How can I prevent my JavaScript from being viewed in Firebug, so that I can prevent hacking through the JavaScript?
possible duplicate of [Does Firebug have something built-in to disable all javascript for a site/page?](http://stackoverflow.com/questions/592607/does-firebug-have-something-built-in-to-disable-all-javascript-for-a-site-page) – Nick Craver May 12 '10 at 11:50
@Nick Craver: I think he means something different. His JS should not be discoverable by Firebug, this is the way I understand it (but not 100% sure ;)) – Felix Kling May 12 '10 at 11:52
Not doable. The only way is to not trust the client. – Matti Virkkunen May 12 '10 at 11:54
@Felix - Thanks! I *completely* read that wrong, you're certainly right. – Nick Craver May 12 '10 at 11:55
5 Answers
You cannot prevent anyone from examining your JS when browsing your page.
The reason is simple: When you visit a web site, all its content (HTML, images, scripts, etc.) is downloaded to your machine in order to process and display it.
Once the data is downloaded, you can do whatever you want with it (whether it is legal is another issue).
But you can make it more difficult for others to examine your JS code by obfuscating it.
See this question: How can I obfuscate JavaScript?
This might or might not help. It won't stop those who really want to know.
The question is, is your code so valuable, dangerous or whatever that you really have to think about such stuff?

+1 - I would add that this only slightly hinders anyone trying to see your javascript, it's a deterrent and not a stop: http://stackoverflow.com/questions/2302618/getjson-and-php-file – Nick Craver May 12 '10 at 12:02
@Felix Kling is right: I actually meant that my JS should not be discoverable by Firebug – Dhaval dave May 12 '10 at 12:41
You generally can't prevent people from seeing/debugging your JS code. There are ways to make their life miserable, but please don't even think about it.

Try to check Stack Overflow's (this site's) script from Firebug. You cannot watch the JavaScript, so it is possible, but I don't know how – Dhaval dave May 12 '10 at 12:40
If you mean what Felix Kling thinks you mean, you can't. You can obfuscate it, but if you want the browser's Javascript interpreter to run it, it has to be readable by the browser, which makes it effectively public information.

That is impossible. The user will always have a means of executing javascript in the browser - if not using Firebug, then using the pseudo protocol handler javascript: in the address field.

Try to check Stack Overflow's (this site's) script from Firebug. You cannot watch the JavaScript, so it is possible, but I don't know how – Dhaval dave May 12 '10 at 12:39
You mean this: http://sstatic.net/so/js/master.js?v=aed826386fce ? That it doesn't show up in Firebug is most likely a coincidence as Firebug tends to err with some scripts. – Sean Kinsey May 12 '10 at 13:34
This is too involved for me to test, but I see no reason why it wouldn't work:
Add a task to the bottom of your javascript that uses jQuery's .getScript() (or some other method of dynamically loading a script) to re-load the javascript file using a URL that has an innocuous querystring or anchor tag on the end.
You also need to alter the server code to send a virtually empty javascript file if the request has the special URL-ending.
BTC-e.com hid the file at https://btc-e.com/js/core11.min.js from my Firebug at some point. I know this because Firebug tells me that this javascript file contains this text: "$('ul.pairs span').removeAttr('class');". I used the {} button to beautify it, thinking it might be a very long line with a few hundred spaces between that code and the rest of the code (which is a much cheaper but less effective way to achieve the desired result), and discovered that Firebug's record of the file really does, now, contain only that text. The above method is the only way I can see of doing it.

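
The self-reload trick from the last answer, modelled as an added example (not code from the answer or from any site it mentions) to show why it cannot keep the source private: the first request must return the real script for the page to work, so that response is always recoverable. The path `/js/app.js`, the `reload=1` marker and both script bodies are constructed assumptions.

```javascript
// Added illustration. All names, the path and the "reload=1" marker are
// hypothetical; both script bodies are constructed samples.
const REAL_SOURCE = "function applyDiscount(total) { return total * 0.9; }";
const DECOY_SOURCE = "/* nothing to see */";

// Server side of the trick: same path, different body when the marker is set.
// Only a query string can carry the marker, because the browser never sends
// the #fragment part of a URL to the server.
function handleRequest(rawUrl) {
  const url = new URL(rawUrl, "https://example.test");
  if (url.pathname !== "/js/app.js") return { status: 404, body: "" };
  const isReload = url.searchParams.get("reload") === "1";
  return { status: 200, body: isReload ? DECOY_SOURCE : REAL_SOURCE };
}

// Client side: the page loads the script, then the script re-requests itself
// with the marker. Every response is recorded, as a proxy or network log would.
function simulatePageLoad() {
  const log = [];
  const request = (url) => {
    const res = handleRequest(url);
    log.push({ url, status: res.status, body: res.body });
    return res;
  };
  request("/js/app.js");           // initial <script src> load: has to be real code
  request("/js/app.js?reload=1");  // the self-reload that swaps in the decoy
  return log;
}

// What an observer still holds afterwards: every distinct non-decoy body.
function recoverableSources(log) {
  const bodies = new Set(log.map((entry) => entry.body));
  bodies.delete(DECOY_SOURCE);
  return [...bodies];
}

const observed = simulatePageLoad();
console.log(observed.map((e) => `${e.url} -> ${e.body.length} bytes`));
console.log("still recoverable:", recoverableSources(observed));
```

At best the decoy changes what one debugger panel displays. Anything the script is meant to protect has to be enforced on the server.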