It is very common that we link CSS and JS files in our HTML and PHP pages. Can we block opening of the CSS and JS files directly from a browser? Since the source code can be viewed by anyone, he/she can open those files by understanding the path. How can we achieve blocking these files?
-
You can't. If the user couldn't read them the web browser wouldn't be able to read them. – robertc Jun 14 '12 at 17:59
-
All you can do is obfuscate the files, but that doesn't really keep a user from reusing them as-is. – gcochard Jun 14 '12 at 18:00
-
Say for example we can set 403 permission for folders such as www.websitename.com/images. But still the files/images under the tree are still accessible. – Sarvap Praharanayuthan Jun 14 '12 at 18:00
-
Why would you bother the user opening the file? If you're placing sensitive information in javascript, well, that's your fault entirely... – Ortiga Jun 14 '12 at 18:01
-
Obfuscation is the solution. People will write code rather than trying to read obfuscated code :) Try it yourself [here online obfuscator](http://www.daftlogic.com/projects-online-javascript-obfuscator.htm) – Shiham Jun 14 '12 at 18:04
-
@Andre Yep!!! The user must be blocked to open the file such as www.websitename.com/css/filename.css. So that they cannot reuse it. This is just an example. I just need to utilize the technique for all other type of files. – Sarvap Praharanayuthan Jun 14 '12 at 18:04
-
@Andre: The reason why I tried to block is not a security issue. People try to download the files inside a tree using DOWNLOAD MANAGER and SITE GRABBERS. So if we were able to block then only genuine requests can be served. – Sarvap Praharanayuthan Jun 14 '12 at 18:11
-
I wonder, could you show users an image of the styled page they're getting and after they fulfill whatever requirements there are, email them a direct link to the CSS/page, or perhaps email it as an attachment (zip maybe)? – DACrosby Jun 14 '12 at 18:19
4 Answers
You need to set up your web server to serve the static content (js, img, css) only if referred by your host (looking at the HTTP headers), but it won't totally prevent users from doing it. As for the PHP, users won't see it; it runs on the server and will, most of the time, output inert HTML.

-
There's a major issue with this. If the browser is set to not send the referrer header, then if you require it to be present and set to the site these people cannot view any resources. – Robert K Jun 14 '12 at 18:02
-
What I'm saying is: without the referrer header set the user cannot see the resources, period. So if I had my system going through a proxy that strips this, or I configured my browser this way, then I cannot see anything protected like this. – Robert K Jun 14 '12 at 18:06
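A basic block would force the browser to send a valid `Referer` header when accessing the files. This can be done with some simple .htaccess:

```apache
RewriteEngine on
# Referer does not contain this site's host name (case-insensitive)
RewriteCond %{HTTP_REFERER} !your\.domain\.here [NC]
# ...and the requested file ends in .css or .js
RewriteCond %{REQUEST_FILENAME} \.(css|js)$ [NC]
# Answer with 403 Forbidden and stop processing rules
RewriteRule .* - [L,F]
```
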
However this is not a great idea because it's easy enough to fake the referrer, or add a link to the page so that the browser naturally sends it. Also, some browsers just don't show the referrer header.

-
IME, this doesn't work that well with Firefox... at least not older versions. – user1337 Jun 14 '12 at 18:02
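
The trade-off raised in this answer and in Robert K's comments above can be checked with a small model of the rule. This is an added example, not code from any of the posters; it assumes the placeholder host `your.domain.here`, simplifies `REQUEST_FILENAME` to the URL path, and the `allow_empty` switch models the extra condition `RewriteCond %{HTTP_REFERER} !^$` that hotlink rules often carry.

```python
import re

# Assumption: the site's host is the answer's placeholder, your.domain.here.
SITE = re.compile(r"your\.domain\.here", re.I)   # first RewriteCond, [NC]
STATIC = re.compile(r"\.(css|js)$", re.I)        # file ends in .css or .js, [NC]

def blocked(path, referer, allow_empty=False):
    """Return True when the modelled rule would answer 403 ([F]).

    mod_rewrite ANDs consecutive RewriteCond lines, and a missing Referer
    header expands to the empty string. allow_empty models one more
    condition, RewriteCond %{HTTP_REFERER} !^$, placed before the others.
    """
    referer = referer or ""
    if allow_empty and referer == "":
        return False
    return SITE.search(referer) is None and STATIC.search(path) is not None

# Constructed sample requests: (description, path, Referer header or None).
REQUESTS = [
    ("page load, Referer sent", "/css/site.css", "http://your.domain.here/index.php"),
    ("page load, Referer stripped by browser or proxy", "/css/site.css", None),
    ("file opened directly from the address bar", "/css/site.css", None),
    ("download tool that sets its own Referer", "/js/app.js", "http://your.domain.here/"),
    ("HTML page, not covered by the rule", "/index.php", None),
]

def evaluate(allow_empty=False):
    """Run every sample request through the rule; True means 403."""
    return [(desc, blocked(path, ref, allow_empty)) for desc, path, ref in REQUESTS]

if __name__ == "__main__":
    for label, flag in (("strict rule", False), ("empty Referer allowed", True)):
        print(label)
        for desc, is_blocked in evaluate(flag):
            print(f"  {'403' if is_blocked else '200'}  {desc}")
```

The second and third requests are identical on the wire, so the rule either blocks both (breaking the page for visitors whose Referer is stripped) or allows both (serving the direct open it was meant to stop).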
-
The browser has to be able to access those files in order to properly display the page. You can obfuscate the JS, either through something basic like minification, or something more complex like "How can I obfuscate (protect) JavaScript?"
With CSS, you can try something similar.
Look into the following resources, they might help.
http://www.iwebtool.com/html_encrypter
http://www.catswhocode.com/blog/3-ways-to-compress-css-files-using-php
http://www.n1studios.net/tutorials/php/css-file-protection.html
All of them are somewhat of a workaround, and there is always a way to read them. You can only make them hard to read.
