> Actually, you kind of can I think...
> 
> You can use a cfm file as a .js file to emulate a javascript 
> file. Change the extension to .cfm... Careful, cf studio 
> won't correctly parse it, but nonetheless it'll work...  
> Just tested it.
> 
> <cfparam name="cgi.http_referer" default="">
> <cfif cgi.http_referer eq ""><cfabort></cfif> at the top.
> 
> Then, in your script, just enter:
> <script language="javascript" src="temp.cfm"></script>
> 
> In THEORY, the .js will come up blank unless it's called 
> from another file on your site.
> 
> Tweak it as you wish. It should keep prying eyes from 
> reading your .js file.
>
> This isn't 100% bulletproof, but should work for the most 
> part. You can of course get more anal on the file and 
> verify the referer more carefully.

If prying eyes are being used in concert with a brain (or just common,
off-the-shelf software), this won't stop them from seeing your Javascript.

> I know, you cannot for sure, 100% hide it... Cgi variables 
> can be spoofed. Still better than leaving it wide open if 
> you want to lock it down...
> 
> It's like your house. Just because someone can break a 
> window doesn't mean you should leave the door unlocked.  
> Nothing is really 100% secure. But it protects you from 
> everyone but the elite hacker.

This is a poor analogy. Perhaps a better one would be locking your door, but
leaving the key under the mat. But that doesn't really do justice to the
situation either. The simple fact is, securing your house is quite a bit
different from securing application code, and you simply can't secure code
that is being downloaded to the client.

Any web developer with a modicum of common sense knows that for your browser
to run Javascript, it has to be downloaded to the browser. If your browser
can get to it, so can the web developer. Knowing this, it's pretty trivial
to figure out how to do this - just send the same message to the server that
your browser sends. (Or, for that matter, just fetch it from the browser
cache.) You certainly don't have to be an "elite hacker" to do this.

> The only way for one to do this is if they know how to pass 
> their own http headers. And then they need to know that you're 
> looking at that particular cgi variable, and they need to know 
> what you're comparing to as well. Too much trouble for a little 
> piece of javascript IMHO...

It's no trouble at all. Again, the developer doesn't have to know what
variable you're checking against - it really doesn't matter at all. All the
developer has to do is send the same HTTP request that your browser sent.
Since HTTP requests are just text, this is a very easy thing to do. Any
packet sniffer or recording proxy will tell you exactly what that text is.
I've recently started using EffeTech HTTP Sniffer for this sort of thing -
it just does HTTP, but it will let you refetch any file automatically, among
other things. But you don't have to spend $40 to do this - you can use free
tools like Ethereal.

Finally, keep in mind that your approach means more (unnecessary) work for
your CF server, and defeats the primary purpose of using external source
files in the first place - caching!

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
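An added illustration of the point made in the reply above (this is example code, not part of the original thread or anyone's posted code): a small Python model of the quoted `<cfparam>`/`<cfif ... eq ""><cfabort>` gate, fed raw HTTP request text. The request strings, host name and the stand-in "secret" script are constructed for the example. The server parses plain text and sees only the headers it is given, so a request copied byte-for-byte from a browser's cache or a proxy log is indistinguishable from the original; the Referer check therefore fails closed only for clients that send nothing at all and provides no confidentiality for the script body.

```python
"""Model of a Referer-gated script file, to show what the server can and cannot see."""
from dataclasses import dataclass

# Constructed stand-in for the JavaScript the poster wants to keep from prying eyes.
SECRET_JS = "function unlock() { /* constructed placeholder script */ }"

# Hypothetical site host used by the gate; not taken from the thread.
OWN_HOST = "www.example.com"


@dataclass
class Request:
    method: str
    path: str
    headers: dict  # header names lower-cased


def parse_request(raw: str) -> Request:
    """Parse the request line and headers of a raw HTTP/1.x request.

    This is all the server has to work with: text. Nothing in it proves which
    program produced it.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


def referer_gate(req: Request, own_host: str = OWN_HOST) -> str:
    """Server-side equivalent of the quoted check, plus the 'verify the referer
    more carefully' variant: the Referer must name our own host.

    Returns the script body, or an empty body (the <cfabort> case).
    """
    referer = req.headers.get("referer", "")
    if referer == "" or own_host not in referer:
        return ""
    return SECRET_JS


def server_can_distinguish(raw_a: str, raw_b: str) -> bool:
    """True only if the two requests differ in something the server actually parses."""
    return parse_request(raw_a) != parse_request(raw_b)


# Constructed sample traffic. BROWSER_REQUEST is what a page on the site would
# cause a browser to send; REPLAYED_REQUEST is the same bytes read back from a
# cache or a recording proxy, exactly as the reply describes.
BROWSER_REQUEST = (
    "GET /temp.cfm HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Referer: http://www.example.com/page.cfm\r\n"
    "User-Agent: Mozilla/4.0 (constructed sample)\r\n"
    "\r\n"
)
REPLAYED_REQUEST = BROWSER_REQUEST

# A request that does not carry a Referer at all: the only case the gate blocks.
NO_REFERER_REQUEST = (
    "GET /temp.cfm HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in [("browser", BROWSER_REQUEST),
                       ("replayed", REPLAYED_REQUEST),
                       ("no referer", NO_REFERER_REQUEST)]:
        body = referer_gate(parse_request(raw))
        print(f"{label:>11}: {'script served' if body else 'blank response'}")
    print("distinguishable:", server_can_distinguish(BROWSER_REQUEST, REPLAYED_REQUEST))
```

The gate does exactly what the quoted post says: an empty Referer yields a blank response. What it cannot do is tell the browser's request from a copy of it, because the copy is the same text. Anything that must stay confidential has to stay on the server; the client-side file should be treated as public and served as a plain `.js` so it can be cached.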
