Obfuscating JavaScript

Some people are concerned that others can view the source of their JavaScript (at least those scripts that run in the web browser). For some JavaScript beginners this issue is significant enough to them that they obfuscate their JavaScript code. The reason why they do this is not clear since de-obfuscating JavaScript is relatively easy and so the only real impact of doing so is to slow down the execution of the script.

In any case beginners code is not worth obfuscating as it will not differ significantly from the code written by most other beginners and the obfuscated version is as useful an example of how not to write JavaScript as the original version of their code is likely to be. After all if they had a reasonable knowledge of how to write JavaScript properly they wouldn't be a beginner. Everyone starts out as a beginner so the fact that their code is poorly written is not important as they will soon improve on it as their knowledge of JavaScript increases.

Those who have gone beyond the beginner level will soon have abandoned trying to obfuscate their code. They will have come to the realisation that obfuscating JavaScript is ineffective an d slows down the code execution. Since execution speed affects thousands of times as many visitors as are likely to even try to view the JavaScript source it is the far more important consideration. In any case, unless their code does something significantly different from every other JavaScript ever written there will be large sections of the code that duplicate what is found on many other sites anyway.

To apply real protection to the code means not writing it in JavaScript in the first place but instead using a server side language where the source code can't be viewed. Where interaction with the web page is required then part of the script could be run on the server using an ajax call of some sort to pass data to and from the server. Anyone viewing the source in that case would see only that part that is in the browser.

What is worth doing with large pieces of JavaScript code is to minimize them. This means stripping out the comments and whitespace. Minimized copies of scripts can be up to 30% or more smaller than the original script. This makes the code harder to read but that isn't the purpose of the minimizing. Minimized scripts will load slightly faster meaning that the web page will be faster with minimizing rather than slower as it would be with obfuscating.

Note that while a minimized script is missing all of the comments that well written JavaScript will not need many comments in the first place and the whitespace can easily be put back by using a JavaScript formatter. Minimizing therefore does not really make a script harder to read for anyone who knows JavaScript beyond a beginner level.

Some minimizers go a step further than just removing comments and whitespace and also attempt to shorten variable names. This can result in a slightly smaller minimized version of the file. It also makes the code slightly (but only slightly) more difficult to read as the variables no longer have meaningful names. The nature of JavaScript means that this changing of variable names can only take place within small pieces of the code. An attempt to shorten variable names used across larger pieces of code is more difficult and likely to end up breaking the code and so is far less likely to be done except with the simplest of scripts.

There are far more beginners writing JavaScript than there are professionals and so beginners are far more likely to copy the poor code of other beginners (which they can at least partly understand) than they are to copy the code of professionals where they are a lot less likely to understand the code and so are almost certainly not going to be able to use the code correctly.

Professionals may look at other professionals code but it will generally only be to see how a particular small part of the processing was done. This may lead to their adding another small code sample to their toolbox but will certainly not lead to wholesale copying of large pieces of code.

Basically you don't need to obfuscate your JavaScript because anyone who knows enough JavaScript to understand your code will be able to easily write their own version and anyone who knows a lot less JavaScript than you do will be unlikely to be able to figure out how to adapt your code to do what they want to do. The only circumstance where beginners will be able to use advanced code is where the code is written specifically to make it easy to apply to multiple pages and there are plenty of copies of such scripts made available for beginners to cop[y legally without them needing to steal one.


This article written by Stephen Chapman, Felgall Pty Ltd.

go to top

FaceBook Follow
Twitter Follow