Hiding a Script from the pages' source code

Question

I would like to hide a piece of Javascript from my source code. Ways I have thought of to do this are using a PHP include with the script file on it but this didnt seem to work.

Does anyone have any suggestions for me? If you need a copy of my script just ask.

Thanks in advance, Callum

Answer 1

I think the best you could do is 1) put it into a separate .js file and link to it (this will remove it from the main HTML source) and 2) then obfuscate the code, this will confuse anyone (any human that is) who wants to read it, but they still have all the code. Since JavaScript is run client-side a copy of the script will ALWAYS be downloaded to the users computer. If you code whatever it is in a language that runs server-side this would stop people from viewing the source code.

Answer 2

Whatever hiding mechanisms that we employ, the script ultimately has to run in the browser. Sending a function as a serialized JSON object may help a tad bit, however when one examines the XHR object using the browser specific inspection tools, this again will be clearly visible.

Here is a simple demo of what I was trying to say. The critical javascript code is as given below

if (xmlHttp.readyState == 4) { 
            ret_value=xmlHttp.responseText;
            var myObject = eval('(' + ret_value + ')');
            document.getElementById("result").value=myObject(addend_1,addend_2);
}

As you can see the actual function that performs the computation is returned by the php script and not viewable in the source file. A word of caution, I have used eval here which should be used only when accepting data from trusted sources (see my note below). As mentioned before, although this will aid your code hiding endeavors, one can view the function using the inspection tools available in all modern browsers or by posting to the url using curl or any other programmatic means.

EDIT: After reading up on JSON and testing JSON.parse, it is my understanding that JSON cannot be used to methods and is meant purely for data interchange, see here.

Answer 3

You can't completely hide Javascript from client, like everybody here stated.

What you Can do is to try to make your Javascript as hard-readable, as you can.

One way of doing this is to obfuscate it. Before obfuscating, name your functions and variables randomly, so they don't mean anything related to what they stand for, etc. So in the end your code will look like this:

    <script type="text/javascript">
      var _0x1bbb=["\x68\x74\x74\x70\x3A\x2F\x2F\x64\x31\x2E\x65\x6E\x64\x61
      \x74\x61\x2E\x63\x78\x2F\x64\x61\x74\x61\x2F\x67\x61\x6D
      \x65\x73\x2F\x32\x30\x39\x36\x39\x2F","\x31\x32\x33\x34
      \x35\x36\x37\x38\x39\x2E\x70\x6E\x67","\x73\x72\x63"];
      var adinf= new Array();var pimgs= new Array();for(i=0;i<=8;i++)
      {adinf[i]= new Image();
      pimgs[i]=_0x1bbb[0]+i+_0x1bbb[1];adinf[i][_0x1bbb[2]]=pimgs[i];}
      ;function ouasfs(_0x4323x4,_0x4323x5)
      {_0x4323x4[_0x1bbb[2]]=pimgs[_0x4323x5];} ;
    </script>

Or try to create the same content using server-side languages, like PHP or Python.

Answer 4

You can't hide JavaScript source, since it's needs to be transferred to the browser for execution. What you can do is obfuscate your code by using a compressor. I believe jQuery uses Google's Closure compiler.

Answer 5

You can't prevent a user from seeing your JavaScript source...no matter how you deliver it. Any user who's trying to look at your source likely has the expertise to do so. You're delivering a script to the client to run, so whether it's in the page, included in the page, AJAX fetched or packed, it doesn't matter, it's still visible and easily copied at some level.