4

I am wondering are there any standard mechanisms available to protect the asp.net asp code in the client browser ? I found some references to Windows script encoders. Question is, are these script encoders encodes both aspx and code behind source ? If aspx is encoded with the Windows script encoders then how client browsers can decode it? Are they aware of the encoding algorithms ?

Or can we control the client browsers ( IE, Firefox, Chrome etc) to disable the view source option in the Tasks Menu when web site a loaded in them?

Any pointers will be appreciated.

Mogsdad
  • 44,709
  • 21
  • 151
  • 275
Kishore
  • 41
  • 1
  • 2

6 Answers6

4

The HTML code generated on a webpage is by definition public. It has to be accessible to the browser for it to be able to render the page properly. You will not find a reliable solution to hide the view source option in browsers.

To explain the basics a little bit :

When you create a page, you write markup in your .aspx file and some c# source code in the .aspx.cs file. The c# code is the server side code, which means that it is executed on the server (as opposed to, say, javascript which is executed directly in the client's browser -- client side).

When a page request is executed, the ASP.NET engine executes the server side code, and also executes the asp tags that you wrote in the .aspx page (for example : <asp:Button runat='server'... /> . It then spits out HTML code (this is a very simplified version of what actually happens).

The client's browser only ever gets the HTML (and it will not see the C# code nor any of asp markup code which is used to generate your page).

As I said before, the HTML generated is, and will always be public. There is nothing you can do to reliably hide it.

Hugo Migneron
  • 4,867
  • 1
  • 32
  • 52
  • Thanks. Are there any ways we can control programetically to disable the view source option in the browser. I understand that browser needs the html code to display the page, but there should be way to disable or enable the view source option... – Kishore Jan 05 '11 at 18:40
  • @Hugo Migneron: So server side code is the c# code, and when you say 'executes the asp tags...in the .aspx page', is that what people mean by "Server Side SCRIPT"? – VoodooChild Jan 05 '11 at 19:27
  • @Hugo Migneron: another question, any recommended links regarding not so simplified answer to what the ASP.NET engine works? – VoodooChild Jan 05 '11 at 19:29
  • @Kishore : Not that I am aware of. I would be very surprised if you found a good solution to be honest. Trying to change the behavior of the browser is pretty bad practice and will annoy people. Browsers behave differently as well, so a solution that would work on one browser wouldn't work on the others. – Hugo Migneron Jan 05 '11 at 19:41
  • @VoodooChild : This article : http://www.4guysfromrolla.com/articles/092904-1.aspx gives a very good detailed explanation of what happens on a postback. The part called "Understanding the Page Lifecycle" is what will be the most interesting to you. – Hugo Migneron Jan 05 '11 at 19:46
  • @VoodooChild : As for your first question, server side scripting is the same as server side code really. It just means logic that is executed on the server rather than on the client's browser. I talked about the asp tags and the c# code just to be clear about what was being done server side. The article that I provided in the other comment will explain what happens with the asp tags in the markup. So basically, code is either executed client-side or server-side (call it scripting or not, doesn't matter). HTML / JS == Client side. ASP.NET / c# == Server side. – Hugo Migneron Jan 05 '11 at 19:49
  • @Hugo Migneron: thanks. I will look further in to the link provided. – VoodooChild Jan 05 '11 at 20:44
3

Server-side code (ie. code in code-behind pages, controllers, helpers, <% code nuggets %>, etc) will of course never be visible to a web client.

Your aspx or view pages (ie. .aspx, .cshtml, .vbhtml) files will also not be visible to web clients unless you have a signficiant security vulnerability, but the HTML generated by said files will be, along with any outputted or referenced JavaScript.

If the client couldn't read the HTML or JavaScript, how would the web browser be able to parse it?

Here's a question about obfuscating JavaScript, which will at least hinder but not completely remove a user's ability to view your source: How can I obfuscate (protect) JavaScript?

Similarly, one could theoretically obfuscate outputted HTML as well, but it could also be likely be reversed with some work.

Community
  • 1
  • 1
adamjford
  • 7,478
  • 6
  • 29
  • 41
  • If outputted HTML is obfuscated then how the browser can read it ? Is browser aware of how to decode it before it parse – Kishore Jan 05 '11 at 18:42
  • @Kishore: Sorry, I should have been more specific. The HTML would have to be obfuscated in a way that would make it difficult for a human to read and understand it, but not in a way that would make any difference in the way it would be parsed by the browser. – adamjford Jan 05 '11 at 18:46
1

It is impossible for the user to see your server-side (C#) source.
It is impossible to stop the user from seeing your client-side (HTML & Javascript) source.

SLaks
  • 868,454
  • 176
  • 1,908
  • 1,964
1

In terms of javascript - the only thing you can do is obfuscate it to an extent that makes it worthless for someone to try to understand.

Ta01
  • 31,040
  • 13
  • 70
  • 99
0

None of the code behind code is sent down to the client, only the rendered HTML.

there is no way to completely remove the ability for a client to view the source of your HTML. The only thing you can do is to obfuscate your HTML to make it harder for them to tell what they're looking at.

There are many libraries out there for obfuscating HTML in .net if you do a google search.

AaronS
  • 7,649
  • 5
  • 30
  • 56
0

I'm confused really, but...

  1. If you are on about the ASP.NET markup, you need not worry as any request to an ASP.NET page will cause the page to be compiled (if it hasn't already been, or isn't cached) which renders the page content as HTML.

  2. If you are worried about people navigating to your code behind (e.g. mysite.com/SomePage.aspx.cs), you need not worry, as ASP.NET will not serve that content [unless the standard configuration has been changed].

  3. If you are worried about people accessing your code through FTP, then I would suggest you change your compilation method and not deploy the source.

Am I missing anything?

Matthew Abbott
  • 60,571
  • 9
  • 104
  • 129
  • I am worried about users can see the rendered HTML code of aspx page. My question is can we disable the View Source option in browser with programmable code as soon as the page loaded into the browser. – Kishore Jan 05 '11 at 22:41
  • You can't stop people viewing the source of your website. And in reality, does it really matter? It's just content for the browser to interpret, its read-only, and its all built on standards, so its not like you need to protect any intellectual property. In regards to point 3, instead of deploying the project with source code, you can pre-compile your website project. If you are using a web application project you should use the Publish option... – Matthew Abbott Jan 05 '11 at 22:53