0

I have this script that starts with <script> and finishes with </script>

People can actually see it if they go to the source code of the page.

Is there a way to avoid that? I mean to make that code invisible as if it where PHP?

svick
  • 236,525
  • 50
  • 385
  • 514
Rosamunda
  • 14,620
  • 10
  • 40
  • 70
  • 7
    No. JavaScript is executed by the browser (whereas PHP is executed by the server) and will always be visible to someone who wants to see it. The best you can do is obfuscate your JS. – James Allardice Oct 22 '11 at 21:58
  • You could obfuscate like Google does, which just makes it harder to "read". Why do want to do this anyway? Do you have highly valuable code? – Jared Farrish Oct 22 '11 at 22:00
  • 2
    No, but you could transfer all of your 'private' (or whatever) functionality to the server side php, and then use Ajax (just running the non-'private' stuff client-side). – David Thomas Oct 22 '11 at 22:00
  • Try this: http://stackoverflow.com/questions/6869312/how-do-i-hide-javascript-code-in-a-webpage/13262948#13262948 Hope this helps. – Jepp Nov 07 '12 at 04:49

3 Answers3

6

No, with normal JavaScript it is run on the client-side which means that it must be accessible to the user's browser running it. You can try obfuscating your code, or a newer technology like server-side JS (V8) But for traditional JavaScript it must be run client-side.

majic bunnie
  • 1,395
  • 2
  • 10
  • 21
  • 5
    @RosamundaRosamunda - You realize with a console in Firebug or Chrome I can see your video url if the browser can play it, right? – Jared Farrish Oct 22 '11 at 22:07
  • Yes, but I´ve got an Amazon account and I´ve planned to put an expiry date on the link... Hope that helps to prevent the hot linking... – Rosamunda Oct 24 '11 at 16:45
5

Edit: Now that you've added a comment that says what you're actually trying to protect is the URL of a video (why don't people just say what they're really trying to do in their question?).

The answer is that you can't protect a video URL that you play in a web page. That can easily be seen lots of ways. Any of the browser debugging tools will show all network traffic to/from the browser which will easily disclose the video URL.

If what you really want to do is to prevent direct linking of the video, then there are some techniques (none of which are foolproof) you can use to prevent most directly linking. If you do a Google search for "prevent direct linking", you will find a lot of articles that discuss this concept. The two techniques I've seen used are:

  1. On your server that serve's up the video, check the http referrer and only server the video to referrers that you like. While the http referrer can be spoofed by a determined and schooled theif, just this simple step renders most direct linking by most users impractical.
  2. Require some sort of algorithmic parameter in the URL of the video before it will be successfully servered that your server can check. This can be derived from other content on the site and combined with a data reference or can be issued hourly by your site and embedded in a valid hosting web page, etc...

All javascript in your web page will be visible to anyone who wants to see it.

The only way to truly hide an algorithm is to put it on the server, execute it on the server and either put the result in the web page as it's rendered by the server or use an ajax call to retrieve it.

Because of the way Javascript works in the browser, the code must be available to the browser in order to run it. If it's available to the browser, then it's available to any person who wants to see it.

There are some things you can do to make it more difficult for people to see your javascript, but these are only obstacles that will slow someone down or make them take more time to understand your code, but they can all be overcome by anyone who has enough persistence to do so.

The simplest thing you can do is to minimize your code by running it through one of the free popular minimizer tools (Google Closure or Yahoo's minimizer and there are many others). These tools main goal is to reduce the size of your javascript code, but in the process they also make it a lot less readable by removing indentation, line breaks, renaming local symbols to something short and meaningless, etc...

There are also obscuration tools that purposely obscure your javascript code to make it more difficult to see/understand.

I repeat though. All of these tools can ultimately be defeated and the most they do to thwart a determined snooper is slow them down.

If you really want to protect an algorithm or trade secret or secret code or something like that, you have to put the algorithm on the server and have the code execute only on the server so that the browser can only see the result, not the actual code.

FYI, in most cases, it's never as important to protect your actual code as people think it is. Business success is not achieved by keeping secrets, but rather by getting known and by meeting the needs of customers at an appropriate price.

jfriend00
  • 683,504
  • 96
  • 985
  • 979
  • My guess is, in most cases it would be impossible (say, for manipulating elements on the page) or not really a value-added proposition (the technique's or resource's it's obfuscating aren't truly valuable). For most people that want to do this, my guess is it's one of these two conditions, and they should probably not even bother. – Jared Farrish Oct 22 '11 at 22:06
  • @JaredFarrish - I agree. It's rarely worth worrying about. Much more important to worry about things that actually make your business successful. – jfriend00 Oct 22 '11 at 22:08
  • 1
    Although video links could easily be found using debuggers some websites with paid video contents use techniques like requiring authenticated cookie to get the video resource link and then playing from that link, some use much more complicated methods like chopping the whole video into many parts and getting the video content by sending many requrests/responses from inside the video player. That way at least plugins like video downloader cannot buffer or download the video resource directly. If video is main part of business, it is a matter of concern to prohibit direct or unauthorized access – Birey Oct 22 '11 at 22:38
  • Thanks for your answer @jfriend00!!! Anyway, how about an expiry date? I´m using Amazon S3 and set the video as private, then use the Amazon CludFront program CloudBerry to set an expiry date of the link, so that way, people would be able to see it just for X days. How about that solution? I think it is easier... And yeah, it shouldn´t be such a big deal to make it "secret", I know. The thing is that the video is about an online course, and don´t want people to download it, at least not that easily. – Rosamunda Oct 24 '11 at 16:49
  • Thanks for your answer @Bipins! I don´t know if I can make thet "chopping" thing. Is there a tutorial about how to do such a thing? A program to do that? How should I google that? "chopping video to prevent download"? Thanks! – Rosamunda Oct 24 '11 at 16:54
  • The way i've seen it, like in cbtnuggets , they send request from say 0 second to 10 second and get that much video that is then rendered in the player, after that it sends request for another random piece say 10 to 24 seconds, like that, at least for people who just want to crawl and download whole link would have a very tough time. In netflix, they get the whole video in multiple wmv files ( probably server has capability to send only piece of a large file ), – Birey Oct 24 '11 at 17:02
  • some video sites also do not directly render the whole url but rather make it a 2 step process where first step requires an authentication cookie as in cookie based authentication to get the video link ( which is confusing,random and long). if user authentication is not required then a simple captcha could work but that would be an overhead from end user prospective. – Birey Oct 24 '11 at 17:03
0

JavaScript is a client-side scripting language, so it's not possible to hide it from the client. You could obfuscate it, but some clever people could deobfuscate it.

If you really want to hide your code, you could have the javascript call a PHP script through AJAX, although this may be server heavy.

orangething
  • 708
  • 5
  • 16