Javascript file permissions

johnuk · November 20, 2009, 5:28pm

I would like my external Javascript files to be executable only by my application, and not readable (e.g if they were to browse via a url) as a security percaution.

Is this possible? I tried setting the public permissions (apache) to execute only. but the JS stoped working. Any input much appreciated!

p.s. sorry if this is the wrong forum

Mirek_Komarek · November 20, 2009, 6:19pm

Has your application some user agent?
if(eregi(“application_user_agent”,$HTTP_USER_AGENT)){
echo “javascript contens”;
}
}
else {
echo “nothing”;
}

crmalibu · November 21, 2009, 4:10am

A web browser must be able to read the url, otherwise it can’t execute the code.

If your application currently requires that a user not be able to see the code, then you need to rethink your design. You can obfuscate, but you will not be successful against a programmer.

PhilipToop · November 21, 2009, 11:07pm

You do not have to make the javascript difficult to read, interpret and understand. You can deliver it via a url that does not directly access the js file itself - that is you can call a cgi that delivers the javascript. But at the end of the day the javascript ends up in the browser and can be examined.

felgall · November 22, 2009, 1:23am

If it is written in JavaScript then anyone can run it. If you don’t want anyone to be able to run it then don’t use JavaScript.

Mirek_Komarek · November 23, 2009, 8:10pm

checking for user agent is good, when you want some script run just for you, I used it on some website to hide link to admin section, it was visible just with FF + addon https://addons.mozilla.org/en-US/firefox/addon/59 and edited special user agent for this website.

felgall · November 23, 2009, 8:26pm

[QUOTE=Mirek Komárek;4439960]checking for user agent is good, when you want some script run just for you,QUOTE]

That’s a good idea. Just change the user agent so it contains something that will uniquely identify your browser eg. add your name into the user agent.

It doesn’t stop someone else overriding that so as to get it to run anyway but it would prevent casual visitors from accessing it by accident.

Mirek_Komarek · November 23, 2009, 8:40pm

There is just small problem when you forget to switch your special user agent and go to site, where they can identify you, because they will see that user agent in analytics counters and so on. So it is not very safe solution.

felgall · November 23, 2009, 8:53pm

Only if you replace what is already in the user agent will it stand out. If you just add something to the useragent it will only be noticed if someone looks at the raw logs or decides to specifically track you.