#1  
Old 11-23-2007
solveitnow
Preventing Javascript file download

Hi everyone, I'm a new member.....

I am really enjoying reading all your posts but can't find one that I can use to solve my problem.

I am trying to make it almost impossible for a surfer to view or download my .js file that is used by a .php page.

You'll see below that I have moved the real .js files into a secret folder and have left dummy ones behind in the address that is called by the .php file. That way, if someone looks up the direct address of the .js files in the .php file, they will only be able to download the dummy files.

I have tried to use a mod_rewrite to manipulate the locations but now the .php file isn't working.

The content of my .htaccess file is below. The physical location of the folders is at /public_html/js/ and /public_html/qrv/secret/

My questions are:

1) is a .htaccess file what I should be using for this idea?

2) if so is this .htaccess file correct? (I've modified it from something I found on a blog site).

3) where should this .htaccess file be located?

4) is there a setting that I need to check with my host that allows mod_rewrite to work?

Without the mod_rewrite addition to the .htaccess file, the .php page works fine.

Any suggestions would be greatly appreciated.

Kind Regards,

solveitnow


/////////////////////////////////////////////////////////////////
Options All -Indexes

#
# /qrv/secret/.htaccess -- per-dir config file for directory /qrv/secret
# Remember: /qrv/secret is the physical path of /js, i.e., the server
# has a 'Alias /js /qrv/secret' directive e.g.
#

RewriteEngine On

# let the server know that we were reached via /js and not
# via the physical path prefix /qrv/secret
RewriteBase /js

# now the rewriting rules
RewriteRule ^abc123\.js$ abc123_secret.js

#a request to /js/abc123.js gets correctly rewritten to the physical file /qrv/secret/abc123_secret.js

RewriteRule ^abc123_dts\.js$ abc123_dts_secret.js

#a request to /js/abc123_dts.js gets correctly rewritten to the physical file /qrv/secret/abc123_dts_secret.js

////////////////////////////////////////////////////////////////
  #2  
Old 11-23-2007
jimbeetle
Re: Mod rewrite tips and tricks

Hi solveitnow.

I think you're just going to wind up chasing your tail on this and put in a lot of work for very little or no gain. Casual visitors have no interest in your .js files while those visitors who might really want a copy know that it's already cached on their local machines. No matter how many hoops you try to put in their way, they don't have to jump through any of them to access the files.
  #3  
Old 11-23-2007
solveitnow
Re: Preventing Javascript file download

Thanks heaps JimBeetle,

I really appreciate your advice. I can see now that maybe I am trying to use the wrong application.

Perhaps I should look at something like Flash, or does that have the same problems?

Do you have any other suggestions? I would like a secure calculation solution that can be displayed on the internet.

Or maybe I'm just dreaming?

Vanessa
  #4  
Old 11-24-2007
jimbeetle
Re: Preventing Javascript file download

I'm not familiar enough with Flash to make an educated comment, but a quick look around shows a few Flash rippers and decompilers out there (heck, even Apple offers a link to a download). They appear to be able to extract just about anything; you might want to download one and see the exact capabilities.

Also, having another look around, there appear to be a few javascript obfuscators out there that seem to be a bit more effective than in the past. Test a couple of them across different platforms and see if they make you feel a bit more secure.
  #5  
Old 11-26-2007
solveitnow
Re: Preventing Javascript file download

Thanks again JimBeetle,

You have been very helpful.

Kind Regards,

Vanessa
  #6  
Old 12-06-2007
Jazajay
Re: Preventing Javascript file download

If you really want to "hide" your JS code you can make it too hard for people to read it. To do this

1. compress the JS sheet so all the white space is removed.
so rather than

var a;
var b;
var c;
var d;
it appears as

var a;var b;var c;var d;

2. Change all the variables to

a b c.

So rather than
var about
or
var variableName

you change it to
var a
or var i

So if you had a js sheet that looked like

var about;
var bye;
var cat;
var dog;
var doc=document;
about=document.getElementById("menu");
alert("Hello");
etc...
it would appear as
var a;var b;var c;var d;var doc=document;a=doc.getElementById("menu");alert("Hello");

that way the compression would make a large JS sheet too hard to read or work out. There are online tools that can make this process automatic.

That's the best you are going to get unfortunately

Jaza
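
The two steps described in the post above, as an added example that is not part of the original post: a small JavaScript pass that strips white space and shortens `var` names, run on a script constructed from the post's sample. The function names and the tokenizer are illustrative, and the input is assumed to contain no comments or regex literals.

```javascript
// Added example: a toy version of the two steps in the post (strip white
// space, shorten var names). Assumes no comments or regex literals in the input.
const SAMPLE = [            // constructed from the post's sample script
  "var about;", "var bye;", "var cat;", "var dog;", "var doc=document;",
  'about=doc.getElementById("menu");', 'alert("Hello");',
].join("\n");

// Split into string literals, words, white space and single other characters.
function tokenize(src) {
  const re = /"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[\w$]+|\s+|[^]/g;
  return src.match(re) || [];
}

// 0 -> a, 1 -> b, ... 25 -> z, 26 -> aa
function shortName(i) {
  let s = "";
  do {
    s = String.fromCharCode(97 + (i % 26)) + s;
    i = Math.floor(i / 26) - 1;
  } while (i >= 0);
  return s;
}

function minify(src) {
  const isWord = t => /^[\w$]+$/.test(t);
  const tokens = tokenize(src).filter(t => !/^\s+$/.test(t));
  const names = new Map();
  // Pass 1: each name that directly follows `var` gets the next short name.
  tokens.forEach((t, i) => {
    if (tokens[i - 1] === "var" && isWord(t) && !names.has(t)) {
      names.set(t, shortName(names.size));
    }
  });
  // Pass 2: rename those names (but not properties after "."), and put back
  // a space only where two words would otherwise run together.
  let out = "";
  tokens.forEach((t, i) => {
    const prev = tokens[i - 1];
    const text = names.has(t) && prev !== "." ? names.get(t) : t;
    if (i > 0 && isWord(prev) && isWord(t)) out += " ";
    out += text;
  });
  return out;
}

// Any formatter puts the line breaks back; only the original names are gone.
function reflow(min) {
  return tokenize(min).map(t => (t === ";" ? ";\n" : t)).join("");
}
```

`reflow(minify(SAMPLE))` gives the statements back one per line, so the only step that survives a formatter is the renaming.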
  #7  
Old 12-06-2007
solveitnow
Re: Preventing Javascript file download

Hi Jaza,

Thanks heaps for your advice - I will try to do this with a program and then see how it looks. This looks to be the only way to go.

Kind Regards,

Vanessa
  #8  
Old 12-23-2007
Jazajay
Re: Preventing Javascript file download

Hi solveitnow
I've decided to think on improving my suggestion. Maybe a combined object tag and ajax solution with compression and extreme optimization. If I get any decent results I'll let you know.

I've just learnt unobtrusive Javascript via DOM scripting and AJAX so I'm interested in a better solution. I hate "coding thieves" learn to do it yourself.

Anyway I'll let you know if I get any results.
Jaza

If you have an idea for a starting point let me know as you seem to have more experience with JS. It would still have to be a SBO technique though otherwise it wouldn't be accessible to the browser. But I think it can be done.
  #9  
Old 01-20-2008
Jazajay
Re: Preventing Javascript file download

Ok this is my best solution.
Now I would put this in an external sheet at the bottom of the page, preferably at the end of a line of code that you have to scroll to see it. If the page is large it would be a pain to find.

Ok split your code into 2 types -
1 The JS calls to the Ajax function to receive the JS returned.
2 the beautifully written Ajax call itself -

Place this AJAX call in the middle of the already compressed code - Don't obfuscate (change variable names to smaller ones) as that will mess this script up. Compression is fine. You then call your main JS in via the AJAX call and only have the variables needed to pass over on show. The rest of your JS is basically hidden. Unless you have a talented hacker who realizes what's going on. However I have a safeguard against that.

Ok simple Ajax call but as always with a Jazajay upgrade to it. Something about band-aid comes to mind I forget what -
This AJAX call -
1. Posts the data
2. Optimized by timing out after a period of time if the request is frozen.
3. Optimized by sending a new request if the button is clicked twice. Otherwise if it is clicked twice the request just gets resent taking longer to get sent to the client. I bet you wish you were me.
Excuse the PHP comments in the JS.
Quote:
function call(data,id,process){
  var d=document; //shortcut for the document object
  var request=false;
  try{
    request = new XMLHttpRequest();
  }
  catch(error){
    try{
      request = new ActiveXObject("Microsoft.XMLHttp");
    }
    catch(error2){
      return true;
    }
  } //test to see if you are dealing with IE or another browser and set the request object, the thing you need to make the AJAX call appropriately.
  if(request){
    var b = d.getElementById(id); //shortcut for the element you want to set the output in
    request.open("post",data); //sets the AJAX call to post to the URL in data
    request.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
    request.setRequestHeader('If-Modified-Since','Fri, 06 Apr 2007 00:00:00 GMT'); //a date in the past
    request.onreadystatechange=function(){
      if(request.readyState==1){
        var timer = window.setTimeout(function(){
          if(request && request.readyState == 1){
            var timeOut = true;
            request.abort();
            var err="Sorry an error has occurred fetching the data. ";
            err+="This error has been logged and we will look into why this has happened. ";
            err+="We apologize for any inconvenience this may have caused.";
            b.innerHTML=err;
          }
        },10000); //aborts the script if the AJAX connection fails to connect after 10secs
        b.innerHTML="Loading..."; //set a user message for slow connections
      }
      if(request.readyState==4 && request.status==200){
        b.innerHTML=request.responseText;
        request=null; //if the request completes echo the data retrieved and drop the request
      }
    };
    request.send(process); //send the variable to the AJAX call
  }
}
This takes 3 parameters -
The URL you want to send - data (this will be where you keep the other JS /PHP hybrid sheet)
the id of the tag where you want to echo out the data/JS - id
and the data you want to send - process.

Call this in the script on your main JS script. The same one on the ajax call page. I'm going to use old school sorry otherwise the code would just be ridiculous.

onclick="call('urlYouWantTOSend','IdOnThePageWhereYouWantToEchoTheData','url=script1')";
script1 is the number of the function you want to retrieve. I'll explain this in a min

Right now on the receiving page, the one that gets the AJAX call add this
<?php
if($_SERVER['HTTP_REFERER']!='yoursite.com/the sent page.php')
{
As the script will only come from your domain, test to see where the post array came from. If it came from an external site it's down to a very clever content thief who has worked out what you are doing. If the referrer is from your site it may be genuine so continue. Otherwise return a space (nothing). The referrer can be faked but not everyone knows how to do it. Also minify the code on the page. I would also encode the php.
I would then test the ip address that you could set via a session on the previous page. If the post array comes from your site but you have the ip logged from someone who has used an external site to try to get your data also return nothing. By which point they should give up or have no idea as to why they are still having problems. Now you can see why I annoy so many hackers. Probably why I get a ridiculous amount trying to hack me, o well.

What I would personally do is set script1 variable to script1hacked then return script1hacked js function that would be different JS from what you are using normally then they would just get confused as to why the code's not working after they have "acquired it".

O I'm annoying.

You should see some of the safeguards on my site. The endless loops when a hacker gets into my fake admin CMS is just really annoying.

}
function cleanInput($url)
{
$clean=preg_replace('#[^A-Za-z0-9. ]#', '', $url);
return $clean;
} //creates a cleaning function
$clean=cleanInput($_POST['url']); //cleans the post array. not necessary depending on what you are doing with the variable(s) passed.

Ok now echo the JS to send back
if($clean=="script1")
{?>
<script type="text/javascript">
function() || alert() || document.get....."
</script>
<?php }
elseif($clean=="script2")
{
js function2
}
elseif($clean=="script3")
{
js function3 is returned.
}
etc.....
?>

So for them to see the js code they would have to access the AJAX call via the URL but post the right script number over.

I will kill the person that notices a problem with this. Just so you know. Probably with a blunt knife.

Now I'm a god you can admit it, I honestly don't mind.
Jaz

The fight against scammers, malicious hackers and content thieves continues....

Last edited by Jazajay : 01-21-2008 at 08:56 AM. Reason: odd word here and there
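
The receiving-page checks described in the post above, as an added example that is not the poster's code: the Referer test, the logged-IP test and the cleaned script id, ported from the post's PHP outline to JavaScript so it runs stand-alone. The site URL, script bodies, decoy and request shape are constructed, and reading the IP step as a list of addresses that previously failed the Referer test is an assumption.

```javascript
// Added example (not the poster's code): the receiving page's checks from the
// post, ported from its PHP outline to JavaScript so they run under Node.
// ALLOWED_REFERER, SCRIPTS, DECOY and the flagged-IP set are constructed.
const ALLOWED_REFERER = "http://yoursite.example/page.php";
const SCRIPTS = {
  script1: "function one(){/* real script1 */}",
  script2: "function two(){/* real script2 */}",
};
const DECOY = "function one(){/* decoy, not the real code */}";

// Same whitelist as the post's cleanInput(): letters, digits, dot, space.
function cleanInput(value) {
  return String(value == null ? "" : value).replace(/[^A-Za-z0-9. ]/g, "");
}

// req = { headers, remoteAddr, body }; flagged = Set of IPs that failed before.
function selectScript(req, flagged) {
  const referer = req.headers.referer || ""; // sent by the client, may be absent
  const id = cleanInput(new URLSearchParams(req.body).get("url"));
  if (referer !== ALLOWED_REFERER) {
    flagged.add(req.remoteAddr); // remember the address for later requests
    return { reason: "referer", js: DECOY };
  }
  if (flagged.has(req.remoteAddr)) return { reason: "flagged-ip", js: DECOY };
  if (!Object.prototype.hasOwnProperty.call(SCRIPTS, id)) {
    return { reason: "unknown-id", js: "" };
  }
  return { reason: "ok", js: SCRIPTS[id] };
}

// Constructed requests: a page visitor, an off-site POST, the same address
// retrying with the expected Referer value, and an id that is not on the list.
function demo() {
  const flagged = new Set();
  const mk = (referer, ip, body) => ({ headers: { referer }, remoteAddr: ip, body });
  return [
    selectScript(mk(ALLOWED_REFERER, "192.0.2.10", "url=script1"), flagged),
    selectScript(mk("http://other.example/", "198.51.100.7", "url=script1"), flagged),
    selectScript(mk(ALLOWED_REFERER, "198.51.100.7", "url=script1"), flagged),
    selectScript(mk(ALLOWED_REFERER, "192.0.2.10", "url=script9"), flagged),
  ].map(r => r.reason);
}
```

The Referer value and the POST body are both supplied by the client; the flagged-address set is the only input here that the server keeps itself.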
  #10  
Old 01-20-2008
jimbeetle
Re: Preventing Javascript file download

Once you get a problem in your head you can't get it out until it's solved, huh? ;-)

Very nice solution.
  #11  
Old 01-20-2008
Jazajay
Re: Preventing Javascript file download

Man as long as that solution means I get my own back on as many spammers, malicious hackers and content thieves, sorry the scum of the earth, as possible I will spend weeks, well at least a week with this one, coming up with a solution and then share it on 3 big coding forums to reap my revenge.

I've been hacked badly twice in the past - **** heads.

Honestly if they request JS via an external Post, as I said above, send them back the wrong JS function rather than just nothing.

They will try for ages to get it to work because it is the function that they think you are using so it must work, right?

Also I'm not sure it's possible to send back the whole function either. If it is this is a perfect protection policy if it isn't it is just a nice safeguard.

The war continues.....
  #12  
Old 01-25-2008
Jazajay
Re: Preventing Javascript file download

Hi guys if you are using my technique delete it from any indexed page.
I came across this a while ago and for some reason it just came to mind - weird. It's from Matt at Google and could make my code utterly useless to most of us - 90% of the time. Can't believe no one picked it up the second the post was made, I include myself in that statement. Most of you have already had the light bulb switch on as to what I mean, I imagine.

Hiding JS is good for another group of people.....

Here's what Matt says about JS redirects - hold on, it's very related.

Quote:
  • If you’re doing JavaScript redirects, don’t obfuscate the code–it just makes people think that you’re doing things after lots of deliberate consideration.
  • If you do obfuscate code, ask yourself: can a regular person still look at this code and tell what it’s doing without even knowing JavaScript?
Ok he's talking about javascript redirects granted. That said point 2 is quite interesting and could be very, very related.

The problem is I've come up with what looks like an infallible JS hiding technique, well 90% anyway. Using this technique is a lot better than obfuscating your code which is good against content thieves.

This technique will work and that is the problem: what if someone from G does a personal eval? hum... you could be up **** creek w/o a paddle as not only will they not be able to read the code. But there will be no JS to read at all even if they access the AJAX page itself due to how this script is designed. Something to bear in mind.

The only circumstance I can see this not being a problem is if you don't have anything that could trigger an eval, dodgy techniques, possible hidden code that is used for good reasons ie- tabbed menus, accidental alt spamming - ok maybe not. Using any of the css styles that may lead to an eval.
hidden,
none,
etc...
However a clever competitor might just report you anyway for using this technique alone. Now that would be annoying.

Only use this script on non-SE pages that have JS you want to remain hidden. - IMO.

My personal advice: don't use it on any indexed page. O well not like it was a week of my life now that would just add salt to the wound if it was.
- wounded now where's that bottle of Archers

Last edited by Jazajay : 01-25-2008 at 05:34 PM.