Solved

Disable view-source function .

Posted on 2004-08-05
22
2,175 Views
Last Modified: 2008-02-01
How can I disable the view-source protocol to make my source code invisible to users ?
I have searched in many pages and I haven´t found a good solution.
I am working with traditional asp and javascript ; maybe there is away to detect if someone has typed in the address field something like  "view-source:http://mypage"  from asp and don´t show my real pages if that happens ; something like when I detect if a browser doesn`t have cookies enabled and I redirect the user to other page .... Well that`s an idea , but I do´nt know how to express that in code .

Maybe It´s impossible to disable this function but It would be good to detect if someone is trying to use it and show some different page .

I am sure You guys have some ideas .

thanks in advance .
0
Comment
Question by:felixyo
  • 5
  • 3
  • 2
  • +8
22 Comments
 
LVL 21

Expert Comment

by:pinaldave
Comment Utility
Hi felixyo,
you can not stop user to see the source. That is the client side code and they can always see it, somehow!

Regards,
---Pinal
0
 
LVL 36

Expert Comment

by:Zyloch
Comment Utility
Hi

Unfortunately, you can't stop that from happening. What you can do is put so many blank lines in front of your source that many people may believe it to be empty if they don't see the scrollbar. That messes up header sending, etc. so it's not a good option, but it's the only one I can think of.

Regards,
Zyloch
0
 
LVL 3

Expert Comment

by:mattfairw
Comment Utility
as they have said - there is no way to stop users from viewing source...however there are programs that encrypt the HTML to very strange values most poeple would never care to rummage through...some are free, others have free trials...but here are the results of a google search for you to browse:

http://www.google.com/search?hl=en&ie=UTF-8&q=html+encryptor

-Matt
0
 
LVL 1

Author Comment

by:felixyo
Comment Utility
What about doing something like  detecting  if someone has typed in the address field something like  "view-source:http://mypage"  from asp and don´t show my real pages if that happens ; is that possible ?
0
 
LVL 21

Expert Comment

by:pinaldave
Comment Utility
Hi felixyo,
anything before http:// can not be modified by server side or client side scripting. That is the client browser property and he/she can do that and can not be detected or modified.

Regards,
---Pinal
0
 
LVL 19

Expert Comment

by:webwoman
Comment Utility
No. And that's not how most people look at the source, anyway.
0
 
LVL 36

Expert Comment

by:Zyloch
Comment Utility
Impossible. Because the URL typed is not your page, it's just view source, your script can't detect it. View source doesn't run your script.

Regards,
${Zyloch}
0
 
LVL 36

Expert Comment

by:Zyloch
Comment Utility
Oopz, sry webwoman, stale window.
0
 
LVL 3

Expert Comment

by:mattfairw
Comment Utility
refer to this link, it has a bunch of threads and the question is the same as yours:

http://www.experts-exchange.com/Web/Web_Languages/HTML/Q_20661699.html
0
 
LVL 1

Author Comment

by:felixyo
Comment Utility
Ok this is what I understand ; for instance I can detect from which Ip the client is connecting , which Kind of Browser does he/she has , If it has cookies enabled ,  querystrings , etc  .but It`s imposiible to detect what She/he Typed in the Url before the http:// .

I think I have lost 300 points with this question ... oops ; My code doesn´t have anything special to hide ; the Thing was that I am combining the opener property and open method in javascript to open an intranet application in full screen ; without any bars or everything . I discovered I can type view-source:http://mypage and see my source code ; so in that way users can see the page I am opening with window.open in full screen and they can open that page in a normal window with bars , etc .   Since I was doing that in this way my site is not going to be seen in full screen always .  

I still can try the encripters ; thanks .
 
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 53

Accepted Solution

by:
COBOLdinosaur earned 300 total points
Comment Utility
There is no such thing as an encripter for web pages.  The best of them are encoders; all they do is character substitution.  If a web page was actually encrypeted the browser could not read it.  You could of course install a component on the browser so it would know how to decript.

Now let's get to the bottom line:

It does not matter what you disable.  If a user is browsing with Mozilla they can set an option to prevent web page from altering or disabling the context menu.  That means view source and save pages as... are ALWAYS available to Mozilla users.  

So that leaves so called encrypters.  To render the page the browser must be able to read the code and build the DOM.  The dom is available in Mozilla dom inspector, and all kinds of freewares.  No matter what the original code looked like it is there in the clear in plain text in documentElement.innerHTML...click...copy...open notepad...paste...save.

Now get back to work on improving your site instead of beating yourself up because you think someone might be interested in your code;  betcha no one is.

Cd&
0
 
LVL 1

Expert Comment

by:CBF-IT
Comment Utility
encoders work well and can be very effective, as Cobol mentioned, but there are some very good encryptors available too. I've used Codelock (http://www.codelock.co.nz/) on some of my php scripts, and I know that it also has the ability to encrypt html pages (encrypts your source code and/ also encrypts your html output.) Hope that helps you out some.
0
 
LVL 53

Expert Comment

by:COBOLdinosaur
Comment Utility
I will repeat:  YOU cannot hide source code because the browser has to be able to read it and that means you can view it easily in the DOM.  That link is for a PHP  SERVER SIDE CODE!!!!!!!!! What is does to HTML is just encoding.

I aloways find it interesting that all these sites that claim to be able to hide your code never demonstrate their product by using it on their own pages.  That is because people like me would post the code in threads like this and the gullible who might be taken in by those scams would not pay good money for swindleware.

Cd&
0
 
LVL 18

Expert Comment

by:arantius
Comment Utility
The only way to keep people from seeing the source to your web pages is to keep them from seeing the web page at all.
0
 
LVL 37

Expert Comment

by:gregoryyoung
Comment Utility
CD I love your answers ...

http://pfex.sourceforge.net/ would be an example of an algorithm but you are welcome to waste your money on a commercial product :) In fact if you'll pay money I'll write you one ...

Another mechanism which can be VERY effective if you only want to support IE is to get your html from a webservice on the client side  http://www.gotdotnet.com/playground/services/webservice_behavior.aspx

another option can be to make your entire site an activex control ...

I agree with CD on this though, any of these methods boil down to security through obscurity and should therefor NOT be relied upon.

0
 
LVL 21

Expert Comment

by:pinaldave
Comment Utility
CD's answers says all. Perfect!
Regards,
---Pinal
0
 
LVL 36

Expert Comment

by:Zyloch
Comment Utility
I was just thinking how I could probably occupy my whole life listing reasons why he's better than me.
0
 

Expert Comment

by:medwyne
Comment Utility
As others have said you cannot prevent people from viewing your source. However if you are using server side scripts like ASP then no one will be able to see your scripts because server side scripts are interpreted on the server and onle plain HTML is sent to the client's browser.

Now every developer knows that HTML does not carry much but just page formatting tags. All teh sensitive stuff and secrets of your web site are on the server side script. Hence anyone attempting to view source will see plain HTML which is actually difficult to understand coz its a result of the interpretation of the server.

You can relax knowing that no one can copy your code-just send the sensitive stuff to the server side.
0
 

Expert Comment

by:thug420
Comment Utility
The short answer to how to do this is you can't. The slightly longer answer is that you can't if your pages use HTML.

When someone views your page, their browser needs to be able to read your source code in order to be able to determine what your page contains and how to display it. The browser first copies the source from the internet to the user's Temporary Internet Files folder on their computer prior to rendering the page in their browser window. In many cases the source code for your page is still stored on their computer even after they have disconnected from the internet. Anyone with a text editor on their computer (and that's everyone with a computer) can then access your source code by editing these files that are stored on their own computer. If you stop them from being able to download your pages like this then you also stop them from being able to read your page at all so you may as well not upload it in the first place.

With HTML pages on the web, the only thing that you can do is to make things harder for novices who might want to learn from your code, anyone who wants to steal your code knows ways around all of the obstacles and will still be able to steal your page.

The most common thing that people do to discourage novices from viewing their source code is to use a Javascript to disable the menu that displays when you right click on the page. You can find scripts to do this on just about any Javascript site and there are lots available on Javascripts.com. Unfortunately, the view source option on this menu is just a shortcut to the source and does not stop the user from selecting the same option from the view menu in the browser menu bar. Also there is nothing to stop visitors to your site from turning off the Javascript support in their browser so as to bypass any scripts you might have used.

Another trick is to place a large comment (of fifty lines or so) in the top of your source that advises that your source is protected and cannot be viewed. Novices may not realize that they only have to page down to find the source code.

You can find more information about the various ways that can be used to access and view the source code of html pages regardless of what "protection" the page author has implemented on the page "Viewing Someone Else's Source". Often being able to view the source of other people's pages is a good thing because it enables us to see how other people have been able to achieve the various effects implemented in their page and thus improve our knowledge of html, javascript, etc.

Unfortunately, the way the web works, all of the images on our page are also easily accessible along with the source code so there is no way to protect these from being stolen either. The best that we can do is to embed a copyright notice into the image itself which will hopefully discourage visitors from stealing them. For information about one way to place copyright notices into your images using Photoshop see "Adding a Copyright Notice".

A Solution
The only real way to create web pages where the source cannot be viewed is to not use HTML. HTML is designed so that it can be created in a text editor and anyone with a text editor can read it.

Portable Document Format (PDF) files can also be displayed in a web browser (and display exactly as created rather than being rendered by the browser). PDFs require Adobe Acrobat to be able to create fully functional web pages and a freely available for download Acrobat Reader to be able to render them on the screen (a plug-in allows PDFs to render in browser windows).

Try to access the PDF source using a text editor and all you see is a mess of characters. Yes it is possible to extract the text from one of these files with a large amount of effort but the formatting information is in a totally unusable form. The only way to properly see the page complete with all of its formatting is to use Acrobat Reader or the full Adobe Acrobat product.

With PDF you can even build security into your page that restricts what people can do with your page (even if they have Acrobat) unless they know one of two passwords. One password is used to stop the page from being able to be opened at all by anyone who doesn't know it. The other password can be used to stop people who are viewing the page from performing one or more of the following: printing the page, changing the page, selecting text and graphics, and adding or changing note or form fields. This Acrobat Example page  cannot be printed or edited by you even if you own a copy of the full version of Acrobat.
0
 
LVL 36

Expert Comment

by:Zyloch
Comment Utility
Nice comment, thug ;)

The even shorter answer is: You can't because other people can just keep scrolling down and grabbing your screen with Print Screen or a screen capturing program. If it's more than one page long, they'd just keep scrolling down or build a macro to do it for them.

Then, they can crop the image, w/e.


The solution:
Give people who buy your stuff an encryption key. Then, you can show the encrypted version online. Of course, that'll be useless because that defies the purpose of having them view it at all. The shorter solution: show them a sample chapter that you don't care about.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Read about why website design really matters in today's demanding market.
This tutorial demonstrates how to identify and create boundary or building outlines in Google Maps. In this example, I outline the boundaries of an enclosed skatepark within a community park.  Login to your Google Account, then  Google for "Google M…
The viewer will learn how to count occurrences of each item in an array.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now