
I have got a main JavaScript file (say main.js) which takes values from different functions called from other JavaScript files. What I want is that main.js should function properly as soon as it is called by the index page or any other page or script, but if users try to look at what is inside it, they should not be able to access what is written in it (or else it should return a forbidden error). Also, after searching for a long time I got to know that .htaccess can be used to do this, so I already tried these two methods:

Method 1:

# Method 1 (.htaccess): mod_access rules, deny every request to the directory.
Order Allow,Deny
Deny from all

This just stops the main JavaScript file from being loaded at all when it is called from anywhere, and it stops functioning entirely, although it does block users from viewing it directly.

Method 2:

# Method 2 (.htaccess): mod_rewrite, forbid .js requests whose Referer is not this site.
RewriteEngine on
# Both conditions must hold (no Referer match) for the rule to fire; [NC] = case-insensitive.
# The dot in the host name is escaped so it matches a literal "."; the second condition
# is a superset of the first and could be dropped.
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com.*$ [NC]
# "-" leaves the URL unchanged; [F] answers 403 Forbidden.
RewriteRule \.(js)$ - [F]

This actually works, but users can still access it the first time they try. Every other attempt after the first one blocks access to that file and shows a forbidden error until the main site is either opened again or refreshed. So anyone can get to see my main.js by continuously refreshing the main site page and then accessing the code from it.

I need to know how this can be achieved properly: the script should work fine when it is being called by any other page or script, but no user should actually be able to see what is inside it. Also, I don't know much about .htaccess, so a well-explained version would be highly appreciated.

Dvsh
  • You can view the source of any JS file a page uses in both the Network and Sources tabs of devtools, and that's without loading it a 2nd time... in short, you're asking the impossible. – dandavis Apr 10 '16 at 19:34
  • Agreed with Dan. I used to use this method to serve a phony JS file if referrer is not present, worked well in the IE6 days! Until Devtools came around! – Aaron Gillion Apr 10 '16 at 19:51
  • My new method is to load & eval the JS code via AJAX request, so the user cannot view the code in devtools without having to load the link directly, which referrer will not be present. With a good enough fake, the perp will be fooled. – Aaron Gillion Apr 10 '16 at 19:53
  • So that means that there is no possible way by which we can combine these two methods displayed above and then create a better one? – Dvsh Apr 10 '16 at 20:02
  • How can I do the same via AJAX? Sorry, I am just a newbie with these terms so it will take time! – Dvsh Apr 10 '16 at 20:04
  • Let me explain: If you have a normal ` – Aaron Gillion Apr 10 '16 at 20:11
  • @AaronGillion: I am using this statement to assign the source and call the file: var wts=document.createElement('script');wts.type='text/javascript'; wts.async=true; wts.src=('https:'==document.location.protocol?'https://':'http://')+ document.location.hostname + '/myscript.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(wts, s); So will this method of calling the file still work if I use an AJAX call? If yes then please let me know, or if not, is there any better way to call myscript.js without risking its path getting leaked? – Dvsh Apr 10 '16 at 20:22
  • That code will definitely expose your JS code. Obfuscation is your best defense, but it is not _nearly_ enough for total protection. The `RewriteRule` is only going to protect your code in Internet Explorer, not Firefox, or Chrome. – Aaron Gillion Apr 10 '16 at 20:25
  • @AaronGillion: Got your idea. Thanks for the help, just 1 more thing: how much time will it take for a newbie like me to learn all these AJAX requests so that it would appear to be calling a phony.png file which in actuality will load the desired JS file? Is there any shortcut way to achieve this? Because this appears to be much safer than all of the rest of the methods above! – Dvsh Apr 10 '16 at 20:32
  • Not long, I'll give it about a week until you begin applying the concepts, given you know JS already. You have to Google & fully understand a few terms: "ajax asynchronous vs synchronous", "JS event handlers", and "onreadystatechange". I linked to the w3schools page a few comments above, which is a good "sum up" of everything. – Aaron Gillion Apr 10 '16 at 20:46
  • @AaronGillion: Thanks for the help. – Dvsh Apr 10 '16 at 20:48

1 Answer


There's really no foolproof way to prevent this. Essentially, the server is sending the .js file in response to an HTTP request. You can put security on the file at the server side, but that will just prevent a user without proper authorization from being able to download it. Once a user has been authorized, the server will allow it to be downloaded to the client. There's no way for the server to prevent the client application (browser, or something else) from allowing the user to view the file once it has been received by the client.

As an alternative you may want to consider using an obfuscator on your .js file. This makes it very difficult for people to be able to decipher the code even if they do look at it.

RJM
  • Thanks for the quick response, but I believe this can be achieved by formatting the .htaccess file properly. Also, I would like to know more about obfuscators, like what they do and how to get the desired result? – Dvsh Apr 10 '16 at 19:50
  • .htaccess won't do what you're looking for. As far as obfuscators go, there are several out there. Just google 'javascript obfuscator' and you'll be able to do some research on them. – RJM Apr 10 '16 at 19:53
  • Also, by using an obfuscator, will the code still be accessible by any other script? And will the main script which is obfuscated still be able to retrieve values of variables declared in any other script previously called? – Dvsh Apr 10 '16 at 19:59
  • Yes, the obfuscator will rename variables and function names to meaningless strings. It can also scramble the logic of your code to something equivalent, but convoluted so that no one can understand what the code does simply by reading it. Other than that, it is still a perfectly valid .js file completely logically equivalent to your original file. – RJM Apr 10 '16 at 20:03
  • See, I am using this method in my JS file to load another JS without getting its directory leaked out, up to a certain extent: var wts=document.createElement('script');wts.type='text/javascript'; wts.async=true; wts.src=('https:'==document.location.protocol?'https://':'http://')+ document.location.hostname + '/myscript.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(wts, s); So will this obfuscator work with this calling? – Dvsh Apr 10 '16 at 20:08
  • My main motive is just to hide the contents of the myscript.js file from being viewed so that no one can copy it, but at the same time it should do its job when it is being called. Any better way to achieve this rather than this? – Dvsh Apr 10 '16 at 20:12
  • I would personally go with an obfuscator, but you could go with an alternative workaround like the eval approaches mentioned in the comments to your question. – RJM Apr 10 '16 at 20:20
  • Thanks for the help. Will try to use an obfuscator and will see if it works! – Dvsh Apr 10 '16 at 20:26
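To make the answer's point concrete, here is an added example (not code from the question, the answer or any commenter) that re-implements the Referer test from the asker's "Method 2" .htaccess as a plain function and runs the cases that matter: a direct visit, a same-site page, an https page, and a host name that merely starts with the same text. The referer strings and the `strictPattern` variant are constructed for this illustration.

```javascript
// Apache's pattern exactly as posted: ^http://(www\.)?mydomain.com with [NC].
// The "." before "com" is unescaped and nothing anchors the end of the host,
// so the referer only has to *start* with that text.
const postedPattern = /^http:\/\/(www\.)?mydomain.com/i;

// Constructed tighter variant: escape the dot, require the host to end right
// after ".com" (a "/" or end of string) and accept https as well.
const strictPattern = /^https?:\/\/(www\.)?mydomain\.com(\/|$)/i;

// Mirrors: RewriteCond %{HTTP_REFERER} !<pattern> ... RewriteRule \.(js)$ - [F]
// Returns the status Apache would answer: 403 when the request is for a .js
// file and the Referer does not match the pattern, otherwise 200.
function decide(path, referer, pattern = postedPattern) {
  if (!path.endsWith('.js')) return 200;          // rule only targets .js
  if (pattern.test(referer || '')) return 200;    // absent header == ''
  return 403;
}

// Each case the asker and commenters talk about, as a named result.
function report() {
  const page = 'http://www.mydomain.com/index.html';
  const lookalike = 'http://mydomain.com.other.example/';
  return {
    direct: decide('/main.js', ''),                  // typed into the address bar
    fromSite: decide('/main.js', page),              // loaded by the site's page
    fromOther: decide('/main.js', 'http://other.example/'),
    httpsPosted: decide('/main.js', 'https://mydomain.com/'),  // asker's loader
                                                     // uses https on https pages
    lookalikePosted: decide('/main.js', lookalike),  // posted pattern too loose
    lookalikeStrict: decide('/main.js', lookalike, strictPattern),
    httpsStrict: decide('/main.js', 'https://mydomain.com/', strictPattern),
    notJs: decide('/image.png', ''),                 // rule does not apply
  };
}
```

The Referer header is whatever the client chooses to send, so even the strict pattern only decides which requests Apache answers; once the file is served, devtools shows it regardless.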