Reputation: 406
Actually I'm developing a Chrome extension and a jQuery plugin to upload it and sell it on Codecanyon. When I "Inspect source" of the page and I click on the "Resources" tab, the javascript file looks empty. How does Codecanyon do that? I want to have file theft prevention in my own website too, but I don't know how to do it. I know php and javascript and there's no method to do it, because the browser downloads the file to execute it.
You can see the example here.
Upvotes: 19
Views: 5824
Reputation: 6654
If you're licensing the code on a per-site basis, I would suggest domain locking your javascript as well.
You can do this yourself by simply checking the window.location somewhere in an encrypted file. This isn't going to be very secure, but for 90% of users who just drop a script into a directory and hope it works, it will provide some level of deterrent.
You can also use https://domainlockjs.com (free) to easily lock scripts to domains. This is a slightly better solution because DomainLockJS throws hard to trace errors and is much harder to debug.
A more complicated approach would involve using an Ajax script injection, and allowing specific domains to access the script / not trigger an XSS error. This is the hardest to set up, but if you inject a large amount of js, it might be the hardest to get around.
All of these can be circumvented by a skilled coder though... you're only making things difficult, not impossible.
Upvotes: 1
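The `window.location` check suggested in the answer above, sketched as an added example (not code from any answer on this page or from DomainLockJS). `LICENSED_DOMAINS`, `isLicensedHost` and `guardedInit` are hypothetical names, and the domains are constructed sample values. It matches on whole DNS labels so that look-alike hostnames do not pass:

```javascript
// Added example: hostname allow-list for a per-site licensed script.
// All names and domains below are hypothetical / constructed samples.
const LICENSED_DOMAINS = ['example.com', 'shop.example.org'];

// Lower-case the hostname and strip a trailing dot (fully qualified form).
function normalizeHost(host) {
  return String(host || '').trim().toLowerCase().replace(/\.$/, '');
}

// True when `host` is a licensed domain or a subdomain of one.
// The comparison is on label boundaries, so "notexample.com" and
// "example.com.evil.test" do not match "example.com".
function isLicensedHost(host, licensed = LICENSED_DOMAINS) {
  const h = normalizeHost(host);
  if (h === '') return false; // file:// pages and empty hosts are not licensed
  return licensed.some((d) => {
    const dom = normalizeHost(d);
    return h === dom || h.endsWith('.' + dom);
  });
}

// Entry point: start the plugin only on a licensed host, fail closed otherwise.
// `loc` defaults to window.location in a browser; it is a parameter so the
// check can also be exercised outside a browser.
function guardedInit(init, loc) {
  const where = loc || (typeof window !== 'undefined' ? window.location : null);
  if (!where || !isLicensedHost(where.hostname)) {
    return false;
  }
  init();
  return true;
}
```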
Reputation: 11
Liblock is a small tool built by myself. It encrypts your JS-sources - it's no simple obscurity by obfuscation, but good security by encryption.
When you inspect the DOM in your client, all you'll see is: nplreq(url) for each script that you bind into HTML head.
See how it works here liblock-demo - this is a demo only for hiding the scripts in "nopro_lib" and "xscroll.js".
Encryption and decryption are totally transparent to the browser. It is tested with Firefox, Chrome, Opera, Konqueror, IE8-10 on PC, and with Dolphin and Safari on an Android tablet.
The sources are securely hidden, and only with really great effort may they be laid open again. Encryption is done with AES (Rijndael 256) using one-shot-keys which are negotiated between client and (liblock-)server using Diffie-Hellman.
Upvotes: -8
Reputation: 7781
On JavaScript "protection" - basically what everyone else said.
Explaining the example you provided:
Indeed, http://demos.pixelworkshop.fr/circular_countdown_cc/js/countdown.min.js appears to be empty, however the actual plugin code is appended to the jquery.js file, starting at line 58:
http://demos.pixelworkshop.fr/circular_countdown_cc/js/jquery.js
Upvotes: 2
Reputation: 2909
You can use these JavaScript obfuscator tools:
http://www.javascriptobfuscator.com
http://www.daftlogic.com/projects-online-javascript-obfuscator.htm
Upvotes: 1
Reputation: 1624
You cannot hide it because your browser needs it to perform it. Simple as that.
You need to understand that it is a script executed on the client side. It is not compiled (meaning it's not a binary (0 and 1 machine language)). So it is freely readable.
Nevertheless, you can obfuscate it using tools like YUI Compressor.
Basically, this kind of tool removes extra spacing, tabs and line returns, and renames methods (like method "a" standing for "MyShinyMethodWhoMakesNiceStuff") and variables. That makes it very difficult to read and understand the code. Reverse engineering is thus harder to achieve.
Some use tricks like base64 or other encodings, decoding part of the code with a function, but these are only tricks and will not fool the sharp eye.
By obfuscating, you make people spend much more time analyzing your code, so stealing it is much more complex and takes time. Let's say you made a nice JavaScript plugin that turns every white background purple (OK, not such a great example, but I used it just to have a concrete example). Somebody might want to steal it and make it blue instead of purple. If the code is obfuscated, he might think it's easier to copy your idea and rewrite it on his own, with his own code and a blue background; it will take him less time than reverse engineering and fully understanding yours, and it will be easier to maintain over time too. In the end he will "only" "steal" your idea but not your code.
I think that in the end, it's just a matter of time.
Upvotes: 35
Reputation: 60190
You can only try to make it less readable (through minification and obfuscation), but the code is still transferred and it can be reverse engineered.
The actual code in your example is downloaded with the jquery.js file.
Upvotes: 11
Reputation: 16184
If you see it's empty, it means that it's empty. There is no way to hide your javascript code from a client that must execute the code.
Upvotes: 13