unviewable javascript?

JavaScript and client side scripting.

Moderator: General Moderators

Post Reply
User avatar
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

unviewable javascript?

Post by s.dot »

Code: Select all

<script type="text/javascript" src="../js/somescript.js"></script>
Obviously this is downloadable. But is it easily viewable by the end user?

[edit]Assume the current working directory is /docroot/ and .. would be one level above the doc root.
[edit2]bleh, this should be in client side
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Contact:

Post by nickvd »

if i cant get to the javascript with my browser then it wont load it...

i.e. php stuff can be stored outside the docroot, as my browser doesnt need to see it, but my browser MUST be able to download the javascript, and as such, can be viewed by the end user.


Obsfucate?
User avatar
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Oh, so the post i made wouldn't load the javascript? Hmm, for some reason I assumed it would.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
User avatar
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

scottayy wrote:Oh, so the post i made wouldn't load the javascript? Hmm, for some reason I assumed it would.
Nope, anything which the client needs has to be accessible from the web root. You can't hide your JavaScript code, but you can make it a pain in the ass to do anything with.
User avatar
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

You can't hide JavaScript, but you could try out one of those condensers.

If you're really weird about it, you could copyright your code so if anyone used it, you could sue them. Though, I'm not sure how that'd even work. :P
smudge
Forum Contributor
Posts: 151
Joined: Sun May 20, 2007 12:13 pm

Post by smudge »

Here's one:

Code: Select all

<script type="text/javascript" src="../js/somescript.php"></script>
Note that you're calling a php page...

somescript.php:

Code: Select all

<?php
if ($_SERVER['REMOTE_ADDR']=='127.0.0.1'){
  echo 'alert("Hello from PHP!")\n';
} else {
  echo "Hah! You can't see anything!";
}
?>
I tested it, you CAN load a php script with <script>.
I just know realized it, but the REMOTE_ADDR will always be the client's IP, so maybe if you can find a way around it...

[edit]
Even better!
use include('realscript.js') where the alert is.
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

include() will provide nothing. It's not possible to hide it as d11wtq stated.
smudge
Forum Contributor
Posts: 151
Joined: Sun May 20, 2007 12:13 pm

Post by smudge »

That won't hide it from everybody, it will only hide the js from people he doesn't want to see it.
Just for a second assume that we're using my script above and when the browser fetches the file, it uses, say...127.0.0.1, but if the actual person goes there, they use 127.0.0.2. (I know, I know... That won't happen, and that's the problem w/ using an IP, but hang with me)
The browser fetches it with 127.0.0.1, and PHP shows the js code.
The person fetches it with 127.0.0.2, and PHP denies access.
Do you understand what I'm talking about?
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

include() won't hide anything at all from anyone.

The browser and the user will have the exact same IP. It will not be localhost unless the server is on their computer, which is probably not true.
Post Reply