ProcessingJS code permission

Question

Since Java updated its security settings in Jan. and I can't afford a trusted certificate to sign in my jar file online, which is about 200 USD a year, I just converted my Processing2 jar file to Processing1.5 JavaScript file. And now the problem is, to let visitors see the js output, I have to let them at least 'read' my pde file, while I don't want to make my source code public.

So how can I present my work without releasing my source code? Thanks a lot!

my processing folder under /var/www/html/visual:

-rw-r--r--. 1 root root   2709 Sep 10 21:03 main.pde
-rw-r--r--. 1 root root    238 Mar  6 15:12 proj01.html
-rw-r--r--. 1 root root 231867 Mar  4 23:55 processing-1.4.1.min.js

the html file looks like (so visitors know my pde file name):

<!DOCTYPE html>  
 <html>  
 <head>  
    <script src="processing-1.4.1.min.js"></script>

 </head>  
 <body>  
    <canvas data-processing-sources="main.pde"></canvas>  
</body>  
</html> 

and the self-signed jar file is blocked by Java Update51 unless visitors manually set the security level to the lowest. Only certificates bought from services like Symantec or Godaddy can let the jar file run smoothly in a browser.

Answer 1

Yes there are easy ways to hide code (and any other assets). They aren't bulletproof, it's as close as I could get to compiled code without getting overly paranoid. What you see here is a self-executing anonymous function, leaving nothing behind but dust and ashes (and of course a running processing.js sketch). Inside that function goes your processing code, base64 encoded (see marked spot, see below for more info)

It will also import the library, setup the canvas, and run it. No pde, no script element, no canvas-id except what Processing sets. No reference to the code except somewhere inside the global Processing library object, couldn't find it after 5 mins so I considered it safe enough.)

(function(){
    var lib,code;
    code=atob("/*YOUR BASE64 ENCODED CODE GOES HERE*/");
    lib = document.createElement("script");
    lib.src="processing-1.4.1.min.js";
    document.head.appendChild(lib);
    lib.onload=function(){
        var canvas,pjs;
        canvas = document.createElement("canvas");
        document.body.appendChild(canvas);
        pjs = new Processing(canvas,code);
        this.onload=null;
}
})()

Additional info about base64 encoding: This methods transforms anything into a Datastring. You use btoa() to encode, or atob() to decode. There are websites that will do the encoding for you, it's more comfortable if you have big files that are -not- already in javascript like in your case.

It can be applied on all sorts of assets, making it possible to create entire games with sound and textures without external Resources for example. But it's just another way to represent your data, it's not really "compiled" as encoding doesn't permanently change the code you don't need to do anything but run atob() on the string and it's instantly back in original form.

Additional info about how to run the script: You can hide the script tags somewhere in the dom tree (may be the easiest solution) Load it at an external javascript (maybe even experiment with obscure file names, omitting the .js extension or using another one) Here you could also apply minification. Your base64 string will most likely be 95% of your code and the rest will be minified and almost indistinguishable from encoded data.

There are tons of ways to improve that, in all directions, but I wanted to stick to the ones I think are most practical to you. If you want more, just ask.

Answer 2

you can edit the html file not to include a link to the pde file, which you can delete. Still, you ca view the html source of the page.

You can create a self signed certificate to sign your .jar file though. Here's an example of a self signed applet I uploaded a few years ago. I have signed it using there instructions.

Letting your visitors view the source however might prove useful to them.