Javascript Obfuscator

  1. 5 weeks ago

    Joost R

    Jul 16 Pre-Release Testers, Xojo Pro The Netherlands

    For a Xojo web project I need to implement quite some JavaScript, partially generated on the fly since it contains real-time data.
    It happens that this code also contains a token in order to make use of a third-party service. But... I don’t want this token to be seen by curious end users taking a look into the sources. I've found “Javascript Obfuscator”, which seems to allow me to scramble a token-calculation function.
    I would like to know if anybody else is using “Obfuscator” to hash parts of scripting?

  2. @Joost R — AFAIK, you cannot really hide something completely in JS, just make it harder to analyze the code. However, is it worth it?
    1. It should be nearly impossible to spy on your JS from another process, so it should be safe as long as your users are not allowed to access your application's code/executable.
    2. The token usually belongs to the end-user, so why should you keep them from knowing it? Sure they could do some stupid things with it but they would be responsible. Also, it could be considered "personal data" for the RGPD and EU citizens should be able to access their own personal data.

  3. Greg O

    Jul 16 Xojo Inc

    @Stéphane Mons The token usually belongs to the end-user, so why should you keep them from knowing it? Sure they could do some stupid things with it but they would be responsible. Also, it could be considered "personal data" for the RGPD and EU citizens should be able to access their own personal data.

    The token he’s talking about is for his app to communicate with a 3rd party service, and won’t be user specific. Google Maps is like this.

    @Stéphane Mons It should be nearly impossible to spy on your JS from another process, so it should be safe as long as your users are not allowed to access your application's code/executable.

    But it’s not impossible for a user to open a browser's developer tools and just read the code. Additionally, some browsers will attempt to un-obfuscate and uncompress JavaScript code.

  4. Greg O

    Jul 16 Xojo Inc

    @Joost R which seems to allow me to scramble a token-calculation function.

    Keep in mind that even if the function is scrambled, users can still execute the code if they can find it.

    Does the 3rd party offer any restrictions on token usage? Perhaps being able to limit them to coming from a particular domain?

  5. @Greg OLone — Well you are so much more knowledgeable than me that I won't try to argue.

    Oh and this is a compliment by the way :-)

  6. Joost R

    Jul 16 Pre-Release Testers, Xojo Pro The Netherlands

    @Greg OLone The token he’s talking about is for his app to communicate with a 3rd party service, and won’t be user specific. Google Maps is like this.

    Exactly.

    @Greg OLone But it’s not impossible for a user to open a browser's developer tools and just read the code. Additionally, some browsers will attempt to un-obfuscate and uncompress JavaScript code.

    Also true.

    My script is generated in real time by the Xojo web app since it has live data in it. It would be great if I had a function for real-time obfuscation of the JS. It seems the algorithm for scrambling JS is available, but it would take me a lot of time to implement it in Xojo, so I would encourage somebody else to do this. :)
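
Added example, not code from any poster in this thread: it puts the two points raised above side by side, that a scrambled token function still hands back the token to whoever runs it, and that a restriction on the third party's side is what actually limits its use. The token value, the `example.invalid` hostnames and all function names are hypothetical, and the provider-side check is an assumption about how such a restriction could be enforced.

```javascript
// Constructed "scrambled" token routine in the string-array-plus-decoder style
// that obfuscators commonly emit. The token value is made up for this example.
const _0x1f = ['efnp.', 'uplfo.', '2345'];               // each character shifted by +1
const _0x2a = (s) => Array.from(s, (c) => String.fromCharCode(c.charCodeAt(0) - 1)).join('');
function _0x3c() { return _0x1f.map(_0x2a).join(''); }   // the hidden token calculation

// The page has to call the routine to use the service, so the request it
// builds carries the token in the clear whatever the source looks like.
function buildRequestUrl() {
  return 'https://maps.example.invalid/api?key=' + encodeURIComponent(_0x3c());
}

// Hypothetical provider-side restriction: the token is accepted only when the
// request's Origin exactly matches an origin registered for that token.
const ALLOWED_ORIGINS = new Map([
  ['demo-token-1234', ['https://app.example.invalid']],
]);

function thirdPartyAccepts(token, originHeader) {
  const allowed = ALLOWED_ORIGINS.get(token);
  if (!allowed || typeof originHeader !== 'string') return false;
  let origin;
  try {
    origin = new URL(originHeader).origin;   // normalise scheme, host and port
  } catch {
    return false;                            // missing or malformed header
  }
  // Exact comparison, so look-alike hosts that merely start with the
  // registered name are rejected.
  return allowed.includes(origin);
}

console.log(_0x3c());                        // token recovered by running the code
console.log(buildRequestUrl());
console.log(thirdPartyAccepts(_0x3c(), 'https://app.example.invalid'));
console.log(thirdPartyAccepts(_0x3c(), 'https://app.example.invalid.other.example'));
```

The Origin header is supplied by the client, so a restriction like this keeps the token from being used by pages on other sites in a browser; it does not turn the token into a secret.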
