1

I have a web service that works through giving users javascript to embed in their code. Users can also place that code on other sites to make it work there. However I also need to allow users to create a blacklist of sites that the JS should not function on. For example, a competitor or an inappropriate site.

Is there a way to check where our JS files are being loaded from, and block loading or break functionality on a per account basis?

Edit: The javascript loads an iframe on the site, so another solution would be to somehow block certain domains from loading an iframe from our server, or serve different content to that iframe

Edit 2: We're also trying to avoid doing this from within the JS because it could be downloaded and modified to get past the block.

2 Answers

2

Inspecting the url of the page

Yes, the javascript file, when it starts executing, can inspect window.url and see if the url of the main document is ok.

To see where the script was loaded from

It can also go through the dom, looking for the script node which brought in the javascript file itself and see from where the JS was loaded.

However

Anyone can load the javascript into a text editor, then change it to eliminate the tests, then host the modified JS on their own server. Obfuscating or minimizing the JS can slow someone down but obscurity is not security.


1 Comment

Yeah that caveat is what we're trying to avoid. I'll update the question to clarify this.
1

One thing you could do is have the JavaScript load another JavaScript file that you serve from the server at a given URL. The trick here is that that URL will not go to a file but to a server endpoint that will return a JavaScript file. Then you have that endpoint check the routes for that user and decide if it will return the JavaScript you want to work or an error JavaScript of some kind.

This blog shows how to do it in PHP: dynamic-javascript-with-php

2 Comments

Usually not hard to get around this: if the bad guy can ever run the "right" url/page and have it work (JS is supplied to the page), then the bad guy can use Firebug or equivalent to store the downloaded JS in a local file for analysis, later use, etc. Remember, eventually you need to supply the JS to the page. So anyone with access to that page can store the JS by using a debugger.
You are correct. You can never stop a user from getting access to content in the browser. You can make it more difficult though.
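
The server-side check described in the answer above, sketched for Node as an added example that is not part of the original thread: the endpoint that serves the script (or the iframe content) compares the embedding page's host, taken from the `Referer` header, with the account's blocklist. The account ids, the blocklist data, the `account` query parameter and the fail-closed choice for a missing `Referer` are all assumptions; the header is supplied by the visitor's browser, so this governs ordinary page loads on a blocked site and, as the comments note, does not stop someone from saving a copy of the script.

```javascript
// Constructed sample data: hypothetical accounts and the hosts each one blocks.
const BLOCKLISTS = new Map([
  ['acct-1', ['competitor.example', 'bad.example']],
  ['acct-2', []],
]);

// Hostname of the embedding page taken from the Referer header, or null.
function embeddingHost(referer) {
  try {
    // Lower-case and drop a trailing dot so "competitor.example." still matches.
    const host = new URL(referer).hostname.toLowerCase().replace(/\.$/, '');
    return host || null; // e.g. "about:blank" has no host
  } catch {
    return null; // header missing or not a URL
  }
}

// A host is blocked if it equals a listed domain or is a subdomain of one.
function isBlocked(host, blocked) {
  return blocked.some((d) => host === d || host.endsWith('.' + d));
}

// Decide what the script (or iframe) endpoint returns for this account and page.
function decide(accountId, referer) {
  const blocked = BLOCKLISTS.get(accountId);
  if (!blocked) return { status: 404, body: '/* unknown account */' };
  const host = embeddingHost(referer);
  // Assumption: fail closed when the embedding page cannot be identified.
  if (host === null || isBlocked(host, blocked)) {
    return { status: 403, body: '/* embedding not permitted here */' };
  }
  return { status: 200, body: `/* widget code for ${accountId} */` };
}

// Node http-style handler; use as http.createServer(handle).
function handle(req, res) {
  const account = new URL(req.url, 'http://localhost').searchParams.get('account');
  const { status, body } = decide(account, req.headers.referer);
  res.writeHead(status, {
    'Content-Type': 'application/javascript; charset=utf-8',
    // The response depends on the Referer, so shared caches must not reuse it.
    'Cache-Control': 'private, no-store',
    Vary: 'Referer',
  });
  res.end(body);
}
```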
