Re: Current solutions for source code protection of web pages. from Travis Miller Web Development on 2013-06-15 (public-webappscp@w3.org from June 2013)

From: Travis Miller Web Development <tmillerweb@gmail.com>
Date: Sat, 15 Jun 2013 11:27:04 -0400
To: Gaowenmei <gaowenmei@huawei.com>
Cc: "public-webappscp@w3.org" <public-webappscp@w3.org>
Message-Id: <55B0672B-3FCF-440B-A970-88DC7112F232@gmail.com>

Whatever solution we potentially develop shouldn't be completely shut off from others.

It still should be a sense of openness for collaboration when working directly with other developers who want to understand our code better. 

A mechanism like maybe a "pull request" for approving people who want to see our code might be helpful too.


Thanks,
Travis Miller


On Jun 13, 2013, at 11:48 PM, Gaowenmei <gaowenmei@huawei.com> wrote:

> Dear friends,
> Welcome to join the webappscp CG. Hope everyone is generous with your criticism.
> As we all know, the source codes of web pages loaded by browser are usually public and easily viewed. Thus, source code protection is a difficult thing in web page/web app area.
> As far as I know, currently there are two main solutions to protect the web source codes: User Interface Disabling and Code Obfuscation.
>  
> 1. User interface disabling: a mechanism of forbidding users to view source code by right-clicking, shortcut key pressing or menu bar selecting. Usually, it can be realized by integrating some small pieces of codes into your web page, for example:
> (1) Forbid right-click button:
> e.g. document.oncontextmenu = function() {return false;}
> (2) Shield the shortcut key (usually F12):
> e.g. document.onkeydown = function () {if(event.keyCode == 123){event.returnValue = false;}}
> (3) Hide the menu bar and location bar:
> e.g. function openNewpage() {window.open ('foobar.html', '', 'toolbar=no,menubar=no,location=no');}
> The three methods above can be used together to maximize the protection effect. It looks like a good way to protect your web app's code, especially the hosted web app.
> However, there is a fatal problem: browsers always prohibit to open pop-up windows by default, so the page will not be opened if you use "window.open()" method.  
>  
> 2. Code obfuscation: including JS obfuscation, html obfuscation and css obfuscation. The principle of this mechanism is that source codes are rearrangement and handled to make them difficult to read.
> There are some online obfuscation tools, for example:
> (1) Jasob: http://www.jasob.com/
> (2) Free Javascript Obfuscator: http://www.javascriptobfuscator.com/
> (3) Javascript Obfuscator: http://www.javascript-source.com/javascript-obfuscator.html
> (4) YUI Compressor: http://yuilibrary.com/projects/yuicompressor/Yahoo
> etc.
> However, the drawback of this mechanism is that the codes are still clear text. So it is still easy for developers to get original code structure by reverse engineering.
>  
> So, are there any other better solutions for source code protection, especially for web apps (including hosted web apps and packaged web apps)?
> Thank you.
>  
> 郜文美 Gao Wenmei
> Huawei Technologies Co., Ltd.

Received on Sunday, 16 June 2013 20:46:40 UTC