JavaScript in Password Protected Folder?

  • xmp333@yahoo.com

    JavaScript in Password Protected Folder?

    Hi All,


    I am trying to hide my JavaScript source. The method I chose was to
    keep all the important source in a password protected folder, and then
    use a SRC="folder/script.js" to include it in my code. This way, the
    script will run, but the user will be unable to view the included
    code. Or so I think :).

    I have tried this method, and it seems to work. However, I would like
    to know if you can see any problems with this. For instance, can you
    think of a way to bypass this and get at script.js? Can you foresee
    any problems that would arise as a result of keeping scripts behind
    password protected folders? Any other security concerns?


    Thanks in advance.
  • Richard Cornford

    #2
    Re: JavaScript in Password Protected Folder?

    <xmp333@yahoo.com> wrote in message
    news:4a0da86b.0402160725.11462a4b@posting.google.com...
    >I am trying to hide my JavaScript source.

    Why?

    >The method I chose was to keep all the important source in
    >a password protected folder, and then use a SRC="folder/script.js"
    >to include it in my code. This way, the script will run, but
    >the user will be unable to view the included code.
    >Or so I think :).

    You are wrong.

    >I have tried this method, and it seems to work.

    Anyone who knows enough about javascript to be able to do anything
    useful with the source will probably know several ways of viewing the
    source once they have access to the page that imports it.

    >However, I would like to know if you can see any problems
    >with this. For instance, can you think of a way to bypass
    >this and get at script.js? Can you foresee any problems
    >that would arise as a result of keeping scripts behind
    >password protected folders? Any other security concerns?

    It isn't going to work. You can restrict access to the page but once
    someone has access they can read the source code, because you will be
    sending them the source code.

    Richard.


    Comment

    • Guido Wesdorp

      #3
      Re: JavaScript in Password Protected Folder?

      xmp333@yahoo.com wrote:
      >
      > I am trying to hide my JavaScript source. The method I chose was to
      > keep all the important source in a password protected folder, and then
      > use a SRC="folder/script.js" to include it in my code. This way, the
      > script will run, but the user will be unable to view the included
      > code. Or so I think :).
      >
      It would surprise me if a client's browser can load the script without
      having to log in, if so that's a security bug in your webserver. Also
      this will *never* hide your scripts, as soon as the browser loads them
      they're available either in the cache (read: on disk somewhere) or just
      by viewing them in your browser. It's not possible to hide JavaScript
      source code.

      Cheers,

      Guido

      Comment

      • Randy Webb

        #4
        Re: JavaScript in Password Protected Folder?

        xmp333@yahoo.com wrote:
        > Hi All,
        >
        >
        > I am trying to hide my JavaScript source. The method I chose was to
        > keep all the important source in a password protected folder, and then
        > use a SRC="folder/script.js" to include it in my code. This way, the
        > script will run, but the user will be unable to view the included
        > code. Or so I think :).
        >
        > I have tried this method, and it seems to work. However, I would like
        > to know if you can see any problems with this. For instance, can you
        > think of a way to bypass this and get at script.js? Can you foresee
        > any problems that would arise as a result of keeping scripts behind
        > password protected folders? Any other security concerns?
        >

        Open your page in IE.
        File>Save As and save it.
        There's the .js file, in a folder all of its own.


        --
        Randy
        Chance Favors The Prepared Mind
        comp.lang.javascript FAQ - http://jibbering.com/faq/

        Comment

        • StanD

          #5
          Re: JavaScript in Password Protected Folder?


          JavaScript is a client side script, by definition, it's processed by the
          client's browser. If the browser can access it, then the user can also
          see it.

          If you put it in password protected folder and a client does not have
          access to that folder, then his browser will not be able to get the
          script.

          Basically, I don't think there is a way to hide javascript.

          Just like you can't hide .css style file.

          xmp333@yahoo.com wrote:
          > Hi All,
          >
          >
          > I am trying to hide my JavaScript source. The method I chose was to
          > keep all the important source in a password protected folder, and then
          > use a SRC="folder/script.js" to include it in my code. This way, the
          > script will run, but the user will be unable to view the included
          > code. Or so I think :).
          >
          > I have tried this method, and it seems to work. However, I would like
          > to know if you can see any problems with this. For instance, can you
          > think of a way to bypass this and get at script.js? Can you foresee
          > any problems that would arise as a result of keeping scripts behind
          > password protected folders? Any other security concerns?
          >
          >
          > Thanks in advance.


          Comment

          • Richard Cornford

            #6
            Re: JavaScript in Password Protected Folder?

            [top posting fixed]
            >xmp333@yahoo.com wrote:
            <snip>
            >>I am trying to hide my JavaScript source. ...
            <snip>
            "StanD" <StanD.11r18o@mail.forum4designers.com> wrote in message
            news:StanD.11r18o@mail.forum4designers.com...
            >
            >JavaScript is a client side script, ...
            <snip>

            Please do not top-post to comp.lang.javascript. The group FAQ outlines
            acceptable posting style in section 2.3 paragraph 5 and references the
            applicable standard.

            Your posting software appears to be exhibiting faulty behaviour in its
            handling of the "References" header in your postings. It has sent (split
            across lines at the location of spaces to avoid uncontrolled wrapping):-

            References: <4a0da86b.0402160725.11462a4b@posting.google.com>
            <c0qq5p$h0h$1$8302bc10@news.demon.co.uk>
            <403101d9$0$567$e4fe514c@news.xs4all.nl>
            <Ao-dndO9Rb2p0KzdRVn-ug@comcast.com>

            But:-

            | RFC 1036 Standard for USENET Messages December 1987
            |
            |
            | 2.2.5. References
            |
            | This field lists the Message-ID's of any messages prompting the
            | submission of this message. It is required for all follow-up
            | messages, and forbidden when a new subject is raised.
            | Implementations should provide a follow-up command, which allows a
            | user to post a follow-up message. This command should generate a
            | "Subject" line which is the same as the original message, except
            | that if the original subject does not begin with "Re:" or "re:", the
            | four characters "Re:" are inserted before the subject. If there is
            | no "References" line on the original header, the "References" line
            | should contain the Message-ID of the original message (including the
            | angle brackets). If the original message does have a "References"
            | line, the follow-up message should have a "References" line
            | containing the text of the original "References" line, a blank, and
            | the Message-ID of the original message.
            |
            | The purpose of the "References" header is to allow messages to be
            | grouped into conversations by the user interface program. This
            | allows conversations within a newsgroup to be kept together, and
            | potentially users might shut off entire conversations without
            | unsubscribing to a newsgroup. User interfaces need not make use of
            | this header, but all automatically generated follow-ups should
            | generate the "References" line for the benefit of systems that do
            | use it, and manually generated follow-ups (e.g., typed in well after
            | the original message has been printed by the machine) should be
            | encouraged to include them as well.
            |
            | It is permissible to not include the entire previous "References"
            | line if it is too long. An attempt should be made to include a
            | reasonable number of backwards references.

            - would require that the References header of a message that appears,
            from the quoted material and its attribution, to be intended as a
            response to the OP should carry the header:-

            References: <4a0da86b.0402160725.11462a4b@posting.google.com>

            And if intended to be a response to any of the other contributors to
            date would be only the References header from that "original message"
            (singular) followed with a space and the message ID of that message.

            While the header that you sent contains the message IDs of all of the
            contributions to the thread to date and will probably give most
            newsreader software the impression that it is Randy that you are
            responding to (or just confuse it). It is important for newsreader
            software to be able to accurately represent which messages are replying
            to which other messages and they need meaningful References headers in
            order to be able to do that. Hence the clearly specified format and
            contents of that header and the fact that it is required in messages
            that represent responses.

            If you are going to post to Usenet, in addition to making yourself
            familiar with the conventions of the groups that you are posting to, it
            would be a very good idea to be using software that does not violate
            such an important aspect of the applicable standard.

            Richard.


            Comment

            • Randy Webb

              #7
              Re: JavaScript in Password Protected Folder?

              StanD wrote:
              > JavaScript is a client side script

              But that is not all it's limited to. Before one posts as horribly as you
              did, you should read the FAQ, about 8 times or so, and then read it 88
              more times.


              --
              Randy
              Chance Favors The Prepared Mind
              comp.lang.javascript FAQ - http://jibbering.com/faq/

              Comment

              • Randy Webb

                #8
                Re: JavaScript in Password Protected Folder?

                Richard Cornford wrote:
                > While the header that you sent contains the message IDs of all of the
                > contributions to the thread to date and will probably give most
                > newsreader software the impression that it is Randy that you are
                > responding to (or just confuse it).

                It confused mine. My reply to Stan is showing as a reply to you, when it
                was actually a reply to Stan (I read/replied to his before I read yours).



                --
                Randy
                Chance Favors The Prepared Mind
                comp.lang.javascript FAQ - http://jibbering.com/faq/

                Comment

                • Richard Cornford

                  #9
                  Re: JavaScript in Password Protected Folder?

                  "Randy Webb" <hikksnotathome@aol.com> wrote in message
                  news:ZpSdnZyQ96X6NKzdRVn-vA@comcast.com...
                  <snip>
                  >>While the header that you sent contains the message IDs of all
                  >>of the contributions to the thread to date and will probably
                  >>give most newsreader software the impression that it is Randy
                  >>that you are responding to (or just confuse it).
                  >
                  >It confused mine. My reply to Stan is showing as a reply to you,
                  >when it was actually a reply to Stan (I read/replied to his before
                  >I read yours).

                  I can't tell how the threading is going to come out on my newsreader yet
                  as I can see both of your replies (as responses to stanD) but my post
                  hasn't shown up yet. It appears to have made it across the Atlantic but
                  hasn't yet managed to propagate across the room at my ISP from the
                  receiving box to the reporting box (or could they be on different
                  continents?).

                  On the plus side both of our newsreaders have followed RFC 1036 to the
                  letter. (I assume you noticed the organisation originating this latest
                  nonsense; another great contribution to the Usenet community.)

                  Richard.


                  Comment

                  • xmp333@yahoo.com

                    #10
                    Re: JavaScript in Password Protected Folder?

                    "Richard Cornford" <Richard@litotes.demon.co.uk> wrote in message news:<c0qq5p$h0h$1$8302bc10@news.demon.co.uk>...
                    > <xmp333@yahoo.com> wrote in message
                    > news:4a0da86b.0402160725.11462a4b@posting.google.com...
                    > >I am trying to hide my JavaScript source.
                    >
                    > Why?

                    Because the organization wishes to protect its source code, since it
                    is proprietary and may reveal internal details that we prefer to keep
                    secret.



                    Thanks.

                    Comment

                    • xmp333@yahoo.com

                      #11
                      Re: JavaScript in Password Protected Folder?

                      Hi All,


                      Thanks for the rapid and definitive responses. It looks like I cannot
                      use JavaScript for any proprietary coding (only things that I don't
                      mind being open source).

                      This helps with making decisions about this project.


                      Thanks again!

                      Comment

                      • Brian Genisio

                        #12
                        Re: JavaScript in Password Protected Folder?

                        xmp333@yahoo.com wrote:

                        > Hi All,
                        >
                        >
                        > Thanks for the rapid and definitive responses. It looks like I cannot
                        > use JavaScript for any proprietary coding (only things that I don't
                        > mind being open source).
                        >
                        > This helps with making decisions about this project.
                        >
                        >
                        > Thanks again!


                        Well, you are correct, and incorrect. You do not have to make your
                        JavaScript code open source... you simply have no method for hiding your
                        code... this is true. Open Source means something different than making
                        your code publicly readable. You can put strict copyrights in your
                        code, making it obvious that it is illegal to use your code in any
                        way... that is about all you can do.

                        There is one hotly contested method, called something like obfuscation,
                        where you run the code through a program that will mangle all of the
                        variables, and remove white-space, making it harder to read.

                        While this is a method for making it harder for someone to read your
                        code, it in no way hides it. If someone wants to put effort forward,
                        they can still read the code... it is just more difficult to do.

                        If you need to hide your code, you might consider Java, or server-side
                        scripting. In both cases, the user never has access to your source code.

                        Brian

                        Comment

                        • Randy Webb

                          #13
                          Re: JavaScript in Password Protected Folder?

                          Richard Cornford wrote:
                          > "Randy Webb" <hikksnotathome@aol.com> wrote in message
                          > news:ZpSdnZyQ96X6NKzdRVn-vA@comcast.com...
                          > <snip>
                          >
                          >
                          > On the plus side both of our newsreaders have followed RFC 1036 to the
                          > letter. (I assume you noticed the organisation originating this latest
                          > nonsense; another great contribution to the Usenet community.)

                          Actually, I hadn't paid attention to it until you mentioned it. But
                          knowing that, they also stopped adding the generated signature lines to
                          their posted posts.

                          It won't slip by me again though :)

                          I have to figure out how to make Mozilla quote the way I want it to and
                          show more than "so and so wrote" :-(

                          Ahh, the joys of learning :)
                          --
                          Randy
                          Chance Favors The Prepared Mind
                          comp.lang.javascript FAQ - http://jibbering.com/faq/

                          Comment

                          • xmp333@yahoo.com

                            #14
                            Re: JavaScript in Password Protected Folder?

                            [My Misuse of the Term "Open Source"]
                            > Well, you are correct, and incorrect. You do not have to make your
                            > JavaScript code open source... you simply have no method for hiding your
                            > code... this is true. Open Source means something different than making
                            > your code publicly readable. You can put strict copyrights in your
                            > code, making it obvious that it is illegal to use your code in any
                            > way... that is about all you can do.

                            True, I should have been more careful with my language. Thanks for
                            the correction.


                            > There is one hotly contested method, called something like obfuscation,
                            > where you run the code through a program that will mangle all of the
                            > variables, and remove white-space, making it harder to read.
                            >
                            > While this is a method for making it harder for someone to read your
                            > code, it in no way hides it. If someone wants to put effort forward,
                            > they can still read the code... it is just more difficult to do.

                            I read about that, but it wasn't enough protection for my tastes, I
                            think I encountered a few pages like that as a matter of fact. I gave
                            up on them because I figured I could find other pages that were
                            properly formatted, but had I wanted to, I could have figured out the
                            contents. Normally, I wouldn't think of hiding source since I would
                            like people to be able to examine my work and (hopefully) learn from
                            it, as I have done with other pages. However, since this is
                            intellectual property for my employer the situation is much different.

                            > If you need to hide your code, you might consider Java, or server-side
                            > scripting. In both cases, the user never has access to your source code.

                            I have used server side scripting, and while it's the safest "platform
                            independent" technique, it is also lacking in interactivity and
                            responsiveness.

                            Java is the only other possibility that I can see, but I have no idea
                            of its future -- especially on the Windows platform. Furthermore,
                            since this application is targeted towards end users, I don't want
                            people to have to go through any hassle to run it -- and this includes
                            installing additional components.

                            Oh well, if it weren't a challenge, it wouldn't be fun :D


                            > Brian


                            Thanks.

                            Comment

                            • Richard Cornford

                              #15
                              Re: JavaScript in Password Protected Folder?

                              <xmp333@yahoo.com> wrote in message
                              news:4a0da86b.0402170559.284bfde7@posting.google.com...
                              <snip>
                              >>>I am trying to hide my JavaScript source.
                              >>
                              >>Why?
                              >
                              >Because the organization wishes to protect its source code,
                              >since it is proprietary and may reveal internal details that
                              >we prefer to keep secret.

                              Client-side code (including Java, which may be decompiled) should
                              not contain internal details that can be exploited. You don't keep
                              secrets by distributing them to people you can't trust to keep
                              them for you.

                              Richard.


                              Comment
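
The thread's conclusion in code, as an added example that is not from any poster. It is a constructed model of a server: the `handle` function, the `/api/quote` path, the credential and the `MARGIN_BPS` value are all assumptions. It shows that password protection on `folder/script.js` only decides who receives the source, while logic kept behind a server endpoint never reaches the client.

```javascript
// Constructed model of the two designs discussed in the thread.
// Nothing here is from the original posts; all names and values are assumptions.

// Sample of what the author wanted to hide (constructed):
const CLIENT_SCRIPT = [
  "// folder/script.js",
  "var MARGIN_BPS = 2500; // internal pricing detail",
  "function quote(costCents) {",
  "  return Math.round(costCents * (10000 + MARGIN_BPS) / 10000);",
  "}",
].join("\n");

// Constructed credential for the password-protected folder.
const VALID_AUTH = "Basic " + Buffer.from("alice:sample-password").toString("base64");

function isAuthorized(headers) {
  return (headers.authorization || "") === VALID_AUTH;
}

const unauthorized = () => ({
  status: 401,
  headers: { "WWW-Authenticate": 'Basic realm="folder"' },
  body: "",
});

// Server-side copy of the same logic: it runs here and is never sent to the client.
const SERVER_MARGIN_BPS = 2500;
function quoteOnServer(costCents) {
  return Math.round((costCents * (10000 + SERVER_MARGIN_BPS)) / 10000);
}

// Minimal request handler: { path, headers, query } -> { status, headers, body }
function handle({ path, headers = {}, query = {} }) {
  if (path !== "/folder/script.js" && path !== "/api/quote") {
    return { status: 404, headers: {}, body: "" };
  }
  if (!isAuthorized(headers)) return unauthorized();

  if (path === "/folder/script.js") {
    // Design 1: the browser must receive the full source in order to execute it.
    return { status: 200, headers: { "Content-Type": "text/javascript" }, body: CLIENT_SCRIPT };
  }
  // Design 2: only the computed result crosses the wire.
  const costCents = Number(query.costCents);
  if (!Number.isInteger(costCents) || costCents < 0) {
    return { status: 400, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ priceCents: quoteOnServer(costCents) }),
  };
}

// What each kind of client ends up holding.
function compareDesigns() {
  const auth = { authorization: VALID_AUTH };
  return {
    anonymousScript: handle({ path: "/folder/script.js" }),
    loggedInScript: handle({ path: "/folder/script.js", headers: auth }),
    loggedInApi: handle({ path: "/api/quote", headers: auth, query: { costCents: "8000" } }),
  };
}

const demo = compareDesigns();
console.log(demo.anonymousScript.status); // no access: the browser cannot load or run the script
console.log(demo.loggedInScript.body);    // access: the user now holds the complete source
console.log(demo.loggedInApi.body);       // server-side: the result only
```
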
