11

I'm writing an HTML5 based game that runs as a stand-alone application. It is distributed via the web, but there are no other server requirements—no database, etc.—everything is "in-app". This is by design since additional servers would raise the cost of distribution.

So given that it's just a static html file with a lot of JavaScript, what's to keep someone from hosting the file on their own site? Are there any techniques that can be used to help mitigate this?

My concern is not the odd user, it's the identity theft committed by the other site. Non-additional server solutions would be preferred, but any ideas would be appreciated.

Yi Jiang

5 Answers

11

There's not a whole lot you can do if everything is run client side. You can try obfuscating the JavaScript but that's not a very effective solution. What you need to do is tie it to the backend in appealing ways, such as

  • Highscores
  • Multiplayer
  • Achievements
  • Integration with your other games

Give them a reason to come back to you by providing a superior experience.

Finally, actively seek out and protect your intellectual property. When you find a site that is ripping you off, do everything in your power to shut it down.

Yi Jiang
JaredMcAteer
  • 1
    +1 Yeah this is open source, and if someone is determined not to pay for it, they will be able to. Adding additional benefits makes it not appealing to pirate it, especially if this is an inexpensive game. Even if you compress your javascript, anyone even with basic knowledge can crack your software very soon. – Michael Papile Apr 08 '11 at 17:26
5

First of all, as you are distributing the source code of your application, anyone who has a bit of technical knowledge should be able to understand how it works.

But you can make things harder -- typically, using obfuscation (so meaningful variable names, such as 'hero_score', are replaced by non-meaningful ones, such as 'a45').

For Javascript code, take a look at the YUI Compressor

Pascal MARTIN
  • 1
    The JavaScript has already been "compiled" down using Closure-Compiler, but they wouldn't even need to see or modify the js file, it would run untouched on their own server. – MarcusBooster Apr 08 '11 at 17:39
3

Make sure you have a clear copyright in your code. You can't win this fight on technical grounds alone.

Obfuscating and compressing your code is the best technical solution, as Pascal says.

Consider linking to the server for login or something. Something like Google AppEngine makes it really easy and cheap to run a scalable server.

Leopd
1

I suggest adding a JavaScript function to test where it is being played, and then protect your code; on the web you can find a lot of info on obfuscating/encrypting JavaScript.

EDIT: What I would do in this case, and knowing that stealing/re-editing javascript even obfuscated, can be done:

I would have a server-side page to hold the file, and some core variables would be written via the server-side.

The tough part is to program this in a way that can't be done exclusively in JavaScript (without the server-side).

Then, maybe some items could be constructed/placed via the server-side also, this way it would be difficult for the pirate to remake everything.

Also, the script for the domain check could be done via the server-side.

jackJoe
  • 4
    Since this test would be run client side, what's to prevent someone stealing the code from changing it to return true every time the check is run? Or removing it altogether. – JaredMcAteer Apr 08 '11 at 17:22
  • 1
    That's why I then suggested encrypting/obfuscating, so that it can't be changed. Sad that someone found my answer negative. – jackJoe Apr 08 '11 at 17:26
  • Obfuscation only prevents casual pirates, someone determined can follow source even without semantic clues and spotting a domain check or an ajax call would be a no brainer to remove. – JaredMcAteer Apr 08 '11 at 17:28
  • @OriginalSyn - The test could be done server side before serving up the game. Not that this would solve the OP's problem. –  Apr 08 '11 at 17:30
  • @OriginalSyn yeah, that's why I would suggest a server-side + javascript approach. – jackJoe Apr 08 '11 at 17:39
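The domain check discussed in this answer and its comments, sketched as an added example (not code from any poster). The host names and function names are assumptions; as the comments point out, a check shipped to the client can be edited or removed, so it only raises the effort of a straight copy.

```javascript
// Hypothetical allow-list: the hosts the game is officially published on.
const ALLOWED_HOSTS = ["example.com", "games.example.net"];

// Lower-case and drop a trailing dot so "WWW.Example.COM." compares equal.
function normalizeHost(host) {
  return String(host).trim().toLowerCase().replace(/\.$/, "");
}

// Weak form, shown for contrast: a substring test also accepts look-alike
// hosts that merely contain the allowed name.
function naiveHostCheck(host) {
  return normalizeHost(host).indexOf("example.com") !== -1;
}

// Stricter form: exact match, or a true subdomain (label boundary enforced).
function isAllowedHost(host, allowed = ALLOWED_HOSTS) {
  const h = normalizeHost(host);
  if (h === "") return false; // e.g. a page opened from file:// has no host
  return allowed.some((entry) => {
    const a = normalizeHost(entry);
    return h === a || h.endsWith("." + a);
  });
}

// In a browser the caller would pass window.location.hostname:
//   if (!isAllowedHost(window.location.hostname)) { /* refuse to start */ }
```
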
0

I have found that this JavaScript Obfuscator is the best protection you will get. It makes your code completely unreadable, it supposedly shrinks it, and I have done a JSPERF and it seems to run faster as well.

www.javascriptobfuscator.com

About - Free Javascript Obfuscator is a professional tool for obfuscation of javascript. It converts JavaScript source code into scrambled and completely unreadable form, preventing it from analysing and theft.

The output code looks like this.

var _0xe305=["\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21","\x0A","\x4F\x4B"
];var a=_0xe305[0];function MsgBox(_0xc87ax3){alert(_0xc87ax3+_0xe305[1]+a);}
;MsgBox(_0xe305[2]);

Just make sure you keep a copy of the original :)

iConnor
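How much the output format quoted in this answer actually hides can be measured before relying on it. This is an added example, not part of the answer or of the obfuscator; `decodeHexEscapes` and `recoverStrings` are hypothetical helper names, and the input is the answer's own sample held as text and never executed.

```javascript
// Constructed input: the obfuscator output quoted in the answer, kept as raw text.
const SAMPLE = String.raw`var _0xe305=["\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21","\x0A","\x4F\x4B"
];var a=_0xe305[0];function MsgBox(_0xc87ax3){alert(_0xc87ax3+_0xe305[1]+a);}
;MsgBox(_0xe305[2]);`;

// Turn \xNN escapes back into the characters they encode.
function decodeHexEscapes(text) {
  return text.replace(/\\x([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Hypothetical helper: find the leading string table, decode it, and inline
// every table[index] lookup as a plain string literal. Nothing is executed.
function recoverStrings(source) {
  const decl = /var\s+(_0x[0-9a-f]+)\s*=\s*\[([\s\S]*?)\]\s*;/.exec(source);
  if (decl === null) return null; // not this obfuscation pattern
  const [whole, name, body] = decl;
  const table = [];
  const literal = /"((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = literal.exec(body)) !== null) table.push(decodeHexEscapes(m[1]));
  const lookup = new RegExp(name + "\\[(\\d+)\\]", "g");
  const code = source.replace(whole, "").replace(lookup, (ref, i) =>
    Number(i) < table.length ? JSON.stringify(table[Number(i)]) : ref);
  return { name, table, code: code.trim() };
}

const recovered = recoverStrings(SAMPLE);
console.log(recovered.table);
console.log(recovered.code);
```

Two regular expressions are enough to restore every string literal, which is the practical meaning of the comment above that obfuscation only stops casual copying.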