How can I prevent my javascript from Firebug view?So that I can prevent Hacking from Javascript?
-
possible duplicate of Does Firebug have something built-in to disable all javascript for a site/page?Nick Craver– Nick Craver2010-05-12 11:50:13 +00:00Commented May 12, 2010 at 11:50
-
2@Nick Craver: I think he means something different. His JS should not be discoverable by Firebug, this is the way I understand it (but not 100% sure ;))Felix Kling– Felix Kling2010-05-12 11:52:21 +00:00Commented May 12, 2010 at 11:52
-
Not doable. The only way is to not trust the client.Matti Virkkunen– Matti Virkkunen2010-05-12 11:54:55 +00:00Commented May 12, 2010 at 11:54
-
1@Felix - Thanks! I completely read that wrong, you're certainly right.Nick Craver– Nick Craver2010-05-12 11:55:53 +00:00Commented May 12, 2010 at 11:55
Add a comment
|
5 Answers
You cannot prevent anyone to examine your JS when browsing your page.
The reason is simple: When you visit a web site, all its content (HTML, images, scripts, etc.) is downloaded to your machine in order to process and display it.
Once the data is downloaded, you can do what ever you want with it (if it is legal is another issue).
But you can make it more difficult for others to examine your JS code by obfuscating it.
See this question: How can I obfuscate JavaScript?
This might or might help. It won't stop those who really want to know.
The question is, is your code so valuable, dangerous or whatever that you really have to think about such stuff?
3 Comments
Nick Craver
+1 - I would add that this only slightly hinders anyone trying to see your javascript, it's a deterrent and not a stop: stackoverflow.com/questions/2302618/getjson-and-php-file
Felix Kling
@Nick Craver: Yep I just had the same idea ;)
Dhaval dave
@ Felix Kling :is right I actually meant that My JS should not be discoverable by Firebug
You generally can't prevent people from seeing/debugging your js code. There are ways how to make their life miserable but please don't even think about it.
1 Comment
Dhaval dave
try to check stackoverglow's(this site's) script form Firebug.. You can not watch Javascript. so it is possible, but i dont know how
If you mean what Felix Kling thinks you mean, you can't. You can obfuscate it, but if you want the browser's Javascript interpreter to run it, it has to be readable by the browser, which makes it effectively public information.
Comments
That is impossible. The user will always have a means of executing javascript in the browser - if not using Firebug, then using the pseudo protocol handler javascript: in the address field.
2 Comments
Dhaval dave
try to check stackoverglow's(this site's) script form Firebug.. You can not watch Javascript. so it is possible, but i dont know how
Sean Kinsey
You mean this: sstatic.net/so/js/master.js?v=aed826386fce ? That it doesn't show up in Firebug is most likely a coincidence as Firebug tends to err with some scripts..
This is too involved for me to test, but I see no reason why it wouldn't work:
Add a task to the bottom of your javascript that uses jQuery's .getScript() (or some other method of dynamically loading a script) to re-load the javascript file using a URL that has an innocuous querystring or anchor tag on the end.
You also need to alter the server code to send a virtually empty javascript file if the request has the special URL-ending.
BTC-e.com hid the file at https://btc-e.com/js/core11.min.js from my Firebug at some point. I know this because Firebug tells me that this javascript file contains this text: "$('ul.pairs span').removeAttr('class');". I used the {} button to beautify it, thinking it might be a very long line with a few hundred spaces between that code and the rest of the code (which is a much cheaper but less effective way to achieve the desired result), and discovered that Firebug's record of the file really does, now, contain only that text. The above method is the only way I can see of doing it.
