
Prevent Javascript download

     
8:37 am on May 5, 2006 (gmt 0)

New User

10+ Year Member

joined:May 4, 2006
posts:15
votes: 0


Hi there!

I know it's almost impossible to hide client-side javascript but I'm building an AJAX app that is a bit different.

My client-side js file resides on my server and is generated by php (after setting the content-type header to application/x-javascript). The client fetches it using a <script> tag and it runs on his browser.

But I want to prevent the client from downloading the file. If he puts the url in a link, the browser will prompt for a download when the link is clicked. Is there any way to prevent this - either with php or javascript coding?

9:58 am on May 5, 2006 (gmt 0)

Junior Member

10+ Year Member

joined:July 6, 2005
posts:121
votes: 0


But I want to prevent the client from downloading the file.

If you would prevent this, the browser couldn't access it either, rendering your whole script useless.
I know it's difficult to accept, but anything that can (and should) be read by your browser can be read/downloaded by the client/visitor.

11:25 am on May 5, 2006 (gmt 0)

New User

10+ Year Member

joined:May 4, 2006
posts:15
votes: 0


It sure is difficult to accept... but thanks for the info.

One more point though; part of the php script that writes up the Javascript checks where the client is coming from i.e. the url of the client which I get using HTTP_REFERER. So if the user types in the path to my file in the address bar (directly), he gets redirected to somewhere else.

Unfortunately, my redirection does not work with links, using HTTP_REFERER. Any ideas on this? As in, even if download prevention is not possible, how can I force a redirection from a hyperlink? In other words, I want my script to only recognise requests from the <script> tag.

Thanks in advance.

12:04 pm on May 5, 2006 (gmt 0)

Junior Member

10+ Year Member

joined:July 6, 2005
posts:121
votes: 0


You should never write anything that relies on referers. First of all, they are untrustworthy, and second, browsers simply don't always give them.

I think there is a solution to your problem though (if I understand it correctly).
If this is your php-script:
index.php
that looks somewhat like this:
--------

<html> 
<head>
<title>page</title>
<script type="text/javascript" src="javascript.php"></script>
</head>
<body>
<?php
echo "boe";
?>
</body>
</html>
------------

and you want to ensure that only that index.php can access the javascript.php file, then you could do this trick:

index.php
--------

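<?php
session_start();
// One-time token for this page view. random_bytes() replaces md5(mktime()),
// which is guessable from the clock and fails on PHP 8 (mktime() needs an argument).
$_SESSION['checkAccess'] = bin2hex(random_bytes(16));
?>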
<html>
<head>
<title>page</title>
<script type="text/javascript" src="javascript.php?ca=<?= $_SESSION['checkAccess'];?>"></script>
</head>
<body>
<?php
echo "boe";
?>
</body>
</html>
------------

javascript.php
--------------

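<?php
session_start();
// Accept the request only if it carries the token stored for this session.
if (isset($_GET['ca'], $_SESSION['checkAccess']) && is_string($_GET['ca'])
    && hash_equals($_SESSION['checkAccess'], $_GET['ca']))
{
    // The token is single-use: a later request with the same URL is refused.
    unset($_SESSION['checkAccess']);
    // output script
}
else
{
    echo "alert('you are not allowed to access this script');";
}
?>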
-----------------

If this does not make sense, let me know and I'll explain it.

12:12 pm on May 5, 2006 (gmt 0)

Preferred Member

10+ Year Member

joined:Oct 1, 2004
posts:607
votes: 0


Regarding keeping your JS private, one thought would be to obscure (obfuscate) the script's contents as much as possible, e.g. putting everything on one line, using cryptic function / variable names etc.

That's in no way perfect protection, but it will put off the casual snooper, and for anyone with enough skill to "reverse engineer" it, the time required might cause them to find more productive things to do.

Regarding the linking thing, one approach would be to do some referer and cookie based checking, so that e.g. the JS file can only be fetched by a client within X seconds of the HTML page being retrieved. Again, not hackproof though.
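
Added example, not part of the thread: the "fetchable only within X seconds" idea above, done with a signed expiring token in the script URL instead of referer or cookie checks, so no session is needed. The names issue_token, verify_token, SECRET and TTL are hypothetical, and the `ca` parameter follows the javascript.php example earlier in the thread.

```php
<?php
// Added example: stateless, expiring token for the script URL.
// SECRET and TTL are assumptions; keep the real secret out of the web root.
const SECRET = 'replace-with-a-long-random-server-side-secret'; // placeholder
const TTL    = 10; // seconds the script URL stays valid

// Called while rendering the HTML page: returns "<expiry>.<hmac>".
function issue_token(int $now): string
{
    $expires = $now + TTL;
    return $expires . '.' . hash_hmac('sha256', (string)$expires, SECRET);
}

// Called at the top of javascript.php with $_GET['ca'].
function verify_token($token, int $now): bool
{
    if (!is_string($token) || substr_count($token, '.') !== 1) {
        return false;                       // missing, array, or malformed
    }
    [$expires, $mac] = explode('.', $token);
    if (!ctype_digit($expires)) {
        return false;
    }
    $expected = hash_hmac('sha256', $expires, SECRET);
    // Constant-time MAC check first, then the expiry check.
    return hash_equals($expected, $mac) && (int)$expires >= $now;
}

// Constructed walk-through with a fixed clock value.
$t0    = 1146818220;                         // moment the page was rendered
$token = issue_token($t0);
var_dump(verify_token($token, $t0 + 3));     // <script> fetch inside the window
var_dump(verify_token($token, $t0 + 60));    // same URL followed after expiry
var_dump(verify_token('9999999999.' . str_repeat('0', 64), $t0)); // altered expiry
var_dump(verify_token(null, $t0));           // direct request without a token
```

A valid token can still be reused until it expires, and anyone who loads the page receives the script anyway, so this limits stale or copied links rather than hiding the code.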

1:03 pm on May 5, 2006 (gmt 0)

Junior Member

10+ Year Member

joined:July 6, 2005
posts:121
votes: 0


Making it difficult is, of course, always a possibility.

Regarding the referer and cookie thing: I would advise against that. Like I said before: referers are sometimes not even passed on by the browser, and besides the fact that cookies are easy to alter, they could also be disabled and then your script won't work anymore.

I think the php-session thing I proposed is a far more stable solution.

1:12 pm on May 5, 2006 (gmt 0)

New User

10+ Year Member

joined:May 4, 2006
posts:15
votes: 0


Thanks a lot simkin. I think I understood the code pretty well. Yeah, you did get what I explained, except that the client page is not from my server so using sessions may not work (the client page could be using some other language besides php).

I've never used Google's AdSense before but I noticed that it does almost exactly what I would like - provides a javascript for clients to place Google ads on their site. But it seems that they're not interested in "hiding" the javascript.

zCat's suggestion of obfuscation seems like a good idea. Thanks a lot indeed.

2:04 pm on May 5, 2006 (gmt 0)

Junior Member

10+ Year Member

joined:July 6, 2005
posts:121
votes: 0


Well, what you could still do is read the contents of the javascript file with a php-file (javascript.php in my example) and output it. The client would never know where it originally came from.
 
