Page 1 of 1
unviewable javascript?
Posted: Sat Jul 07, 2007 9:43 am
by s.dot
Code: Select all
<script type="text/javascript" src="../js/somescript.js"></script>
Obviously this is downloadable. But is it easily viewable by the end user?
[edit]Assume the current working directory is /docroot/ and .. would be one level above the doc root.
[edit2]bleh, this should be in client side
Posted: Sat Jul 07, 2007 10:20 am
by nickvd
if i cant get to the javascript with my browser then it wont load it...
i.e. php stuff can be stored outside the docroot, as my browser doesnt need to see it, but my browser MUST be able to download the javascript, and as such, can be viewed by the end user.
Obsfucate?
Posted: Sat Jul 07, 2007 10:25 am
by s.dot
Oh, so the post i made wouldn't load the javascript? Hmm, for some reason I assumed it would.
Posted: Sat Jul 07, 2007 11:21 am
by Chris Corbyn
scottayy wrote:Oh, so the post i made wouldn't load the javascript? Hmm, for some reason I assumed it would.
Nope, anything which the client needs has to be accessible from the web root. You can't hide your JavaScript code, but you can make it a pain in the ass to do anything with.
Posted: Sat Jul 07, 2007 11:24 am
by superdezign
You can't hide JavaScript, but you could try out one of those condensers.
If you're really weird about it, you could copyright your code so if anyone used it, you could sue them. Though, I'm not sure how that'd even work.

Posted: Sat Jul 14, 2007 6:39 pm
by smudge
Here's one:
Code: Select all
<script type="text/javascript" src="../js/somescript.php"></script>
Note that you're calling a php page...
somescript.php:
Code: Select all
<?php
if ($_SERVER['REMOTE_ADDR']=='127.0.0.1'){
echo 'alert("Hello from PHP!")\n';
} else {
echo "Hah! You can't see anything!";
}
?>
I tested it, you CAN load a php script with <script>.
I just know realized it, but the REMOTE_ADDR will always be the client's IP, so maybe if you can find a way around it...
[edit]
Even better!
use include('realscript.js') where the alert is.
Posted: Sat Jul 14, 2007 6:57 pm
by feyd
include() will provide nothing. It's not possible to hide it as d11wtq stated.
Posted: Sat Jul 14, 2007 7:21 pm
by smudge
That won't hide it from everybody, it will only hide the js from people he doesn't want to see it.
Just for a second assume that we're using my script above and when the browser fetches the file, it uses, say...127.0.0.1, but if the actual person goes there, they use 127.0.0.2. (I know, I know... That won't happen, and that's the problem w/ using an IP, but hang with me)
The browser fetches it with 127.0.0.1, and PHP shows the js code.
The person fetches it with 127.0.0.2, and PHP denies access.
Do you understand what I'm talking about?
Posted: Sat Jul 14, 2007 10:08 pm
by feyd
include() won't hide anything at all from anyone.
The browser and the user will have the exact same IP. It will not be localhost unless the server is on their computer, which is probably not true.