provide protection as the source is still accessible to the client and he can de-obfuscate it (although that can be hard, it is not impossible).
And minification is used to reduce file size, so the file loads faster (and thus the page load time is lower).
i get it now. but, someone answered that you can hide the source w/PHP server side produced web pages. i haven't understood this yet. but, i have seen this answer a few times. this would seem the way to hide your scripts.

Unable to execute JavaScripts files protected through .htaccess

Being new to .htaccess concept, I have a basic question.
I tried to protect a directory which hosts my stored procedure files... this is because I need not anyone else accessing the code of the file. My issue is the following:
When I try to access a file of the directory through javascript as part of my coding, the same pop up comes up requiring username and password. How can this be resolved?
Please advise if the route I am taking is wrong.
My intention is that the code should have access to stored procedure files, but none should have access to the actual file content. This can be applicable for css files or javascript files as well.
You can't differentiate between a client asking for a resource because your code asked it to and the same client asking for a resource for some other reason.
Even if you could, then the resource would still be available to the owner of the client, without making another request for it, through (for example) the developer tools built into most browsers.
If the files you're talking about are all Javascript then protecting them like that isn't really feasible. They are client-side scripts, meaning they need to be downloaded by the user's browser. Unfortunately, you can't reliably tell the difference between a browser downloading them as part of an HTML page, and a user downloading them directly to steal them.
The best you can do is obfuscate the files to make them difficult to understand. That will never prevent a determined code thief though.

Javascript caching and protection?

I'm writing a javascript that generates some data. I intend to use it as a free web application, open for everyone that want to use it.
But I got a lot of time and effort to write this this script (mainly because I want it to personal use and I couldn't find anything efficient and resumed as this). I'm a beginner developer and I know is impossible to protect or obfuscate the script because you don't even need other app to decoding obfuscated info, there's a lot of methods and the laziest is just find the "eval" word in the js file and replace it with "alert". When you open the html page boom you receive a popup window with all the code decoded...
What I'm asking is if there's anyway to prevent when a user "save as..." the page with the browser, the javacript and css files do not be saved in the structure.
In the past I tried to save some pages with the browser and I only could save the html file (and sometimes not even with all the html information, I suspect there was iframes), no js and no css... I tried with some websites downloaders (sitesucker,deepvacumm,etc) and not even with this downloaders I was able to download the files. The only way was to "inspect" the page and download it manually and make the folder structure manually.
As I said I want to give this script totally free as a service (I will even buy a domain for it) because I made it with love. My only request (to receive some kind of personal pride) is that when people want to use it they came to my site and made it in real time and if they "save as..." the page, they can save the generated information that don't save the script, so they came back again to use the service.
Does anyone can help with some tips and information. Links, advices, professional and personal tricks?
I think it is not possible to prevent access to the Javascript code in the browser. I also think that by minifying the JS code e.g. with Google's Closure compiler (ADVANCED option) you protect your code as much as you can. Although the code can be copied as it is, it cannot be understood or modified with a reasonable effort.
You could download all JavaScript/CSS files through one JavaScript file (a loader), like this. That way, downloaders have to execute JavaScript before they can know what JavaScript/CSS files are included, which I don't think they do. As I said in my comments, I'm not entirely sure whether this works!
HTML:
...
<script src="loader.js"></script>
<!-- no other JavaScript/CSS here -->
...
loader.js:
window.onload = function() {
var head = document.getElementsByTagName('head')[0]; // the <head>
var scriptElement = document.createElement('script'); // create <script>
scriptElement.src = 'file1.js';
head.appendChild(scriptElement); // add <script> to <head>
var linkElement = document.createElement('link'); // create <link>
linkElement.setAttribute('rel', 'stylesheet');
linkElement.href = 'file1.css';
head.appendChild(linkElement); // add <link> to <head>
}
Convert your code to a server side script (PHP, Python, C#, etc). It's the only way to be sure your users won't be able to "steal" your work.
JavaScript must eventually be decoded by my browser, and at that moment, is available to me too, and there is no way to prevent it, you can only make it harder.
But the bottom line is: why do you have to do it? If you only want "personal pride" wouldn't it be better to upload your code to a collaborative site like github or SourceForge where other people can appreciate your work and maybe even contribute to it?
Also, if you share your code under a licence like GPL or CC everyone who reuses your code must give credit to you (yes, one can simply steal it, but that is possible under your scenario, too).
There is really no technical solution to your problem: if the user can execute your javascript, they will have to download it somehow. Whatever solution chosen, anyone with sufficient knowledge of Firebug or the Webkit inspector will be able to retrieve the script. You can obfuscate it my minifying it, but it will not prevent anyone to use it as-is.
The solution to your problem is legal, not technical. If you explicitly state, in your Javascript header, that the script is under a restrictive licence, anybody copying it would break the law. If you find somebody doing this, you can then:
nicely ask them to remove the script from their site
threaten to sue?
(by the way, if I may give a personal opinion here, there is much personal pride to be had in giving away code anybody can re-use... you can include your name and a link to your site in the header of the script: it is considered very bad form (and potentially illegal) to remove attribution and copyright notices)

Confused: javascript.js code shows in Chrome?

My understanding was that only the javascript code placed inline in the HTML page would show, never the code stored in .js files
...and I had never seen in any browser code in a .js file show on the clientside...
until I started to use Chrome and noticed all my code is available for viewing???
Have I been convincing myself the code is safe in .js files, when in fact it never was?
and while on this subject can a responder be totally clear whether the code in .js files can be hidden or not.
I have read many posts that left me doubting whether it can be done or not.
. Some say to place it in a .js file on the server so it executes on the server...
--- using 'language=javascript' and an html line with 'runat server'? no idea how to do that.
--- But, would that not defeat the purpose of speed, and refresh since the server has to be accessed?
--- might as well code it in the code-behind???(C#, VB, php, ...)
. Some say use an AJAX call etc... but it seems others contradict that, saying the code lands on the clientside anyway thus will show? ...and I am assuming this would be a callback with no page redraw...
JavaScript is executed in the browser, this means the script has to be submitted to the client. So, of course anyone can view the code, wether it's happening in the developer tools, getting the direct link out of your html or, for example, using a http sniffer.
Altough, there are some methods to make the script unreadable for humans.
Minifying your script is a good practice in general. It decreases file-size, so the client has to download less, speeding up loading time. After all, this does not really help making your script "unreadable" for users, there are a lot of deminifying services all around the web.
Still, there is another way: obscurifying (or obfuscate) your script. This replaces the code to make it unreadable. Unfortunately, I don't really have experience with using this technique, so I don't know how it would affect the performance of the js-code.
Maybe you want to have a look at this: How can I obfuscate (protect) JavaScript?
Javascript code can be seen even if its in a .js file the only thing you can do to make it little tough to understand is minify the js file.
Actually, javascript code stored in a separated file wont be shown directly; the user must explicitly type the name of the file in the address bar to see its content.
The only way to hide it is, as said before, to minify the file, which compress the file and make it unreadable for humans.

Categories