Disabling the View Source Favelet

On my page Purchasing HTML Source Protection I mention two ways of bypassing page encryption. You will notice that the IE favelet doesn't work for all encrypted web pages. There are in fact two very simple ways to block this favelet. The first is to include window.open=null; into a script in the head section of your page. This will stop new windows from being able to be opened from this page at all. If your page needs to be able to open its own separate windows then you need to use the second method which is to include an <iframe> on your web page. This works because most favelets are coded to work with the current page and don't like frames (if your page already uses frames then you don't need to add the iframe unless you want to stop the favelet from viewing the frameset definition).

With an iframe last in the page the iframe content is the last page loaded and is therefore the one that the favelet will process.

The iframe doesn't actually have to contain anything to achieve this protection and can be set up so that it is almost invisible. This page contains such an iframe at the bottom of the page (if you look very closely at the bottom left corner of this page you will see a white dot created by the iframe). If you attempt to use the favelet to view the source of this page you will get an empty browser window open instead. Of course since this page isn't encrypted it is quite readable from the normal browser view source menu option which isn't blocked by this inclusion.

The code for the iframe is as follows:

<iframe name="x" width="1" height="1" border="0" frameborder="0"></iframe>

Alternatively, if you prefer to use more obscure code then the following has been Converted to Javascript and Obscured. Since the code is intended to block the operation of a favelet (which is written in Javascript) it doesn't matter that the obscured version doesn't get included when javascript is disabled.

<script type="text/javascript">
eval(unescape('d%6fc%75%6de%6e%74%2e%77%72
%69%74e%6c%6e%28%27%3C%69f%72a%6de%20
%6ea%6de%3D%22%78%22%20%77%69d%74%68
%3D%221%22%20%68e%69%67%68%74%3D%221
%22%20b%6f%72de%72%3D%220%22%20f%72a
%6deb%6f%72de%72%3D%220%22%3E%3C%5C
%2f%69f%72a%6de%3E%27%29%3B'));
</script>

Note how much larger the obscured javascript version is compared to the plain text version. Also note that the entire content of the script should appear on one line, I have split it here to make it easier to display on the page.

 

This article written by Stephen Chapman, Felgall Pty Ltd.

go to top

FaceBook Follow
Twitter Follow
Donate