0

I am developing a web application in Java where I need functionality such that whenever a user tries to view the source of the page, or tries to save the entire page from the File menu -> Save As option, the user should not get the JavaScript code, nor be able to get the CSS code.

Usually, when the JavaScript code is in a separate .js file and the CSS code is in a .css file, and both are included in the page, all of these (js, css, ...) files are downloaded when the user saves the page, and the user can easily see them.

In this case the user can easily check all the validations performed in the .js file. This is the major point I need to solve.

Can anyone help me with this?

moala
Dhiren
  • 7
    How can user agents download those files if the user can not? I.e. what you want is not possible. Also: one does not simply rely on clientside validation. **ALWAYS VALIDATE SERVERSIDE, CLIENTSIDE VALIDATION IS JUST A NICE TO HAVE FOR A BETTER USER EXPERIENCE AND NOTHING MORE** – PeeHaa Dec 28 '12 at 09:23
  • 1
    You will never find a 100% solution. And don't use security by obscurity. – asgoth Dec 28 '12 at 09:24
  • The risk of working with a web-based, JS-enabled app is that the client can download the resources available on the internet... – Anantha Sharma Dec 28 '12 at 09:26

6 Answers

2

In simple words, this is impossible to achieve "Period"

Hanky Panky
1

At best, you can obfuscate your javascript and obfuscate your css, but it can always be retro-engineered. You can't do better, because the browser needs to --and already has-- downloaded it to interpret it as a web page.

If you are using it to make your protocol more secure, that's a bad option: all checks must be done server-side.

Don't lose too much time trying to countermeasure your users on this side, just work on the server-side security and offer your users a better experience.

Community
moala
0

In brief, it is impossible, since loading *.js, *.css, images and so on to the client side is part of browser-server communication. But if you have some unique algorithms, you can place the sophisticated logic on the server side, so the JS will have no patent or other value for the end user.

Another option: review the possibility of using obfuscated SWF (Flash technology).

Dewfy
0

It's impossible, if the client has to run the javascript, it has to download it, and you can't control that it cannot be downloaded. In any case, the user could see the cache, sniff packets, dump the application memory... there are many ways to see the code. Same happens for CSS. You can only obfuscate the code to make it less readable, but it only takes a little bit more time to read.

Consider that validation should always be done server-side; client-side validation using JavaScript is useful only to make the page more user-friendly and to not waste the user's time submitting wrong forms.

Jacopofar
0

Nobody can help you with this.

It's not possible.

I can open Chrome, hit CTRL + SHIFT + J and then get all kinds of information about anything that creates a webpage, that isn't Flash-data, Java-applets or Silverlight.

I can download all of your JavaScript, or inject JavaScript into your page.
Or, I can skip the JavaScript altogether, and use PHP to send GET/POST requests to your server.

Norguard
0

What you're asking is not possible.


The entire point of JavaScript is that it's client-side code.

As soon as you send it to the client, the client has control over it.
There is no way to prevent people from saving the JS, if the JS has to be used by the client. There is nothing you can do to prevent the client from messing with your JS.

All of this also counts for your CSS: It's sent to the client, so it's out of your hands.

Never rely on JavaScript for your validation purposes. It's laughably easy to circumvent JS validation:

Users can:

  • Disable event listeners, or the entire validation process altogether,
  • Change validation functions so they always return "is valid",
  • Just send any data they like to the server,
  • etc.
Cerbrus