Protect .js files?

Evil Phil

Folks,

I've got my javascript functions in a .js file in a single directory. I want the pages on my website to be able to access those functions but I don't want some ****er opening the .js file with their browser and stealing my precious scripts. This is an Apache server running on Linux.

Should I use a .htaccess file, and if so, how?

If not any suggestions would be a great help. (Well not any suggestion )

Kev

javascript is client side, so for it to run the browser has to download it, so if you protect it, it wont run.

Talliesin

Who cares about your .js file. Does it contain the second secret of Fatima in a comment?

zAbbo

Use it as an include file in asp,

simple

cgarvey

Originally posted by bazH
Use it as an include file in asp

Not that simple, the JS is obviously client side. And the goal is to protect the source being viewed. So if you include it in ASP page, then it can still be viewed just by viewing the source of the HTML.

If you mean do the logic in the JS server side, then that's not always possible or a good idea.

I think the bigger question is why would you want to protect it? Have you something really really secret that is not in the public domain? No offense, but probably not. And if you do, then you might as well submit it to some scripts site and at least try and get credit for it.

You could try using the Referrer of the HTTP request to make sure the request for the JS file came from the page, but that's nowhere near 100% protection.

mneylon

He's on linux... so you could try using an include in PHP... though as javascript is client side it probably won't work..
do a search on google or dynamicdrive.. there are a few tools to obfuscate javascript, though I don't know how good they are

Talliesin

If your code was really worth protecting (doubt it) it would be worth reverse engineering the obfuscatation.

Evil Phil

All I wanted to do was prevent people from getting a listing on the directory that contained the files. Boards has changed since I've left Ireland.

Thanks for the help (not).

mneylon

If you want to prevent a directory listing you might want to try a .htaccess if you are on Linux

Evil Phil

Thanks BK.

The Corinthian

One means is to use server side scripting to decide weither or not to dish out your JS file in the first place, based upon the referrer. Your script would call, say:
[PHP]<SCRIPT SRC="foobar.php">[/PHP]
which would be a PHP script (or JSP or ASP, doesn't matter) outputting your JS object with a Content-Type of text/plain.

Then encrypt your code and allow it to decrypt/execute using eval. The important thing it to encrypt it on the server on the fly and to use the current date as the key. This means that others will still be able to download your code, but it won’t work after a day, as you will be using the system clock to pull out a key at their end. Given this, they could still decrypt your code if they put their minds to it (e.g. by just replacing eval with document.write).

Alternatively, just check whether the call is coming from a valid location (i.e. your HTML page) using the referrer page. Downside to this is that they may still find a cached version on their PC’s and some browsers may not bother sending a referrer header for JS objects.

Bottom line is that with client-side code, the best you can ever do is obfuscate, never truly protect. However, if all you’re trying to do is protect your code (rather than any data contained within) this would probably do the trick as most snarf monkeys who need to steal other peoples’ code would not be able to de-obfuscate it anyhow.

cgarvey

Originally posted by Evil Phil
All I wanted to do was prevent people from getting a listing on the directory that contained the files. Boards has changed since I've left Ireland.

Thanks for the help (not).

Sure, but next time, maybe try to ask the question you want answered, rather than asking a different question to the one you want answered and then getting all sarky (and mature.. not) when you don't get the answer you want.