Hiding Javascript Source

When you code an external javascript you identify that it is a javascript using either or both of the language and type parameters on the script tag. The file suffix of .js doesn't get referenced in determining that the called module is javascript. This means that we don't need to use the .js suffix on our javascript code and can use a different suffix that will allow us to make the javascript source much more difficult to obtain.

If we use a .htm suffix on our filename instead of .js then any attempts to access the file separately (as would be done by someone trying to access the source code) will result in the file being processed as if it is an html web page instead of as a javascript (at least by the Internet Explorer and Netscape web browsers). By cleverly including some html commands into the javascript source we can make access to the actual javascript source much more difficult.

So let's see this in action. I have created a javascript to demonstrate this which I have called hide.htm. The javascript is linked into this page using the following code:

<script type="text/javascript" src="inc/hide.htm"></script>

and the hide.htm file contains the following:

h = '<script type="text/javascript">top.location = "..\/jstip54.htm"</script>;<!-- ';
function p() {
  alert('Javascript code processed');
}
h = ' -->';

The extra lines at the top and bottom of the script (the two assignments to h) are the ones that will help hide the source code that is between them. When you copy this code you will want to change the ..\/jstip54.htm (which refers back to this page from the javascript source) to refer to the location of the page where you use your script.

You can execute a call to the function contained in this file by clicking here. As you can see, the javascript executes as expected and the alert box is displayed. You can include whatever code you want in the javascript file; you just need to make sure that it has a .htm suffix and contains the two assignment statements at the top and bottom of the file.

With these changes in place, when someone tries to access your javascript code the file is interpreted as a web page and the browser tries to display it. Most browsers interpret the html tags within the two extra lines as actual html tags, and the content of your javascript sits between the <!-- and --> tags and is therefore effectively commented out, leaving only h = ' '; to display on the page. To view the commented out javascript code would require viewing the source of that page.

Many of your visitors will not be able to do this easily because to be able to view the source of that page first requires that the page be displayed in the browser. The script code contained in that first assignment statement will be interpreted as a javascript to be executed when the file is displayed as a web page and that script contains instructions to load and display a different page - the one that uses the actual script. The page will therefore not display long enough for your visitors to view the source unless they first disable javascript.

Note that this may not work with all browsers but does work with the latest versions of Internet Explorer, Netscape, and Opera.
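
The two readings of hide.htm described above, as an added example that is not part of the original article. The helper names readAsScript and readAsHtml are hypothetical, the alert stub stands in for the browser, the file contents assume the closing brace of p() is present, and the regex scan only approximates an HTML parser for this one sample.

```javascript
// Constructed sample: the contents of hide.htm as shown in the article.
const HIDE_HTM = String.raw`h = '<script type="text/javascript">top.location = "..\/jstip54.htm"</script>;<!-- ';
function p() {
  alert('Javascript code processed');
}
h = ' -->';`;

// Reading 1: loaded through <script src>, the whole file is JavaScript.
// alert is passed in as a stub (assumption: no browser is available here).
function readAsScript(source) {
  const alerts = [];
  const run = new Function('alert', 'var h;\n' + source + '\nreturn { h: h, p: p };');
  const result = run((msg) => alerts.push(msg));
  result.p(); // call the function the file defines
  return { finalH: result.h, alerts };
}

// Reading 2: requested directly, the same bytes are parsed as HTML.
// Script elements are found first, then comments, as a parser would for this file.
function readAsHtml(source) {
  const scripts = [];
  const comments = [];
  let rest = source.replace(/<script\b[^>]*>([\s\S]*?)<\/script>/gi, (m, body) => {
    scripts.push(body); // code the browser would execute (the redirect)
    return '';
  });
  rest = rest.replace(/<!--([\s\S]*?)-->/g, (m, body) => {
    comments.push(body); // not rendered, but still present in the page source
    return '';
  });
  return { visibleText: rest, scripts, comments };
}

const asScript = readAsScript(HIDE_HTM);
const asHtml = readAsHtml(HIDE_HTM);
console.log('as script:', asScript);
console.log('as html  :', asHtml);
```

The comments array holds the full function body, which is the text a visitor sees through view source once the redirect in scripts[0] does not run.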


This article written by Stephen Chapman, Felgall Pty Ltd.
