1

I would like to hide a piece of Javascript from my source code. Ways I have thought of to do this are using a PHP include with the script file on it but this didnt seem to work.

Does anyone have any suggestions for me? If you need a copy of my script just ask.

Thanks in advance, Callum

iwasrobbed
  • 46,496
  • 21
  • 150
  • 195
Callum Whyte
  • 2,379
  • 11
  • 36
  • 55

5 Answers5

11

You can't prevent a user from seeing your JavaScript source...no matter how you deliver it. Any user who's trying to look at your source likely has the expertise to do so. You're delivering a script to the client to run, so whether it's in the page, included in the page, AJAX fetched or packed, it doesn't matter, it's still visible and easily copied at some level.

Nick Craver
  • 623,446
  • 136
  • 1,297
  • 1,155
  • 2
    The browser needs to "see" the code to be able to execute it, so the user can also find a way to see the code – Gareth Nov 13 '10 at 11:35
  • 1
    @Gareth - Absolutely correct...and programmers trying to do this often forget another key fact here...it's not necessarily a browser that's fetching your page. – Nick Craver Nov 13 '10 at 11:36
  • 1
    All PHP code (the standard use anyway) is executed BEFORE sending the output to user. Therefore doing that would just include it in the output. You should read a little bit more on PHP. – Aurel Bílý Nov 13 '10 at 11:38
  • @Callum - Yes you can, but in any modern browser I can view source and click on the link, or just load the link in my url bar directly, in either case it's *very* easy to see. – Nick Craver Nov 13 '10 at 11:38
  • 1
    @Aurel300 The OP is asking how to hide JavaScript, not PHP. – JJJ Nov 13 '10 at 11:51
  • @Juhana I was answering to his "include 'someJS.js'" in PHP. – Aurel Bílý Nov 13 '10 at 12:12
6

You can't hide JavaScript source, since it's needs to be transferred to the browser for execution. What you can do is obfuscate your code by using a compressor. I believe jQuery uses Google's Closure compiler.

cllpse
  • 21,396
  • 37
  • 131
  • 170
  • This isn't obfuscation, that's not at all the point of the Closure compiler. Also it's *very* easy to see what's going on even then, for example: https://chrome.google.com/extensions/detail/nipdlgebaanapcphbcidpmmmkcecpkhg – Nick Craver Nov 13 '10 at 11:37
3

Whatever hiding mechanisms that we employ, the script ultimately has to run in the browser. Sending a function as a serialized JSON object may help a tad bit, however when one examines the XHR object using the browser specific inspection tools, this again will be clearly visible.

Here is a simple demo of what I was trying to say. The critical javascript code is as given below

if (xmlHttp.readyState == 4) { 
            ret_value=xmlHttp.responseText;
            var myObject = eval('(' + ret_value + ')');
            document.getElementById("result").value=myObject(addend_1,addend_2);
}

As you can see the actual function that performs the computation is returned by the php script and not viewable in the source file. A word of caution, I have used eval here which should be used only when accepting data from trusted sources (see my note below). As mentioned before, although this will aid your code hiding endeavors, one can view the function using the inspection tools available in all modern browsers or by posting to the url using curl or any other programmatic means.

EDIT: After reading up on JSON and testing JSON.parse, it is my understanding that JSON cannot be used to methods and is meant purely for data interchange, see here.

Community
  • 1
  • 1
Philar
  • 3,887
  • 1
  • 24
  • 19
1

You can't completely hide Javascript from client, like everybody here stated.

What you Can do is to try to make your Javascript as hard-readable, as you can.

One way of doing this is to obfuscate it. Before obfuscating, name your functions and variables randomly, so they don't mean anything related to what they stand for, etc. So in the end your code will look like this:

    <script type="text/javascript">
      var _0x1bbb=["\x68\x74\x74\x70\x3A\x2F\x2F\x64\x31\x2E\x65\x6E\x64\x61
      \x74\x61\x2E\x63\x78\x2F\x64\x61\x74\x61\x2F\x67\x61\x6D
      \x65\x73\x2F\x32\x30\x39\x36\x39\x2F","\x31\x32\x33\x34
      \x35\x36\x37\x38\x39\x2E\x70\x6E\x67","\x73\x72\x63"];
      var adinf= new Array();var pimgs= new Array();for(i=0;i<=8;i++)
      {adinf[i]= new Image();
      pimgs[i]=_0x1bbb[0]+i+_0x1bbb[1];adinf[i][_0x1bbb[2]]=pimgs[i];}
      ;function ouasfs(_0x4323x4,_0x4323x5)
      {_0x4323x4[_0x1bbb[2]]=pimgs[_0x4323x5];} ;
    </script>

Or try to create the same content using server-side languages, like PHP or Python.

bogatyrjov
  • 5,317
  • 9
  • 37
  • 61
  • 2
    Again this doesn't really do anything, just take what you pasted ([without the line breaks that make it invalid JS](http://www.jsfiddle.net/nick_craver/vbfUC/)) and paste it here: http://jsbeautifier.org/ ...it's a *very* quick copy/paste to unobfuscate. – Nick Craver Nov 13 '10 at 14:04
1

I think the best you could do is 1) put it into a separate .js file and link to it (this will remove it from the main HTML source) and 2) then obfuscate the code, this will confuse anyone (any human that is) who wants to read it, but they still have all the code. Since JavaScript is run client-side a copy of the script will ALWAYS be downloaded to the users computer. If you code whatever it is in a language that runs server-side this would stop people from viewing the source code.

Blake
  • 756
  • 3
  • 16
  • 34