-2

I'm working on a web application that involves loading images into a canvas object, then manipulating those images beyond recognition. I need to hide the original source image file (a jpeg) so that the user on the client side should not be able to use dev tools to see the original image.

I have tried to encode the images as a base64 and load it via a JSON data file, but even with this method, the inspector tool still shows the original image file (when it is set as the src of my javascript image object). Is there some way that I can encrypt and decrypt the image files, so that the user has no way of seeing the original image (or have it be some garbled image, for example)? Preferably I'd like to do this on the client side, as all my code is client side at the moment. Thanks in advance!

Here is my code for loading the base64 encoded image data via a JSON file:

//LOAD JSON INSTEAD?
        $.getJSON( "media/masks.json", function( data ) {
          console.log("media/masks.json LOADED");
          //loop through data
          var cnt = 0;
          for (var key in data)
            {
               if (data.hasOwnProperty(key))
               {
                  // here you have access to
                  //var id = key;
                  var imgData = data[key];

                  //create image object from data
                  var image = new Image();
                  image.src = imgData;

                  console.log('img src: '+ imgData);

                  var elementId = $scope.masks[cnt].id;

                  // copy the images to canvases
                  imagecanvas = document.createElement('CANVAS');
                  imagecanvas.width = image.width;
                  imagecanvas.height = image.height;
                  imagecanvas.getContext('2d').drawImage(image,0,0);
                  imageCanvases[elementId] = imagecanvas;
               }
               cnt++;
            }

        });

This is what I see in the Chrome dev tools Network inspector (exactly what I'm trying to avoid): Screenshot

JackKalish
  • 1,555
  • 2
  • 15
  • 24

1 Answers1

2

I need to hide the original source image file (a jpeg) so that the user on the client side should not be able to use dev tools to see the original image.

That's not possible. There is always a way to get at the image using developer tools. Even if there wasn't, a simple screen capture would defeat whatever measures you put in place.

Brad
  • 159,648
  • 54
  • 349
  • 530
  • They would not be able to take a screenshot of the image, because I am not showing the original image to the user, I am manipulating the original image, and showing a highly distorted version of the image. I imagine there must be some way to encrypt the image being loaded, and decrypt it on the client side via JS, I'm just not sure what the correct method is for that. Thanks! – JackKalish Jul 26 '15 at 23:07
  • 1
    @JackKalish There are ways to do that, and all of them enable the image to be captured by the user. No matter what you do, if you enable the data to be sent to the client the user can capture it in some way. If you encrypt it, you have to supply a method to decrypt for the content to be used in the way that you describe, which enables the client to capture it. – Brad Jul 26 '15 at 23:08
  • Can you point me to those ways? I understand that a very smart hacker can decrypt it if they put in the effort, I basically want to make it hard for them to do so, so that it's not as easy as just viewing the dev tool inspector to see the image. Does that make sense? Any ideas? – JackKalish Jul 26 '15 at 23:15
  • It makes perfect sense. It doesn't take a "very smart hacker" to drop a single line in your JS to dump whatever the original image is. Developer tools in browsers now format your JS for you. Obfuscation does little in terms of making your code hard to understand. Perhaps if you told us what your end goal was, we could suggest an alternative. The methods you suggest will be fruitless. – Brad Jul 26 '15 at 23:18
  • I disagree with you, but I'm not on here for your opinion, Brad. I would prefer a constructive suggestion, if you're incapable of that, then please stop commenting and let someone else speak. Thanks. – JackKalish Jul 26 '15 at 23:38
  • @JackKalish It's impossible to give a better suggestion without knowing what you're trying to do. You are asking for a method to implement something that will not work for your purposes. I am trying to help you, but if you would prefer to not have help then don't ask a question on Stack Overflow. My commentary here does not prevent anyone else from posting an answer. Others can post answers if they wish, but I think you will find in time that the right answer happens to be the one you disagree with. – Brad Jul 26 '15 at 23:58
  • You specifically said in your last comment "there are ways to do that" I'm looking or those ways! That was what my original question was to begin with! Why not just answer me if you know the answer? In your opinion, obfuscation is fruitless. In my opinion it's not, but I'm not here for your opinion. I'm here to find a method for obfuscation of my data. I understand it won't be bullet proof, I'm ok with that... Thanks! – JackKalish Jul 27 '15 at 00:06
  • @JackKalish: You’re aware that it’s trivial to override `drawImage`, right? As long as something is passed to `drawImage`, it’s easy to extract. If you draw the image pixel by pixel, there’s a canvas method to get the image back at the end. You’ll have to reimplement an entire canvas (and it will be terribly slow) to have any hope of making the image remotely difficult to extract. – Ry- Jul 27 '15 at 03:59