3

How do you disable view source and inspect element (Ctrl+U, Ctrl+Shift+I, F12, the menu bar and right click), and also Ctrl+S, Ctrl+P, Ctrl+V, Ctrl+A, Ctrl+C and drag-selecting the page? Please answer all parts that are possible. I prefer to do this with JavaScript arrays of keycodes or HTML, no PHP or other languages. Also, I want to block iframe use on my site like some sites such as Google. As I understand it, it is not possible to completely disable view source and inspect element, so I want minification of code and the rest of my question answered instead.

Edit:

I solved a lot of it myself. I used onkeydown return false to disable all keys, but still need the arrays. I disabled the inspect element menu bar by forcing the browser to window.open. I still need right click; however, I would like to add that I need a custom right click menu. I disabled the possibility to disable JavaScript in order to stop the key block by using noscript function redirects. I also still need the drag and select part. I would still like better ways to fix it... maybe even just minify the code or encrypt it. If anyone needs some of the code I used, just reply. I just need to fix it.

Universal Omega
  • 4
    What is your goal for this? Are you trying to prevent the user from seeing something hidden in your HTML? Keep in mind that no matter what client-side restrictions you put on the user, you're still handing their browser the entire page which they can pick apart with other methods. – Eric Dobbs Jun 01 '17 at 14:59
  • 1
    Yes, I am attempting to block something in the source; however, I found one not very reliable method. I need a better one. – Universal Omega Jun 01 '17 at 15:03
  • 8
    It's simply not possible, any user will be able to see your code no matter what you do. Whatever the browser can see, the user can see too. Anything secret needs to be kept on the server. – Lennholm Jun 01 '17 at 15:06
  • 1
    What about encryption of the code or minifying it? – Universal Omega Jun 01 '17 at 15:09
  • 4
    If you minify it, it will be harder to read for sure but everything will still be there. Encryption is pointless since you would have to decrypt it in the browser in order to make the code run. – Lennholm Jun 01 '17 at 15:12
  • Ok, I will just minify it and make it as hard to access as possible – Universal Omega Jun 01 '17 at 15:14
  • 1
    I think this begins to get into the realm of "Is the effort worth it?" This is a lot of effort being put into code that can be bypassed by anyone except the very casual observer. If you need security, then it shouldn't be handled on the client's side. And security through obfuscation really only makes things tougher on you when you have to go back and edit this code. I'd say be more specific in the problem you're trying to solve and maybe someone can suggest a better overall solution. – Shawn Jun 01 '17 at 21:36
  • @Shawn I know the effort is impossible to stop completely, I got that from the other answers. I still need the rest of my question answered though, like the custom right click menu. I also still need to know how to minify the code and disable keys with key codes with JavaScript arrays. Thanks for your time. – Universal Omega Jun 01 '17 at 22:05
  • @javamaster What exactly is the overall problem you're trying to solve? I still think this seems like a lot of complexity for a problem that may just be piling onto your future maintenance of this code. See http://xyproblem.info/. – Shawn Jun 02 '17 at 14:14
  • Looks like a duplicate of this answer: https://stackoverflow.com/questions/1037593/how-to-disable-view-source-and-ctrl-c-from-my-site – Erwan Legrand Mar 27 '18 at 10:11
  • If you use postman or curl in the console, you'll still get the source code because they are no browsers. – shaedrich Apr 08 '21 at 16:08

4 Answers

3

It is impossible to prevent the user from inspecting code running on their machine. At the end of the day, the HTML they are getting delivered will be readable in plain text. You can cause a nuisance for most people, but this will not be a valid security measure - Chrome extensions will still run, for instance, so if someone is using the NoScript extension it will disable all JavaScript.

A much better option would be to handle your logic server side, and only send the client the information they need to know/requested.

There are some free javascript obfuscators, such as https://javascriptobfuscator.com/. Please remember that it is not a secure method, though.

seenukarthi
JonLuca
  • 2
    I have prevented the noscript possibility by making site not run without javascript – Universal Omega Jun 01 '17 at 15:12
  • 3
    That does not matter though - imagine this, at the end of the day, the entirety of your webpage is transmitted in plaintext to the user. They can always just do a view-source:URL of your webpage, or inject their own, or intercept the HTTP request before it gets to them. It's impossible - client side security isn't security at all – JonLuca Jun 01 '17 at 15:13
  • 2
    What about if I were to only allow access to the page from my home.page, then redirect if not coming from that source to another page that doesn't matter? The page that will be coming from my site is auto redirected to a new window with its source minified and the address is hidden. – Universal Omega Jun 01 '17 at 15:18
  • 3
    @javamaster It's very easy for a client to request your page and claim that it's coming from your home page even though it's not. That's just a header which can be easily spoofed. Also, most modern browsers make it impossible to hide the address bar. – Lennholm Jun 01 '17 at 15:21
  • 2
    Ok, so it's not possible to disable inspect element and view source completely, what about the rest of my question? – Universal Omega Jun 01 '17 at 15:23
  • 3
    @javamaster Here you can learn about blocking iframes on your page: https://stackoverflow.com/questions/19843085/how-to-block-website-from-loading-in-iframe – Lennholm Jun 01 '17 at 15:25
  • 2
    What about the custom right click and key code disable with arrays? – Universal Omega Jun 01 '17 at 15:33
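Added example, not part of any answer or comment on this page: the server-side approach recommended above, combined with the iframe blocking the question asks about. It is a dependency-free handler in the shape Node's `http.createServer` expects; the record, its field names and the port in the closing comment are constructed for illustration.

```javascript
// Constructed sample record. `internalNotes` stands in for the data the asker wants hidden.
const RECORD = { id: 7, title: 'Quarterly <report>', internalNotes: 'never leaves the server' };

// Allow-list of fields that may be serialised into a response.
const PUBLIC_FIELDS = ['id', 'title'];

function publicView(record) {
  const view = {};
  for (const field of PUBLIC_FIELDS) view[field] = record[field];
  return view;
}

// Response headers that stop other pages from embedding this one in a frame.
function antiFramingHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY', // fallback for browsers that predate frame-ancestors
  };
}

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => `&#${ch.charCodeAt(0)};`);
}

// Request handler with the (req, res) shape used by Node's http.createServer.
// The Referer header is deliberately ignored: the client controls its value.
function handle(req, res) {
  const view = publicView(RECORD);
  const body = `<!doctype html><title>${escapeHtml(view.title)}</title>` +
               `<h1>${escapeHtml(view.title)}</h1><p>Item ${view.id}</p>`;
  res.writeHead(200, {
    ...antiFramingHeaders(),
    'Content-Type': 'text/html; charset=utf-8',
  });
  res.end(body);
}

// To serve it: require('http').createServer(handle).listen(8080);
```

Whatever the client does with the delivered page, `internalNotes` is not in it, because it was never serialised.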
1

I mean no matter how much you block it a person can just type

view-source:https://example.com
ACO_Tech
  • 1
  • For example, I made a website that disabled right-click, ctrl commands, and added a meta tag to the – ACO_Tech Feb 16 '21 at 17:53
1
document.onkeydown = function(e)
    {
        // F12 (keyCode 123): developer tools
        if(e.keyCode == 123)
        {
            return false;
        }
        // Ctrl+Shift+I: inspector
        if(e.ctrlKey && e.shiftKey && e.keyCode == 'I'.charCodeAt(0))
        {
            return false;
        }
        // Ctrl+Shift+J: console
        if(e.ctrlKey && e.shiftKey && e.keyCode == 'J'.charCodeAt(0))
        {
            return false;
        }
        // Ctrl+U: view source
        if(e.ctrlKey && e.keyCode == 'U'.charCodeAt(0))
        {
            return false;
        }
        // Ctrl+Shift+C: element picker
        if(e.ctrlKey && e.shiftKey && e.keyCode == 'C'.charCodeAt(0))
        {
            return false;
        }
    };

e is a keyboard event. e.[key] returns true if the key is pressed.

If document.onkeydown returns false, the key doesn't count.

This program checks whether a code-view combination is pressed and returns false.

Example: if Ctrl, Shift and 'J' are pressed, return false.

AKK
  • Please explain what the code does and how it does it. – M-Chen-3 Apr 08 '21 at 18:04
  • e is a keyboard event. e.[key] returns true if the key is pressed. If document.onkeydown returns false, the key doesn't count. This program checks whether a code-view combination is pressed and returns false. Example: if Ctrl, Shift and 'J' are pressed, return false. – AKK Apr 18 '21 at 14:46
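Added example, not code from any answer on this page: the array-driven form of the handler above, which is what the question asks for. It matches on `event.key` rather than the deprecated `keyCode`; the combination list and the function names are constructed for illustration. As the answers state, it only affects `keydown` events delivered to the page, so it is a nuisance control and not a security boundary.

```javascript
// One entry per blocked combination; modifiers left out of an entry must be up.
const BLOCKED = [
  { key: 'f12' },                         // developer tools
  { ctrl: true, shift: true, key: 'i' },  // inspector
  { ctrl: true, shift: true, key: 'j' },  // console
  { ctrl: true, shift: true, key: 'c' },  // element picker
  { ctrl: true, key: 'u' },               // view source
  { ctrl: true, key: 's' },               // save page
  { ctrl: true, key: 'p' },               // print
];

// Pure predicate: does this keyboard event match an entry in the list?
function isBlocked(e) {
  const key = String(e.key).toLowerCase();
  return BLOCKED.some((combo) =>
    combo.key === key &&
    !!combo.ctrl === !!e.ctrlKey &&
    !!combo.shift === !!e.shiftKey);
}

// Attach the check to a document-like object.
function install(doc) {
  doc.addEventListener('keydown', (e) => {
    if (isBlocked(e)) e.preventDefault();
  });
}

// Only runs in a browser; skipped when the file is loaded elsewhere.
if (typeof document !== 'undefined') install(document);
```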
1

Bump

To the people saying it isn't possible, how would you reckon this website managed to do so?

The following website disabled view source, right click and the dev console.

I am genuinely interested.

https://www.techgyd.com/contact-facebook-directly/6579/

Edit: all input from keyboard is disabled, but adding "view-source:" before the https:// to the url to become:

view-source:https://www.techgyd.com/contact-facebook-directly/6579/

makes me able to see.

If you would like to know how they did that then take a look at their JS, raw copy/paste:

<script type="text/javascript">
        //<![CDATA[
        var show_msg = '';
        if (show_msg !== '0') {
            var options = {view_src: "View Source is disabled!", inspect_elem: "Inspect Element is disabled!", right_click: "Right click is disabled!", copy_cut_paste_content: "Cut/Copy/Paste is disabled!", image_drop: "Image Drag-n-Drop is disabled!" }
        } else {
            var options = '';
        }

        function nocontextmenu(e) { return false; }
        document.oncontextmenu = nocontextmenu;
        document.ondragstart = function() { return false;}

        document.onmousedown = function (event) {
            event = (event || window.event);
            if (event.keyCode === 123) {
                if (show_msg !== '0') {show_toast('inspect_elem');}
                return false;
            }
        }
        document.onkeydown = function (event) {
            event = (event || window.event);
            //alert(event.keyCode);   return false;
            if (event.keyCode === 123 ||
                    event.ctrlKey && event.shiftKey && event.keyCode === 73 ||
                    event.ctrlKey && event.shiftKey && event.keyCode === 75) {
                if (show_msg !== '0') {show_toast('inspect_elem');}
                return false;
            }
            if (event.ctrlKey && event.keyCode === 85) {
                if (show_msg !== '0') {show_toast('view_src');}
                return false;
            }
        }
        function addMultiEventListener(element, eventNames, listener) {
            var events = eventNames.split(' ');
            for (var i = 0, iLen = events.length; i < iLen; i++) {
                element.addEventListener(events[i], function (e) {
                    e.preventDefault();
                    if (show_msg !== '0') {
                        show_toast(listener);
                    }
                });
            }
        }
        addMultiEventListener(document, 'contextmenu', 'right_click');
        addMultiEventListener(document, 'cut copy paste print', 'copy_cut_paste_content');
        addMultiEventListener(document, 'drag drop', 'image_drop');
        function show_toast(text) {
            var x = document.getElementById("amm_drcfw_toast_msg");
            x.innerHTML = eval('options.' + text);
            x.className = "show";
            setTimeout(function () {
                x.className = x.className.replace("show", "")
            }, 3000);
        }
    //]]>
    </script>

Or just look from line 86. I hope it helps.

AndradeL
  • I found this script on a website in "the wild". If there are any iframes on the website you can still right-click on the Iframe, open the inspector and navigate to outside of the iframe from there. – jrswgtr Apr 25 '23 at 14:29