views:

968

answers:

10

How can we restrict a user from saving the page?

Please provide some tips to disable File->Save and View Source options

EDIT: Obviously it can't be done, and probably shouldn't be attempted. But possibly a more interesting variant on this question is how can we make is sufficiently hard for a user to save a page in a usable format such that it is not worth their while doing so? The question doesn't pose a value, but say we were protecting an article subscription site where the user is paying a few hundred dollars per annum for continued access to text.

+50  A: 

Since the page has been sent to the client, there will always be a way to get that information. Trying to stop a user from doing this will only frustrate them.

The only way to have a user not be able to save a file is to not send it to them.

Ben S
+4  A: 

What about the browser's cache? It can be saved from there.

What about a print screen? That could also save the page.

The only way to prevent a user from saving something is to not show it to them in the first place.

Ken White
+8  A: 

Don't do it.

Seriously, if the user can see the page in their browser they can see the source code and/or save it to their computer.

You are fighting a losing battle here.

BoltBait
+10  A: 

While the best answer is "Don't do this," there are ways to make it more difficult for them. And since the point of this site is actually answer the question even if it's bad, here is the best way:

First you'll need to have the page open in a new window where you turn off the address bar and toolbar and everything else. That will make it so the user can't easily get to the File menu at all. To do this you'll need a "splash" page that the user loads to and then when they click a link, it opens the popup that serves the main content of your page. Details on how to create popups without things like the toolbar are here: http://blazonry.com/javascript/windows.php

Then you'll want to add some javascript to each page that prevents the user from right clicking. Here is one method: http://javascript.about.com/library/blnoright.htm

Finally, if it's your Javascript code that you don't want to be seen, then obfuscating your code is a pretty effective way to do that. They can still see the code if they have much know-how, but the obfuscated code would be a gigantic pain to actually interpret. There are lots of obfuscators out there; here is a free web-based one: http://www.javascriptobfuscator.com/

This is far from foolproof. It will stop all "casual" users, but any power user will probably be able to easily figure out a way around it. Still if the idea is to at least prevent a good majority of it then this should suffice.

Update for updated question: To address your new expanded question, I would say the best way to accomplish what you're saying is to use a format that supports DRM. Adobe Acrobat would probably be the best choice because almost everyone has the reader installed. You can prevent PDF files from being saved to the computer so that they can only be loaded from the webpage by a logged in user. The user could still do a screen capture of the document itself which I don't believe is preventable (unless Adobe Reader has some security in place for this, which they might) but it should be sufficient security for most uses.

OverloadUT
Unless of course they're not using Internet Explorer on Windows. Then this all doesn't work.
Nerdling
Right. But that still represents a very significant market share, so this technique will still stop plenty of casual users.And actually, the right click prevention script works fine in Firefox; just not Opera.
OverloadUT
You can disable/enable all of the above in Forefox's advanced javascript options.
tj111
And anyone that knows about those options is going to know how to get around these tricks anyway.
OverloadUT
And with FireFox's Tools->Page Info and FireBugz, all of that is wasted time. While I agree the point of this site is to answer questions, I also feel it's wrong to give people a false sense of security. And you didn't address the cache or screen capture at all.
Ken White
The assertion that it's a waste of time is your opinion. His request was "Please provide some tips to disable File->Save and View Source options" which is exactly what I have done and not at all what the higher-voted "answers" have done.
OverloadUT
Furthermore, you don't know any of the surrounding circumstances. What if he is required to do this by a client? Then it doesn't matter what the "right" way is, he should do what the client wants after explaining why he thinks it's a bad idea. Getting the answer to the question is what he deserves.
OverloadUT
Well, you got a +1 from me, if it makes you feel better.
BoltBait
But you haven't prevented them from saving the file at all. You've just pretended you did. That's why I said "waste of time" and "false sense of security". You may have addressed the OP's exact phrasing, but not the obvious meaning and intent of the question.
Ken White
You HAVE prevented many many users from saving the page. If the user wants to save the page, tries, and fails because of these tricks, then you have by definition prevented that user from saving the page. As I address in the answer, it will not stop users with know-how, but it will stop most.
OverloadUT
In fact, you haven't answered the original question at all, which was "How can we restrict the user from saving a web page?" (see the subject line). The answer is: Don't show it. Anything else you say is just not true.
Ken White
No, if one user doesn't get to save it because they can't figure it out, it hasn't stopped the thousands who did because they're even slightly more computer savvy. My 70-year old mother (who is *far* from computer literate) knows how to print pages and capture screenshots, for Pete's sake.
Ken White
What you've basically done is said, "Yes, a padlock will keep things safe in your toolshed." without pointing out that it's true only if the padlock is actually correctly placed into the hasp, and the hasp securely to the shed, and the padlock fastened correctly, and the intruder has no bolt cutter.
Ken White
Two final points: If his client is requiring it, he should be telling his client that it can't be done. Second, you'll notice that while I disagree with you, I haven't said you were wrong and haven't voted you down. I'm simply pointing out the shortcomings in your erroneous "solution".
Ken White
Okay I'll go with your analogy. If someone said "How can I secure my house from intruders?" would you answer "don't do it, because if an intruder has big enough tools, they can break through any security." I would hope not, because that would be very unhelpful.
OverloadUT
No, of course not. But I also wouldn't say "Put a deadbolt on the front door and you're perfectly safe." without pointing out they should close and lock other doors, close windows, etc. as well. Anything less is providing them false security.
Ken White
Right, and I feel that I did the equivalent of telling them about the doors, windows, etc. by my entire paragraph starting with "This is far from foolproof." So I provided a solution to the problem and explained all of the reasons why it will not always work.
OverloadUT
And with the expanded info from the OP's edit, I withdraw *some* of my objections to your post. It's been fun, though. <g>
Ken White
OverloadUT - thank you for your insight and guidance. I get so upset when answers just say "Don't ever do this!" Today I had a user threaten to bash my head in with a baseball bat for asking a similar question! Business requirements aren't always rational, but answers are still needed.
Jess
What about Ctrl+S? (Apple+S for me)
ilya n.
A: 

It shouldn't be an issue, but if you really don't want a user from seeing your code (javascript, css or html) for some reason, than you could use some obfuscation tool which makes the code less readable.

GoodEnough
+4  A: 

It's really a waste of time and resources to try and do this in html as any method you use can be trivially circumvented.

Instead I would use some other technology to display the data - you can never get around a screen capture. but if you're for instance displaying text and you want to make it hard for the use to save that text for use elsewhere then possible options include

  1. PDF - which can disable save and print. There are extensions to most popular web languages that will write a pdf on the fly. Indeed you might be as well just to go down the DRM route with Adobe and embed a document

  2. Flash - most probably via Flex which could be used to write a general-purpose app to display text and images. The advantage of Flash is that it's easier to set up links than pdf.

  3. Or something else, a custom java applet, or even a vrml plugin and display the text in 3D!

In all cases you could display text against a disruptive background to make OCR more difficult, and images could be watermarked. However nothing is going to stop a determined and resourceful viewer, although you can possibly make it sufficiently hard that it's not worth their time.

Cruachan
I think the PDF suggestion is the best in this thread. I allows for the control the OP is asking for.
Ben S
+2  A: 

The least you can do is... the content is generated dynamically by Javascript. In that way, they cannot simply save it. Of course, in FX, they can still view the generated code and then copy&paste. however, normally people cannot save the page.

Murvinlai
+1  A: 

Try javascript "encoding" and obfuscation.

Something like

if(document.location == 'mydomain.com') {
  content = getAjax('mycontent.xml');
  // content will hold something like 72, 94, 81, 99, ... - encoded ASCII codes
  document.write(String.fromCharCode(content));
}

It will always be possible to save the page, but for non-technical guys it will be harder to make it work. There are 2 protections

  • domain name
  • converting ASCII

It's only pseudocode, but I think you get the idea.

michal kralik
A: 

I'd like to add one more method which, imho, is hard to circumvent: Ctrl+S! (for me, Apple+S)

ilya n.
A: 

how can we make is sufficiently hard for a user to save a page in a usable format such that it is not worth their while doing so

Nothing hard: add on every page: "Personal property of John Stealer, company Zetabeta, paid with credit card 756890987654, billing address ..., subscription expires 12/20".

This is an "extended text format" that I just invented... it has an amazing property: though it looks like a regular text, user is much less willing to print it out and give to others...

ilya n.
brilliant. send user's credit card info over the net with every request.
bendin
You do send pages for which they paid several hundred dollars over HTTPS, do you? So, what's with the downvote?
ilya n.
using https is somewhat better. but I don't know if I'd want my browser cache filling up with unencrypted copies of my payment information either.A less obnoxious variant of this method is used by some publishers of books-as-PDF. pragprog.com embeds your e-mail address on each page of the PDF. That's not risky and yet has much the same effect.
bendin
Any reasonable browser doesn't save documents transmitted over https. Of course, the user is able to save manually, but he won't do it for the reasons that are obvious. I believe this is what you wanted, no? Of course, just having an email might be also effective enough for you.
ilya n.
Even more, modern OSes can mark parts of cache sensitive so that not only the browsers doesn't cache them on disk, but also the OS itself never swaps the sensitive memory on the disk. If this is not how your computer works, you certainly should look into that.
ilya n.