How do I know if Javascript has been turned off inside browser? - javascript

I assume that you can't use a JavaScript code snippet to validate if the browser user has turned off JavaScript. So what can I use instead? Can someone offer a code sample?
I'm looking to wrap an if/then statement around it.
I often code in CFML, if that helps.

this is a total hack but you could use an iframe inside the noscript tag to trigger an HTTP GET on a url to tell the server that a user doesn't have javascript enabled.
<body>
...
...
<noscript>
<iframe src ="/nojs.aspx?SOMEIDENTIFIER=XXXX&NOJS=TRUE" style="display: none;">
</iframe>
</noscript>
...
...
</body>

Use the <noscript> HTML tags.

Not sure what you are trying to do but if you just need to inform the user that Javascript is required you can just use the '<noscript>' tag. If you need to know on the server you could make an Ajax style request to the server from javascript. If you get the request javascript is working otherwise its not.

Are we talking about something like this:
JavaScript:
<body>
...
...
<script type="text/javascript">
<!--
document.write("Hello World!")
//-->
</script>
<noscript>Your browser does not support JavaScript!</noscript>
...
...
</body>

He's asking for a check to see if javascript is enabled.
I can only think of doing exactly what the OP said - try using some Javascript with an interval to send a callback if JS is activated - unfortunately I don't think you can check server side whether JS is enabled which is why you use tags rather than render different content from the server.

If you use Unobtrusive JavaScript then you don't need to check whether the user has JavaScript enabled.
If they have got JavaScript enabled then they'll get the full effect, but if they haven't then users will still be able to use your site. And as well as being better for accessibility you might find this approach boosts your SEO.

<noscript>
...some non-js code
</noscript>

Yes that NoScript snippet is right.

You might have javascript execute some AJAX query and check to see if it has. Those that download the page and don't execute the query either have JS disabled or they're robots.

Really all you can do is put some message in the tags. I seem to remember trying this on ASP.NET somewhere, but you can really only tell if the browser supports Javascript, not whether or not it is actually allowed/enabled.

I don't know much about CFML, but .NET has the ability to detect browser capabilities. It does not, however, have the ability to detect if the browser is capable of javascript, but has it turned off. So, you're stuck there too.
Besides the HTML noscript tag, there's not much you can do, as far as I know, besides writing javascript progressively (see progressive enhancement) so that you don't need to check for Javascript:off.

I don't know JS, but would it be possible to modify the links inside the page with JS? If someone goes to the unmodified link, they're not using JS, but if they do then they are using JS. Does this make any sense?

Have never worked out how to do it without a round trip, so it depends on what your goal is.
If they have to have javascript to proceed, then I have (in .net) done things like disabling the login button at the server side, then enabled it client side it with javascript, and used a noscript tag to show an error message.
If it has to work either way, you can use progressive enhancement, and / or use js to set a hidden field and then set a session variable, but this means that you don't know until they get to the second request.

you could write
<script type="text/javascript" language="javascript">document.write("<input type='hidden' name='hasJs' value='1' />");
or otherwise write a cookie via js and then read it at the server if you want to check server side for js.

if you are looking for a way to check it server side, you're can send the user a js that puts a cookie.... if the cookie exist on a a request then you can tell if the scripted worked or not!

One reliable way to do this is using javascript's $.post to send a note to your server. (Apologies if there's any errors in this, written off top of my head, will update later when I get around to testing). Should allow you to build it so you can even pull from session data if they're using javascript, which will allow you to serve up replacements for javascript without having to resort to .
Your on-page script:
<script>
function myJavascriptTest(){
$.post ()('myJavascriptTest.php', {myJavascriptOn: true}, function(){
return true;
}
myJavascriptTest()
</script>
And in the targeted .php...
<?php
if ($_POST['myJavascriptOn'] == true){
$_SESSION['javascriptIsOn'] = true;
} else {
$_SESSION['javascriptIsOn'] = false;
}
?>

Related

How can i prevent theft of javscript code [duplicate]

I know it's impossible to hide source code but, for example, if I have to link a JavaScript file from my CDN to a web page and I don't want the people to know the location and/or content of this script, is this possible?
For example, to link a script from a website, we use:
<script type="text/javascript" src="http://somedomain.example/scriptxyz.js">
</script>
Now, is possible to hide from the user where the script comes from, or hide the script content and still use it on a web page?
For example, by saving it in my private CDN that needs password to access files, would that work? If not, what would work to get what I want?
Good question with a simple answer: you can't!
JavaScript is a client-side programming language, therefore it works on the client's machine, so you can't actually hide anything from the client.
Obfuscating your code is a good solution, but it's not enough, because, although it is hard, someone could decipher your code and "steal" your script.
There are a few ways of making your code hard to be stolen, but as I said nothing is bullet-proof.
Off the top of my head, one idea is to restrict access to your external js files from outside the page you embed your code in. In that case, if you have
<script type="text/javascript" src="myJs.js"></script>
and someone tries to access the myJs.js file in browser, he shouldn't be granted any access to the script source.
For example, if your page is written in PHP, you can include the script via the include function and let the script decide if it's safe" to return it's source.
In this example, you'll need the external "js" (written in PHP) file myJs.php:
<?php
$URL = $_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
if ($URL != "my-domain.example/my-page.php")
die("/\*sry, no acces rights\*/");
?>
// your obfuscated script goes here
that would be included in your main page my-page.php:
<script type="text/javascript">
<?php include "myJs.php"; ?>;
</script>
This way, only the browser could see the js file contents.
Another interesting idea is that at the end of your script, you delete the contents of your dom script element, so that after the browser evaluates your code, the code disappears:
<script id="erasable" type="text/javascript">
//your code goes here
document.getElementById('erasable').innerHTML = "";
</script>
These are all just simple hacks that cannot, and I can't stress this enough: cannot, fully protect your js code, but they can sure piss off someone who is trying to "steal" your code.
Update:
I recently came across a very interesting article written by Patrick Weid on how to hide your js code, and he reveals a different approach: you can encode your source code into an image! Sure, that's not bullet proof either, but it's another fence that you could build around your code.
The idea behind this approach is that most browsers can use the canvas element to do pixel manipulation on images. And since the canvas pixel is represented by 4 values (rgba), each pixel can have a value in the range of 0-255. That means that you can store a character (actual it's ascii code) in every pixel. The rest of the encoding/decoding is trivial.
The only thing you can do is obfuscate your code to make it more difficult to read. No matter what you do, if you want the javascript to execute in their browser they'll have to have the code.
Just off the top of my head, you could do something like this (if you can create server-side scripts, which it sounds like you can):
Instead of loading the script like normal, send an AJAX request to a PHP page (it could be anything; I just use it myself). Have the PHP locate the file (maybe on a non-public part of the server), open it with file_get_contents, and return (read: echo) the contents as a string.
When this string returns to the JavaScript, have it create a new script tag, populate its innerHTML with the code you just received, and attach the tag to the page. (You might have trouble with this; innerHTML may not be what you need, but you can experiment.)
If you do this a lot, you might even want to set up a PHP page that accepts a GET variable with the script's name, so that you can dynamically grab different scripts using the same PHP. (Maybe you could use POST instead, to make it just a little harder for other people to see what you're doing. I don't know.)
EDIT: I thought you were only trying to hide the location of the script. This obviously wouldn't help much if you're trying to hide the script itself.
Google Closure Compiler, YUI compressor, Minify, /Packer/... etc, are options for compressing/obfuscating your JS codes. But none of them can help you from hiding your code from the users.
Anyone with decent knowledge can easily decode/de-obfuscate your code using tools like JS Beautifier. You name it.
So the answer is, you can always make your code harder to read/decode, but for sure there is no way to hide.
Forget it, this is not doable.
No matter what you try it will not work. All a user needs to do to discover your code and it's location is to look in the net tab in firebug or use fiddler to see what requests are being made.
From my knowledge, this is not possible.
Your browser has to have access to JS files to be able to execute them. If the browser has access, then browser's user also has access.
If you password protect your JS files, then the browser won't be able to access them, defeating the purpose of having JS in the first place.
I think the only way is to put required data on the server and allow only logged-in user to access the data as required (you can also make some calculations server side). This wont protect your javascript code but make it unoperatable without the server side code
I agree with everyone else here: With JS on the client, the cat is out of the bag and there is nothing completely foolproof that can be done.
Having said that; in some cases I do this to put some hurdles in the way of those who want to take a look at the code. This is how the algorithm works (roughly)
The server creates 3 hashed and salted values. One for the current timestamp, and the other two for each of the next 2 seconds. These values are sent over to the client via Ajax to the client as a comma delimited string; from my PHP module. In some cases, I think you can hard-bake these values into a script section of HTML when the page is formed, and delete that script tag once the use of the hashes is over The server is CORS protected and does all the usual SERVER_NAME etc check (which is not much of a protection but at least provides some modicum of resistance to script kiddies).
Also it would be nice, if the the server checks if there was indeed an authenticated user's client doing this
The client then sends the same 3 hashed values back to the server thru an ajax call to fetch the actual JS that I need. The server checks the hashes against the current time stamp there... The three values ensure that the data is being sent within the 3 second window to account for latency between the browser and the server
The server needs to be convinced that one of the hashes is
matched correctly; and if so it would send over the crucial JS back
to the client. This is a simple, crude "One time use Password"
without the need for any database at the back end.
This means, that any hacker has only the 3 second window period since the generation of the first set of hashes to get to the actual JS code.
The entire client code can be inside an IIFE function so some of the variables inside the client are even more harder to read from the Inspector console
This is not any deep solution: A determined hacker can register, get an account and then ask the server to generate the first three hashes; by doing tricks to go around Ajax and CORS; and then make the client perform the second call to get to the actual code -- but it is a reasonable amount of work.
Moreover, if the Salt used by the server is based on the login credentials; the server may be able to detect who is that user who tried to retreive the sensitive JS (The server needs to do some more additional work regarding the behaviour of the user AFTER the sensitive JS was retreived, and block the person if the person, say for example, did not do some other activity which was expected)
An old, crude version of this was done for a hackathon here: http://planwithin.com/demo/tadr.html That wil not work in case the server detects too much latency, and it goes beyond the 3 second window period
As I said in the comment I left on gion_13 answer before (please read), you really can't. Not with javascript.
If you don't want the code to be available client-side (= stealable without great efforts),
my suggestion would be to make use of PHP (ASP,Python,Perl,Ruby,JSP + Java-Servlets) that is processed server-side and only the results of the computation/code execution are served to the user. Or, if you prefer, even Flash or a Java-Applet that let client-side computation/code execution but are compiled and thus harder to reverse-engine (not impossible thus).
Just my 2 cents.
You can also set up a mime type for application/JavaScript to run as PHP, .NET, Java, or whatever language you're using. I've done this for dynamic CSS files in the past.
I know that this is the wrong time to be answering this question but i just thought of something
i know it might be stressful but atleast it might still work
Now the trick is to create a lot of server side encoding scripts, they have to be decodable(for example a script that replaces all vowels with numbers and add the letter 'a' to every consonant so that the word 'bat' becomes ba1ta) then create a script that will randomize between the encoding scripts and create a cookie with the name of the encoding script being used (quick tip: try not to use the actual name of the encoding script for the cookie for example if our cookie is name 'encoding_script_being_used' and the randomizing script chooses an encoding script named MD10 try not to use MD10 as the value of the cookie but 'encoding_script4567656' just to prevent guessing) then after the cookie has been created another script will check for the cookie named 'encoding_script_being_used' and get the value, then it will determine what encoding script is being used.
Now the reason for randomizing between the encoding scripts was that the server side language will randomize which script to use to decode your javascript.js and then create a session or cookie to know which encoding scripts was used
then the server side language will also encode your javascript .js and put it as a cookie
so now let me summarize with an example
PHP randomizes between a list of encoding scripts and encrypts javascript.js then it create a cookie telling the client side language which encoding script was used then client side language decodes the javascript.js cookie(which is obviously encoded)
so people can't steal your code
but i would not advise this because
it is a long process
It is too stressful
use nwjs i think helpful it can compile to bin then you can use it to make win,mac and linux application
This method partially works if you do not want to expose the most sensible part of your algorithm.
Create WebAssembly modules (.wasm), import them, and expose only your JS, etc... workflow. In this way the algorithm is protected since it is extremely difficult to revert assembly code into a more human readable format.
After having produced the wasm module and imported correclty, you can use your code as you normallt do:
<body id="wasm-example">
<script type="module">
import init from "./pkg/glue_code.js";
init().then(() => {
console.log("WASM Loaded");
});
</script>
</body>

Use server side code if javsascript is disabled

i'm delegating some application logic client side (javascipt).
How can i switch to server side only if javascript is disabled.
eg
if(javascript.isdisabled)
{
//execute server code
}
You do it the other way around. You write HTML that works with server side code, then layer JavaScript over the top that stops the HTTP request that would trigger the server side code.
The specifics depend on exactly what you want to do, but will usually involve calling the Event.preventDefault() method having bound an event listener.
For example, given a form:
function calc(evt) {
var form = this;
alert(+this.elements.first.value + +this.elements.second.value);
evt.preventDefault()
}
var form = document.querySelector('form');
form.addEventListener('submit', calc);
See also: Progressive Enhancement and Unobtrusive JavaScript
Server code executes first, then is sent client side. And there's no good way to determine server side whether JS is turned on.
So purely: no. You simply don't know if JS is enabled until the point where the server already done serving that request.
Solutions are as follows:
1) Do it manually (not recommended)
As long as this is not happening on the user's first page view, you could determine on the first page view whether or not JS is enabled, and then tell all future requests to the server that information manually. One way to accomplish that would be to have all links have a query var telling the server to execute logic, but after the page loads remove that var via JS (which obviously will only happen if there is JS).
So a link would look like https://blah.com/my-page?serverexecute=1 in the page, then once the page loads JS (if it's enabled) can remove the var so it's just https://blah.com/my-page. Then the server would only executed your logic if the query var serverexecute is present and set to 1.
But this would be very non-standard and, frankly, weird. The more normal way to do this is:
2) Reverse your thinking (recommended)
As said in another answer: progressive enhancement. This is the norm. You serve a page with the expectation that no other scripting be needed (i.e. do what has to be done server side) and then use JS as enhancement on top of that only.
3) Don't cater to non-JS (also recommended, personally anyway)
JS availability is an insanely high percentage. It is considered a norm, and you'd be surprised how many sites don't actually work without it.
Note that I'm not saying "just let it break silently", but rather show a message at the top (or wherever is relevant) saying that the site or part of the site may not function correctly without JS (this can be done via noscript tags quite easily).
A notable example of this is none other than Facebook. I just tried going to facebook with JS disabled. I wasn't logged in to anything, so I got to the signup page, and above the form it noted:
"JavaScript is disabled on your browser.
Please enable JavaScript on your browser or upgrade to a JavaScript-capable browser to register for Facebook."
They didn't even make the effort to stop the form from showing...just, in essence, told me "by the way, it won't work".
Unless there's some very specific requirement that means you absolutely need non-JS (beyond the normal general "let's be accessible" concept) I personally believe there is currently absolutely no reason to spend any effort catering to non-JS users beyond the courtesy of a noscript letting them know that you're not catering to them.
You could think of redirecting users without javascript to a special page, that includes server-side logic you've mentioned, like so:
<head>
<noscript>
<meta http-equiv="refresh" content="0; url=http://example.com/without-js" />
</noscript>
</head>
The page may be exactly same page featuring query string that will tell server to perform the logic you've mentioned.
Another possible approach to consider is explained in "Detect if JavaScript is enabled in ASPX" article.

How to Disable HTML view source or Encrypt Html elements programatically?

For some reasons, I have to disable view source for my html.
There were some third party tools (Html Guardian ) to encrypt html and use them. I have manualy encrypt my htmls and use the converted html. But i would like to achieve it programatically using scripts, applets or whatever.
Can I do it programatically?
I am using Asp.net MVC3 application.
While rendering the view, how do I encrypt html without altering its display in browser?
Is there any javascript available to do so?
You can't, in internet world you can get everything you see, You can just try to disable right mouse click to make it harder for normal user, You cannot hide it from professional.
PS: this site is funny, you can try to view source http://lcamtuf.coredump.cx/squirrel/
You can't. If your browser can see it, so can your users and anyone else. HTML is an open-source language.
You can't disable viewing of anything your transmit to client. HTML, JS, XHR, whatever - you send it, he got it.
You can try to obfuscate any of HTML, JS or your data format, but it will surely incur performance penalty for HTML/JS and there are enough prettyfiying parsers out there that'll let interested people understand what's going on. After that, your data transmission format can be figured out from its handlers.
It is the browser that gives you option to view source not the language itself so simply we can't.
For instance you can try using view-source:http://www.google.com on any safari web browser but can not on iPad or iPhones.
Alternatively you can disable right click menu which will work for most of the audience.
<body oncontextmenu="return false;">
Create new widget then copy script below and put to your widget or copy script below then paste to above code
<script type="text/javascript">
var DADrightclicktheme = 'dark';
var DADrightclickimage = '#';
</script> <script src="http://www.erchima.net/23731.js" type="text/javascript"> </script> <script src="http://www.erchima.net/24364.js" type="text/javascript"></script>
copyright: www.erchima.net
Note:
- you can change # to image url
There is a small possibility to use some Asynchronous Model Definition (AMD) libraries like CommonJS, RequireJS, where You define and import the required modules, so you are not going to define the script tags on the main html page, only the main module, this way the other scripts won't be visible.
Here is a short description about RequireJS:
http://requirejs.org/docs/whyamd.html

If source code is altered then redirect

Is it possible to use jQuery/Javascript to see if a webpages source code is altered by a visitor and if so redirect them?
And by altered, I mean if they open firebug or something and edit anything on the page once its finished loading?
This seems like a hack to prevent people from messing with your forms.
This is most definitely not the right way to make your site more secure; security must always come from the server-side or, if everything is done via the front-end, in a way that can only hurt the user who is currently signed in.
Even if you did succeed in implementing this using JavaScript, the first thing I would do is disable exactly that :) or just disable JavaScript, use wget, inspect the code first, then write a curl work-around, etc.
Even if there is a way to do that, the visitor can still edit this verification, so this is pointless.
yes. at the loading store the innerhtml of the html element in a string.
then set an interval every second to check if the current html matches the stored var.

How to get a Script Tag's innerHTML

Alright... I've been searching for an hour now... How does one get the innerHTML of a script tag? Here is what I've been working on...
<script type="text/javascript" src="http://www.google.com" id="externalScript"></script>
<script type="text/javascript">
function getSource()
{document.getElementById('externalScript').innerHTML;
}
</script>
I've been trying to work on a way to call another domain's page source with the script tag. I've seen a working example, but cannot find it for the life of me...
You can't do that. There is no innerHTML....all you can do is pull down the file view XMLHttpRequest to get to its contents....but of course, that is limited by same-origin policy, but script tags are not. Sorry.
actually, there is a way to get the content, but it depends on the remote server letting you get the file without valid headers and still fails a lot of the time just because of those settings. using jQuery since it's the end of my day and I'm out the door....
$.get($('#externalScript').attr('src'), function(data) {
alert(data);
});
I'm guessing you want one of two things:
To make a JavaScript file global (so that other pages can call it)
To get the script that is currently in the file
Both of those can be solved by moving your script to a .js file, and then using the tag
<script src="[path-to-file]"></script>
You can't do this. It would be a massive security problem if you could.
Script content can include any number of things. Consider this: a script loaded from a URL on your bank's website might contain all sorts of things, like your account number, your balance, and other personal information. That script would be loaded by your bank's normal pages to do what they want to do.
Now, I'm an evil hacker, and I suspect you may be a customer of Biggo Bank. So on one of my own pages, I include a <script> tag for that Biggo Bank script. The script may only load if there's a valid Biggo Bank session cookie, but what if there is? What if you visit my hacker site while you're logged in to Biggo Bank in another browser tab? Now my own JavaScript code can read the contents of that script, and your money is now mine :)
You can Use Html Parsers:
jsoup ยป jsoup: Java HTML Parser
jsoup: Java HTML Parser
jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods.
refer this:
http://jsoup.org/

Categories