PHPers rejoice.. keep your JavaScript secure!

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

Ok last attempt for now.

What happens when you save the entire page at http://www.urbanchaos.net/Lockdown2/ ?

I'm not too worried about Firebird being able to download the javascript because hardly anyone uses Firebird and the site(s) I'm working on are either NS/IE only, or just IE only... any other browser will just get bounced off the site to a 'your browser is not compatible' page.

So I guess I'm really just making sure I can secure things for NS and IE.
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

patrikG wrote:But the problem is not me accessing the .js-file in particular, rather ripping the entire website.

How is a webserver supposed to differentiate between a "normal" HTTP-request to dish out the data and a "rip"-request?

The solution your provider suggests doesn't help you there either. It simply prevents "direct" access to the file.
add to that if you figure out that's what the second php is for, then you can get tot he file directly anyway, so it only slows it down
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

Gen-ik wrote:Ok last attempt for now.

What happens when you save the entire page at http://www.urbanchaos.net/Lockdown2/ ?

I'm not too worried about Firebird being able to download the javascript because hardly anyone uses Firebird and the site(s) I'm working on are either NS/IE only, or just IE only... any other browser will just get bounced off the site to a 'your browser is not compatible' page.

So I guess I'm really just making sure I can secure things for NS and IE.
if firebird is mozilla, and mozilla and netscape are closely enough related to check as netscape/mozilla when looking, wouldn't that means if it's ns/ie then mozilla will get to it?
User avatar
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

Gen-ik wrote:any other browser will just get bounced off the site to a 'your browser is not compatible' page
Unless they just modify their user-agent info so your site thinks they are IE or NS (both Mozilla and Opera can do this).

Mac
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

twigletmac wrote:Unless they just modify their user-agent info so your site thinks they are IE or NS (both Mozilla and Opera can do this).

Mac
Yep that's true but the site won't work if this is done because the javascript only works on the more modern NS/IE browsers.

I normally run a triple-check on browsers anyway using PHP, JavaScript, and VBScript so it's rare that any 'un-wanted' browsers get through.


m3rajk wrote:if firebird is mozilla, and mozilla and netscape are closely enough related to check as netscape/mozilla when looking, wouldn't that means if it's ns/ie then mozilla will get to it?
No because there are other ways to check browser types rather than just checking for 'mozilla' in the user-agent string.
qartis
Forum Contributor
Posts: 271
Joined: Sat Dec 14, 2002 4:43 pm
Location: BC, Canada
Contact:

Post by qartis »

I wrote:You may want to have a look at javascript.encode
m3rajk wrote:quartis: that is exactly why i was trying to figure out how to encode things so it'd be sent in gibberish.
http://msdn.microsoft.com/library/defau ... ncoder.asp
User avatar
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

Gen-ik wrote:Yep that's true but the site won't work if this is done because the javascript only works on the more modern NS/IE browsers.
Erm, Mozilla shares the same Gecko engine as the 'more modern' NS browsers. Opera is flaky when it comes to JavaScript but I've not had any problems with Mozilla thus far.

Personally I don't understand why any web developer would prevent someone from accessing their site based on the browser they use. IMHO, if a site relies heavily on client-side stuff in order to work there should always be a server-side fallback position.

Mac
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

twigletmac wrote:Personally I don't understand why any web developer would prevent someone from accessing their site based on the browser they use. IMHO, if a site relies heavily on client-side stuff in order to work there should always be a server-side fallback position.

Mac

It's all down to what you want to do with the website. For example modern browsers allow the use of the document.innerHTML, document.getElementById, and document.getElementsByTagName, which allows for some great dynamic websites to be created.

For example the site I'm working on at the moment uses one page, and once the page has loaded it never needs to be refreshed. Any new data can be loaded out-of-site in an iframe and once loaded the content of the iframe can then be dynamically inserted into the current page.

You can do some cool stuff with this like having a Who's On-line panel which is updated every 10 seconds or so without refreshing the page.

I like to create sites that push website design and development forward, not hold it back because I have to make sure my sites work with the older, or crapper, browsers out there which people (for some unknown reason) are still using.

Some people might not agree with that but they are the people holding back website development, others are trying to push it forward.

Basically if your browser doesn't support the document. stuff above then you don't get into the website. Simple.
User avatar
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

Gen-ik wrote:I like to create sites that push website design and development forward, not hold it back because I have to make sure my sites work with the older, or crapper, browsers out there which people (for some unknown reason) are still using.
Because, they don't have a new computer? Because they have a disablity which means they use special software for web access?
Gen-ik wrote:Some people might not agree with that but they are the people holding back website development, others are trying to push it forward.
I am one of those 'some people' who you seem to believe are holding back web design. But I don't think that me (or others like me) are holding back web design just because we think it's also important to remember that the web enables people who for one reason or another - poor eyesight, mobility problems - can't access a lot of what you take for granted. By all means have fancy effects on your web pages but don't make that the be all and end all. At the end of the day the web is about sharing information and it doesn't take much to make that information accessible.

There's no reason why you site has to look exactly the same in all browsers - it's the information which is important, not the bells and whistles.

Mac
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA
Contact:

Post by jason »

"If you are incapable of building a web site that works in all browsers, you are incapable of building a web site."

Me, now
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

twigletmac wrote:Because, they don't have a new computer? Because they have a disablity which means they use special software for web access?
Good point, but the sites I create are not geared towards people with disabilities, in fact it never has been and never will be a major influence in my website development. I'm not just talking about simple text based sites with a few fancy graphics on them, I'm taking about multi-user communities and 'virtual worlds' similar to Virtual Ibiza, Zing, and SoulKool which I am developing.

Can you imagine Formular One being restricted to 50 MPH just because one of the drivers had a disability?

twigletmac wrote:I am one of those 'some people' who you seem to believe are holding back web design. But I don't think that me (or others like me) are holding back web design just because we think it's also important to remember that the web enables people who for one reason or another - poor eyesight, mobility problems - can't access a lot of what you take for granted.
I guess it depends on the type of website you are designing. My sites don't take people with disbilities into account because the number of disabled people visiting the sites is minimal. I won't comprimise development or design for the few.

twigletmac wrote:By all means have fancy effects on your web pages but don't make that the be all and end all.
It never is just the be-all-and-end-all. Simply pasting fancy graphics all over a site won't cut it, doing something creative or new with the tools modern browsers offer is where the creativity is, and it's also where new advancements and ideas on and for the net will spring from.
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

jason wrote:"If you are incapable of building a web site that works in all browsers, you are incapable of building a web site."
There's a difference between not being able to and not wanting to.

"I'm not afraid of dying, I just don't want to."
User avatar
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY
Contact:

Post by Stoker »

..as discussed and concluded many times in the past on this and other community medium; it is impossible to hide any type of source of whatever kind that the browser needs to parse; If the browser can fetch/decode it, so can anyone else..
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

Stoker wrote:..as discussed and concluded many times in the past on this and other community medium; it is impossible to hide any type of source of whatever kind that the browser needs to parse; If the browser can fetch/decode it, so can anyone else..

Does that mean that securing a site using SSL is in fact pointless as anyone can get access to the info?

Would that mean any information passed to and from SSL pages on the server could get intercepted by anyone?

I'm sure this isn't the case. If it is then what's the point of SSL.
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA
Contact:

Post by jason »

Gen-ik wrote:I'm sure this isn't the case. If it is then what's the point of SSL.
To secure the data between the two parties (the browser and the server). It's not meant to make the data unreadable by both parties (or else, the browser wouldn't be able to parse it.
Post Reply