
I am required to allow a user to view a file in JavaScript, but not to be able to download the file through a direct link.

I understand that using htaccess and changing the permissions will not allow this to ever be possible due to the fact that Javascript is client side.

Therefore the only solution remaining is to allow only the server to access the file, and serve it to javascript via php.

At the moment, the javascript plugin forces me to send a url to it:

    loader.load('example.stl');

The external javascript then executes this:

    prototype.load = function (url, callback) {

        var scope = this;
        var xhr = new XMLHttpRequest();

        function onloaded( event ) {
            if ( event.target.status === 200 || event.target.status === 0 ) {
                var geometry = scope.parse( event.target.responseText );
                scope.dispatchEvent( { type: 'load', content: geometry } );
                if ( callback ) callback( geometry );
            } else {
                scope.dispatchEvent( { type: 'error', message: 'Couldn\'t load URL [' + url + ']',
                    response: event.target.responseText } );
            }
        }

        xhr.addEventListener( 'load', onloaded, false );
        xhr.addEventListener( 'progress', function ( event ) {
            scope.dispatchEvent( { type: 'progress', loaded: event.loaded, total: event.total } );
        }, false );

        xhr.addEventListener( 'error', function () {
            scope.dispatchEvent( { type: 'error', message: 'Couldn\'t load URL [' + url + ']' } );
        }, false );

        xhr.overrideMimeType('text/plain; charset=x-user-defined');
        xhr.open( 'GET', url, true );
        xhr.send( null );

    };

Obviously the javascript file reads in the file as XML, however, I'm not experienced enough with Javascript to manipulate it to fit my needs.

  • Realistically, it's quite difficult to attempt to stop a user downloading the file - often times they can parse the JavaScript or the HTML code for the actual URLs if they really want to download it. It's almost impossible to stop those that are determined to steal your stuff - if you really need to show them use other methods such as watermarks on documents and restrictions in PDFs and Word documents to discourage copying. Commented May 21, 2013 at 0:11
  • It's trivial to unlock a locked PDF. Commented May 21, 2013 at 0:14
  • Could I encrypt a file during upload and unencrypt it when required by the client? Commented May 21, 2013 at 0:16
  • Yes, but it still would result in the client having to decrypt it at some point, for which it requires a key on the clientside, for everyone to see. It would still boil down to zero security. It's rather similar to the 'disable right click' scripts you used to see everywhere years ago. Always remember: if the browser can show it, anyone can copy it, you can only make it (a tiny bit) harder. Commented May 21, 2013 at 0:19
  • Yep, much the same problem that libraries like HighCharts and the like have. They opt to make it hard to remove the copyright notices with code obfuscation, and hope the users will prefer regular updates and good support over 'fixing' the libraries for every new release, but whenever money's involved there will be cheapskates. It's just not possible to reliably secure anything that will have to be downloaded by the browser to be displayed. The user can even always just look it up in his browser's cache folder. Commented May 21, 2013 at 0:30

1 Answer

If you "understand that using htaccess and changing the permissions will not allow this to ever be possible due to the fact that javascript is client side", you should also understand that it's not possible to "allow only the server to access the file, and serve it to javascript via php".

What you are asking is just not possible - if Javascript can access it, the rest of the browser can access it. Javascript does not have more or less privileges than the rest of the visitor's browser, and even if it did he could just enter the relevant Javascript in his debugger console, or in a plugin.

1 Comment

I agree with @Niels. In this situation I think I might place the file in a directory not accessible by the web server directly, then write a server-side program to read it and obfuscate the heck out of it before sending to the client, where JavaScript would decode it. It won't stop people from downloading it directly, but they probably won't want to take the trouble to decode it. ASCII values plus 1 or something along those lines.
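
The "values plus 1" scheme from the comment above, worked through per byte as an added example (not code from the thread or from the STL loader). All function names and the sample bytes are constructed for illustration; the text conversion models the `x-user-defined` charset that the loader in the question requests.

```javascript
// Added example: the "ASCII values plus 1" idea, applied to raw bytes.
// All names here are hypothetical.

// Server side (what the PHP script would do before sending the file):
// add 1 to every byte, wrapping 0xFF around to 0x00.
function obfuscate(bytes) {
  return Uint8Array.from(bytes, (b) => (b + 1) & 0xff);
}

// Models xhr.responseText after
// overrideMimeType('text/plain; charset=x-user-defined'):
// bytes 0x00-0x7F keep their value, 0x80-0xFF become U+F780-U+F7FF.
function asUserDefinedText(bytes) {
  let text = '';
  for (const b of bytes) {
    text += String.fromCharCode(b < 0x80 ? b : 0xf780 + (b - 0x80));
  }
  return text;
}

// Client side: recover each byte with & 0xff, then subtract 1 modulo 256.
function deobfuscate(responseText) {
  const out = new Uint8Array(responseText.length);
  for (let i = 0; i < responseText.length; i++) {
    out[i] = ((responseText.charCodeAt(i) & 0xff) + 255) & 0xff;
  }
  return out;
}

// Constructed sample: a tiny ASCII STL body plus the edge-case bytes.
const SAMPLE = Uint8Array.from([
  ...new TextEncoder().encode('solid example\nendsolid example\n'),
  0x00, 0x7f, 0x80, 0xfe, 0xff,
]);

function roundTrip(bytes) {
  return deobfuscate(asUserDefinedText(obfuscate(bytes)));
}

function sameBytes(a, b) {
  return a.length === b.length && a.every((v, i) => v === b[i]);
}

console.log('round trip ok:', sameBytes(roundTrip(SAMPLE), SAMPLE));
```

The decoder has to ship to the browser alongside the data, so this is obfuscation rather than access control, which is the limit the answer describes.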
