I was wondering whether it is possible to hide JavaScript files when visiting a website. At first I thought it was not possible: you can obfuscate the code as much as possible, but it will still be accessible to the user.
However, I started reading some blog posts and sites that suggest some hacks to "try" to hide the JS code. Some of the posts I read were these:
http://www.webmasterworld.com/forum91/2713.htm
http://www.codingforums.com/archive/index.php/t-23293.html
I haven’t understood them very well. Can someone explain them to me?
And here is an example: I have been browsing this page http://www.regexbuddy.com/ and I started looking at the source code with the Google Chrome inspector to find out how the functions that show the menus' drop-down lists were implemented. I could see that every menu item has an onmouseover="showpopup(x);" event. Unfortunately I was not able to find this JS function "showpopup", nor the other JavaScript functions used throughout the code (showmenu, for example). The server sends 2 JavaScript files, menu.js and jgsoft.js, but neither of these files contained the function definitions. Nor were these functions defined in the HTML as inline script.
The curious thing is that if I type window.showpopup in the Google console I am able to read the function. So where are these functions defined? Possible hacks to "try" to hide JavaScript files? Ways to bypass these hacks?
In the case of regexbuddy.com – the code is all in this file, as you guessed, but it’s packed using packer. It’s probably packed to try to deliver it faster, rather than to make it difficult to read, but it could be both reasons.
You can “unpack” it by pasting the contents of jgsoft.js into this tool.
So basically, yes, you can hide all of the code, but since the browser has to execute it, it will always be possible to get at.
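The unpacking step mentioned in the answer can also be done statically, by reading the packer's argument list instead of executing the packed file. The following is an added example, not part of the original answer or of regexbuddy.com's code: it assumes the common eval(function(p,a,c,k,e,d){...}(...)) packer layout with a radix of at most 62, and the packed sample (including the body given to showpopup) is constructed for illustration.

```javascript
// Static unpacker for the eval(function(p,a,c,k,e,d){...}(...)) packer layout.
// It only reads the argument list; the packed script is never executed.
const DIGITS = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

// Captures: [1] payload string, [2] radix, [3] '|'-joined dictionary.
const PACKED = /\}\s*\(\s*'((?:\\.|[^'\\])*)'\s*,\s*(\d+)\s*,\s*\d+\s*,\s*'((?:\\.|[^'\\])*)'\s*\.split\('\|'\)/;

// Convert a payload token (a base-`radix` number, most significant digit
// first) to its dictionary index, or -1 if it is not a valid number.
function tokenToIndex(tok, radix) {
  let n = 0;
  for (const ch of tok) {
    const d = DIGITS.indexOf(ch);
    if (d < 0 || d >= radix) return -1;
    n = n * radix + d;
  }
  return n;
}

function unpackPacker(src) {
  const m = PACKED.exec(src);
  if (!m) return null; // not this packer layout
  const radix = Number(m[2]);
  if (radix < 2 || radix > 62) throw new Error('unsupported radix ' + radix);
  const words = m[3].split('|');
  // Undo the string-literal escaping of quotes and backslashes.
  const payload = m[1].replace(/\\(['\\])/g, '$1');
  // An empty or missing dictionary slot means the token stands for itself.
  return payload.replace(/\b\w+\b/g,
    (tok) => words[tokenToIndex(tok, radix)] || tok);
}

// Constructed sample in the packer layout; the decoder body is left out
// because the static unpacker never needs it.
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){/* decoder body omitted */}('0 1(2){3.4("5"+2).6.7=\'8\'}',10,9,'function|showpopup|x|document|getElementById|popup|style|display|block'.split('|'),0,{}))`;

console.log(unpackPacker(SAMPLE));
```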