Entry
how do I prevent people from viewing source?
Feb 3rd, 2003 12:46
Yuriy Fuksenko, Alvin Zhang, Harpo Veld, Mike Hall, Sean Anderson,
The bottom line is, you can't. Whatever your web server sends to a
client can be viewed by the user, be it an HTML page, an image, etc.
You can protect server-side scripts, like ASP, Perl, Cold Fusion or any
other CGI program by ensuring that your web server is properly
configured to only allow those files to be executed, not read. However,
the output of these programs (HTML, script, etc.) can be viewed.
For web pages and JavaScript code, you can use a variety of pop-up
windows, no-right-click scripts, etc. to keep casual users from seeing
the code but the bottom line is that if the browser is going to render
it, it has to have a copy. Users can always disable JavaScript or look
in the browser cache files to find the source.
Also, anyone with some programming knowledge can build their own
browser pretty easily. Microsoft even offers a sample VB app (see
http://msdn.microsoft.com/library/techart/msdn_vbhttp.htm) that does
nothing but request files on the web and download the source as well as
view and set the HTTP headers that a regular browser handles behind the
scenes.
You really can't prevent people viewing your source code. However,
there are some apps that will 'encrypt' your source code and make
reading, editing and reusing it impossible. This is, of course, not
100% secure, but will prevent stealing your code in almost all cases, if
that's what you're aware of. Maybe the best program of this kind is
called HTML Guardian. I don't remember the URL but you can search for
it at major download sites such as www.tucows.com.
Alvin,
One traditional way, though not encrypting or whatsoever, is to lump
all the code together. It also helps to scale down the file size of
the HTML file. However this method is only effective with large files
with lots of coding and can be decrypted if there is time. The
disadvantage is that it takes time and as above, the bottom line is
that you still cannot prevent the user from looking at what is on
his/her computer. This method is similar to what HTML Guardian employs
but HTML Guardian makes it encrypted by adding garbage in between the
lines of code. The garbage added is all ignored by the client's
browser. According to the HTML Guardian help file, they mentioned
that encrypted .asp file included in another encrypted .asp file does
not work (direct quotation from help file), so ASP developers take
note.
Example:
<body>
abcabc
</body>
becomes
<body>abcabc</body>
Well, since in almost all cases the user has the address bar available, all he
needs to do really is just replace the URL in the address line with the
following:
javascript:open("","").document.write("<textarea cols=100% rows=100%>"+document.body.innerHTML+"</ textarea>");
OR
javascript:"<TEXTAREA>" + document.body.innerHTML + "</ textarea>";
(Don't forget to remove spaces in closing tag)
Well, in IE it works much better than in NS :) Funny, but he will see
the real HTML, not an encrypted one :) Even if that HTML is produced by
JavaScript code.
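
The one thing the entry says can be protected is server-side script source (ASP, Perl, Cold Fusion), provided the server executes those files instead of serving them. The following is an added example, not part of the original entry: a Python heuristic that flags responses that look like raw script source. The marker patterns, the function name and the sample responses are assumptions constructed for illustration.

```python
import re

# Signatures of unexecuted server-side code (assumed heuristics, not exhaustive).
MARKERS = [
    ("ASP block", re.compile(r"<%.*?%>", re.S)),
    ("server-side include", re.compile(r"<!--\s*#include\s+(file|virtual)=", re.I)),
    ("Perl shebang", re.compile(r"\A#!\s*\S*perl\b")),
    ("ColdFusion tag", re.compile(r"<cf(query|set|output|if|include)\b", re.I)),
]
SCRIPT_EXT = re.compile(r"\.(asp|pl|cgi|cfm)$", re.I)


def find_source_leak(path, content_type, body):
    """Return reasons this response looks like raw script source, [] if none."""
    reasons = [name for name, rx in MARKERS if rx.search(body)]
    # A script URL answered as plain text or a download was read, not executed.
    ctype = content_type.split(";")[0].strip().lower()
    if SCRIPT_EXT.search(path.split("?")[0]) and ctype in (
            "text/plain", "application/octet-stream"):
        reasons.append("script served as " + ctype)
    return reasons


# Constructed sample responses (path, Content-Type, body); not from the entry.
SAMPLES = [
    ("/login.asp", "text/html",
     "<html><body><form method=post>...</form></body></html>"),
    ("/login.asp", "text/plain",
     '<%@ Language=VBScript %>\n<% conn.Open "DSN=app" %>\n<html>'),
    ("/cgi-bin/mail.pl", "text/plain",
     "#!/usr/bin/perl\nuse CGI;\nprint \"Content-type: text/html\\n\\n\";"),
    ("/report.cfm", "text/html",
     "<cfquery name=\"q\" datasource=\"app\">SELECT 1</cfquery><html>"),
]

if __name__ == "__main__":
    for path, ctype, body in SAMPLES:
        hits = find_source_leak(path, ctype, body)
        print(path, ctype, "->", hits or "executed output only")
```

Run it against responses fetched from your own site after any handler or MIME-mapping change; an empty result means the body contained only what the script printed.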