-5

First, this could look like duplicate for

How to prevent your JavaScript code from being stolen, copied, and viewed ?

And other, but it's not.

I search for ideas that can do, that stealing of JS can be very hard

Some of my examples:

  • of course obfuscate code
  • use a document.location an check if some letter in domain equals to letter on that position where script normally works
  • use part of this location in function call, something like eval('first_part_of_function_name'+part_from_location+'third_pard(parameters)');
  • store some important constant need in application in some element in your page-design, and get it from there in JS like $('#header div.onright a rel')
  • get some portion of script by AJAX and eval() it
  • add to script some unnecessary function, instructions.
  • check for existance of some elements in page (copyright text on footer)
  • generate some time-variable hash in PHP and put in JS, where will be function that checks this hash and current time to work or not
  • maybe use of other JS files ? or events binded to elements hidden in very common scripts (like bind some action in jquery-min.X.X.X.js file where all jquery is.

Are they good ideas ? Have some more ? I think that most important can be variety of things wich you can do with document location, is that the only element that will be driffrent than working in normal coditions on our site ?

Community
  • 1
  • 1
Piotr Müller
  • 5,323
  • 5
  • 55
  • 82
  • 1
    possible duplicate of [How to prevent your JavaScript code from being stolen, copied, and viewed ?](http://stackoverflow.com/questions/1660060/how-to-prevent-your-javascript-code-from-being-stolen-copied-and-viewed) – phihag Jul 23 '11 at 13:08
  • You didn't read even one sentence... – Piotr Müller Jul 23 '11 at 13:09
  • 5
    I read most of the question, but neither I see a reasoning by you why it's not a duplicate nor did I find done myself. Care to give one? –  Jul 23 '11 at 13:10
  • That question is only about obfuscation. As you can see, there are some other ways wich I proposed, and maybe someone knows some more that weren't equals to obfuscation. – Piotr Müller Jul 23 '11 at 13:12
  • 2
    Most of the things you list are just (trivial) forms of obfuscation (often with performance implications). – Quentin Jul 23 '11 at 13:15
  • @killer_PL I can assure you I read your entire question. All your suggestions are specific ways to obfuscate the code. – phihag Jul 23 '11 at 13:16
  • It's sad that quality conent like "use part of this location in function call..." will be deleted (it's propably the only way to prevent running script on other domain and i didn't found it anywhere in internet) i is just my idea, ane maybe someone have another – Piotr Müller Jul 23 '11 at 13:19
  • 2
    Quality conent[sic]? Really? That is more likely to expose an XSS vulnerability then prevent someone from reusing your code! – Quentin Jul 23 '11 at 13:27
  • XSS is a result of publication of code that someone inject, so that has nothing to JS that is some tool for user and none of his actions are published. If someone want to inject JS to himself, he can do it on every page with firebug or sth, so this have none similar with XSS – Piotr Müller Jul 23 '11 at 13:31

2 Answers2

6

No matter how complex you make your code, it can always be read, if necessary with abstract interpretation, i.e. automatically capturing the essence of your code. Code without knowledge of internals, variable names (I assume you're already using minimization, for example with the YUI compressor), documentation, support, and generalization is worthless for anyone else.

If a competitor (or potential customers) of yours is stealing your code, consider simply suing them. If it's some random guy on the internet, why do you care?

phihag
  • 278,196
  • 72
  • 453
  • 469
  • But, this is about doing something, that decoding of script will require tens of hours, so that will be harder that write script from scratch. It's about someone can take my application and use it on localhost, so i can't even know it has been stolen – Piotr Müller Jul 23 '11 at 13:15
  • 6
    @killer_PL There are ways to make decoding take 10 hours, but these would apply to anyone else using the site too. I hate to break it to you, but it's [extremely unlikely that your code is the holy grail of programming](http://en.wikipedia.org/wiki/Illusory_superiority) and worth stealing in the first place. And if some random kid uses it for his geocities homepage, why do you care? – phihag Jul 23 '11 at 13:21
  • Becausa it has to be a service (online editor) where 99% of it is JS and it will be paid monthly. – Piotr Müller Jul 23 '11 at 14:16
  • 1
    @killer_PL Then the value of your product is in a nice user interface, good collaboration and organized data storage. If somebody just wants an editor, it's easier to download and setup TinyMCE than copying your editor. – phihag Jul 23 '11 at 14:49
  • it's not about text editor and that is special in this script (such a tool doesn't exist so far as I know). – Piotr Müller Jul 23 '11 at 20:01
0

One more tool http://closure-compiler.appspot.com/home

Valentin Kantor
  • 1,799
  • 1
  • 23
  • 27