Current solutions for source code protection of web pages.

Dear friends,
Welcome to the webappscp CG. I hope everyone will be generous with criticism.
As we all know, the source code of web pages loaded by the browser is usually public and easily viewed. Thus, source code protection is a difficult thing in the web page/web app area.
As far as I know, there are currently two main solutions to protect web source code: User Interface Disabling and Code Obfuscation.

1. User interface disabling: a mechanism for preventing users from viewing source code by right-clicking, pressing a shortcut key or selecting from the menu bar. Usually, it can be realized by integrating some small pieces of code into your web page, for example:
(1) Forbid right-click button:
e.g. document.oncontextmenu = function() {return false;}
(2) Shield the shortcut key (usually F12):
e.g. document.onkeydown = function (e) { e = e || window.event; if (e.keyCode == 123) { e.returnValue = false; return false; } };
(3) Hide the menu bar and location bar:
e.g. function openNewpage() {window.open ('foobar.html', '', 'toolbar=no,menubar=no,location=no');}
The three methods above can be used together to maximize the protection effect. It looks like a good way to protect your web app's code, especially the hosted web app.
However, there is a fatal problem: browsers always prohibit opening pop-up windows by default, so the page will not be opened if you use the "window.open()" method.

2. Code obfuscation: including JS obfuscation, HTML obfuscation and CSS obfuscation. The principle of this mechanism is that the source code is rearranged and processed to make it difficult to read.
There are some online obfuscation tools, for example:
(1) Jasob: http://www.jasob.com/

(2) Free Javascript Obfuscator: http://www.javascriptobfuscator.com/

(3) Javascript Obfuscator: http://www.javascript-source.com/javascript-obfuscator.html

(4) YUI Compressor: http://yuilibrary.com/projects/yuicompressor/Yahoo

etc.
However, the drawback of this mechanism is that the code is still clear text. So it is still easy for developers to get the original code structure by reverse engineering.

So, are there any other better solutions for source code protection, especially for web apps (including hosted web apps and packaged web apps)?
Thank you.

Gao Wenmei
Huawei Technologies Co., Ltd.

Received on Friday, 14 June 2013 03:50:46 UTC
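
The post's point that obfuscated code "is still clear text" can be checked mechanically, which is why obfuscation should not be relied on to keep logic or embedded secrets confidential. The following is an added example, not part of the original message: the sample input is constructed in the common string-table style and is not output from any tool listed above, and all function names are hypothetical.

```javascript
// Constructed sample: hex-escaped string table plus indexed lookups.
const OBFUSCATED = String.raw`var _0xa1=["\x6C\x6F\x67","\x6C\x69\x63\x65\x6E\x73\x65\x20\x6F\x6B"];console[_0xa1[0]](_0xa1[1]);`;

// Matches `var _0xNN=["...","..."];` and captures the name and the list body.
const DECL = /var\s+(_0x[0-9a-f]+)\s*=\s*\[((?:"(?:[^"\\]|\\.)*"\s*,?\s*)*)\]\s*;?/g;

// Turn \xNN and \uNNNN escapes back into the characters they stand for.
function decodeEscapes(body) {
  return body.replace(
    /\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16))
  );
}

// Collect every string table in the source as { name: [decoded strings] }.
function extractStringTables(src) {
  const tables = {};
  for (const m of src.matchAll(DECL)) {
    const items = m[2].match(/"(?:[^"\\]|\\.)*"/g) || [];
    tables[m[1]] = items.map((s) => decodeEscapes(s.slice(1, -1)));
  }
  return tables;
}

// Inline the table lookups and restore dotted property access.
function recover(src) {
  const tables = extractStringTables(src);
  return src
    .replace(DECL, "")
    .replace(/(_0x[0-9a-f]+)\[(\d+)\]/g, (whole, name, i) => {
      const value = tables[name]?.[Number(i)];
      return value === undefined ? whole : JSON.stringify(value);
    })
    // obj["prop"] -> obj.prop, only directly after an expression.
    .replace(/(?<=[\w$)\]])\["([A-Za-z_$][\w$]*)"\]/g, ".$1");
}

console.log(recover(OBFUSCATED));
```

The transformation needs no key and no execution of the page's code, so anything the script must keep secret belongs on the server rather than in what is shipped to the browser.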