If it's javascript, it's open for the world to see, period. If it wasn't, then the browsers wouldn't be able to execute it.
Of course, you can use any of several thousand "obfuscation" routines, where you take your JS code and encode it into a long string (which then looks like "AB54377dgfxbGADS" or whatever, just longer). Then you'd pass that string to a decoding function and either evaluate the result, or just write it to the document. But then you're still using JS to decode it, and it's easy to figure out what the "plain" code is if you want it. If someone's looking to duplicate this functionality, your code is wide open to them no matter how you encode it -- or even if you encrypt it.
(Because you have to decrypt it to run it. And it's easy enough to modify the HTML and add <textarea> tags around the decoding code to get the decoded version out.)
(This kind of encoding-the-script stuff is used by script kiddies all the time. It's their way of getting around virus scanners, because even if the decoded JS is the same, the encoded version is probably different for each kiddie -- and AFAIK most browsers don't write the decoded version out to disk. But it's still really easy to decode most of them, if you want to see what their code is really doing.)
No, the only way to completely prevent people from getting their hands on the code is to run it on the server. |
