I know that there isn't a way to completely prevent code theft, but I saw this online, so it just kept me wondering.
If you go to https://docs.mobiscroll.com/javascript/getting-started and inspect element, you will see this: <script src="/Scripts/beta?v=0bMbCiV-nSZ2y-6wt_A0QihIYiHSq9XowrOLivvMPws1"></script>
But if you add /Scripts/beta?v=0bMbCiV-nSZ2y-6wt_A0QihIYiHSq9XowrOLivvMPws1 to the link, you will just see a normal page, which brings me to this question: 'How to prevent theft of JavaScript code?'
Should I just cache all my scripts and use them from the browser, or how did the Mobiscroll guys do it?

Preben Huybrechts
  • 5
    You can’t and there’s no point in trying. No one wants to steal your code. – bryan60 Jul 16 '20 at 18:37
  • 2
    The best you can do is bundle/minify/uglify it, making it virtually impossible for a human to reuse or reverse engineer. – Bill Doughty Jul 16 '20 at 18:44
  • 1
    https://docs.mobiscroll.com/Scripts/beta?v=0bMbCiV-nSZ2y-6wt_A0QihIYiHSq9XowrOLivvMPws1 Displays the JS file in the browser (jQuery v2.2.4). – Adrian J. Moreno Jul 16 '20 at 18:44
  • A common way that some malware (domains) use to hide itself (to evade Google Safe Browsing reports) is to have URLs that time out or use one-time-use tokens, or block based on user-agent and referrers (sometimes the referrer used in combination with the tokens and time-outs). Not particularly helpful here. – user120242 Jul 16 '20 at 18:48
  • @AdrianJ.Moreno, sorry, I didn't know. –  Jul 16 '20 at 18:50
  • @user120242, by 'it's not really helpful' do you mean that if you use that it will still be unsafe? –  Jul 16 '20 at 18:51
  • I mean that it's not really a good way to legitimately "protect" your code other than as toy code. It's useful for malware just to reduce the window that malware researchers and collectors have to take them down. Sort of a plausible deniability for compromised domains. So I guess I'm saying yes? – user120242 Jul 16 '20 at 18:52
  • @user13782016 When JS and CSS files are referenced in HTML, those files have to be downloaded to your browser's cache on your computer. The one-time token will time out the actual URL that is used to access the file on their server, but the file that was downloaded with the page is on your computer. You can just look through your browser's cache folder to find it and files from other sites you've visited. Just reiterating that client-side JavaScript code can always be copied. – Adrian J. Moreno Jul 16 '20 at 19:49
  • Right, although cache is probably not a good example; you can use meta or headers to prevent browsers from caching. It's still trivial to use network/source tabs in dev console or a local proxy to save the files. You could go down the rabbit hole of preventing saving of scripts using websockets/XHR or something similar and obfuscated chunks of code (probably using some form of eval), but that's really only of "practical" use for malware and is at its core not much more than simple obfuscation. Further rabbit hole techniques of polymorphism and encryption. Mostly of academic use. – user120242 Jul 17 '20 at 12:30

0 Answers