I understand that client side code must be readable from the browser but I wonder (since there are too many things that I ignore) if there are ways to obfuscate to code to the end user and, if not what is the best practice to "pack" the javascript code.
views:
526answers:
9
+4
A:
Check this out.
Other than min'ing it, I don't think you can really hide js. It all goes the user's browser and there are plenty of ways of seeing it once its there.
Brian
2009-04-09 14:50:33
True, you can't *hide* it, but obfuscating and/or minifying it makes it significantly more difficult for humans to read.
Chris Ballance
2009-04-09 14:53:54
Why would you want to hide javascript from the user? If you have some kind of business logic in it you have much bigger problems.
Greg Noe
2009-04-09 14:55:20
http://malzilla.sf.net/ It's trivial to use a non-standard browser which spits the obfuscated JS code out in a non-obfuscated form. It's simply not possible to hide anything you send to the client.
ephemient
2009-04-09 14:59:17
@Chris -- There are also "Beautifiers" available to counter that end. -- Try http://jsbeautifier.org/
Jonathan Lonowski
2009-04-09 15:00:44
I'm pretty lazy myself. If I want to find out how something works, I'll use firebug to check it out - if its min'ed I usually stop there. Google or SO will turn up an answer faster than trying to work out min'ed js.
Brian
2009-04-09 15:06:15
@Brian, that's what I was going for, if you want to *discourage* reuse of your JS, you can obfuscate it.
Chris Ballance
2009-04-09 15:08:49
+6
A:
It is good practice to minify your JS with a tool such as YUI Compressor. I would not obfuscate it unless you have a specific need to do this. There are plenty of online obfuscators such as this one
See this article: http://developer.yahoo.net/blog/archives/2007/07/high_performanc_8.html
Chris Ballance
2009-04-09 14:51:19
+2
A:
See here for a Free Javascript Obfuscator.
Given that it is in fact possible, if the reason you intend to obfuscate is to protect intellectual property, you are probably trying to derive value from your work the wrong way. It's fairly easy to reverse the obfuscation, and you would probably be wasting time maintaining your code.
Focus more on what services you intend to provide to those who visit your site as a means to differentiate your site from competitors
Mystic
2009-04-09 14:52:44
I wouldn't use this, some security apps would treat javascript that looks like this as a potential hack attempt and block it
Andrew Bullock
2009-04-09 14:56:18
I never used it myself :) And I would never want to obfuscate my javascript either
Mystic
2009-04-09 14:57:49
A:
There are tools that could be used to compress javascript code and render it difficult for the end user to understand.
Darin Dimitrov
2009-04-09 14:52:46
A:
All the other answers are probably helpfull. If you just want to make it harder for ppl to get to your code, obfuscation is maybe a way to go.
I just want to add a question to it: Why would you want to obfuscate your js? If you're doing something critical, do it on the server side! I don't know about the impact on speed but I would not obfuscate my js, it feels hacky to me.
If someone has an opinion on that I would love to know it.
tharkun
2009-04-09 15:03:52
It was just out of cuoristy, all the critical part (security) is on the server side.. java is there only for AJAX and generaly improved user experience.. I just wondered what the other guys did to safely distribute their code..
0plus1
2009-04-10 09:51:24
A:
Do not put any sensitive or personal information in javascript.
Spend your time on keeping your data on the server secure.
kennebec
2009-04-09 16:08:46
A:
Step 1: Don't.
You would have to do a lot to achieve any meaningful level of obfuscation. Obfuscating the names alone is not enough, since all of the standard functions will still be there (although they may be buried in a layer of shorter/obfuscated aliases), and deriving the purpose of a particular function is easy once the code is formatted nicely again. Anybody who really wants to know what your JS code does can, and will, no matter what you do to it before their browser gets a copy of it.
If you truly have valuable business processes in your JavaScript, then you're Doing It Wrong(tm).
John Cromartie
2009-04-09 16:22:19
A:
No obfuscation is going to keep your code truly secure and it might just give you the false illusion of security (cf. security by obscurity).
If you do need to keep some portion of your code secret, consider pulling the sensitive portions into a server side script and making (say) AJAX calls to the script. Especially with the advent of JSON, communicating with server-side scripts has never been easier.
camdez
2009-04-10 20:41:48