In fact, there is no way to "hide" information sent to the server, if the
user knows what they are doing.
Simply open up any half way decent telnet program, and telnet to your
server, specifying port 80
(instead of the regular telnet port). Using the GET command you can view
any file.
For example, if there is a virtual directory, "Scripts" that contains a
file "SomeJavaScript.js" you can
use the command (and case is important here) "GET
/Scripts/SomeJavaScript.js" to view the script.
You are passing data to the client - they can do whatever they want with
it. You can not give the client
data and yet not have them view it. Easily... ( You could have them
download an applet, and have
the applet download data to the client machine, but even that isn't
foolproof!)
However, the good news is that "GET /SomePage.jsp" will not display the
source code for the JSP.
When the server recognizes the file extension as something like ASP, JSP or
PL, the file is treated
differently, and the output of the resulting _program_ (in our case, a
servlet) is given to the user.
This is why data security and careful web page design is essential. Never
place sensitive data on the
client machine, because they can tamper with it.
Robert
PS. For what it's worth, I agree with Jeff: don't mess with my context
menu!! I often use the menu to navigate,
reload a frame, add bookmarks, or whatever. Please don't pretend that you
have a right to change the behaviour
of my browser.
That does NOT do the trick. You can't 100% hide client side scripts, since
they have to be downloaded to the client. They can always be read from the
cache. If you're not trying to hide them completely, I'd suggest .js
include
files to hold the functions. The file's still downloaded to the client, but
it's not directly accessible from the "view source" option.
This trapping of the right mouse click is one of the most annoying things
you can put on a web page. It prevents me, for instance, from opening a
link
in a new window using the context menu that pops up when you right click.
----- Original Message -----
From: Jacob Madsen <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 02, 1999 6:39 AM
Subject: Re: How to hide scriptlet code in 'view source'
> All the browser sees is the generated HTML - you JSP code is never shown.
> Only client-side scripts are visible. If you want to hide them also
> completely, do the following:
>
> Put the page into some frames. This prevents it from being saved.
> Next, create an method to catch a right mouse click on the page. I
believe
> it's called onRightMouseClick i JavaScript (maybe somebody else know it,
if
> it's wrong). This method could do this: alert("You cannot view source");
> That should do the trick.
>
> Jacob
> ----- Original Message -----
> From: Garg Sanjay <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, November 03, 1999 12:31 AM
> Subject: How to hide scriptlet code in 'view source'
>
>
> > Hi,
> >
> > I am looking for a way to hide my java scriptlets in my JSP from
> > the browser's 'view source'. Can it be done. I remember reading
> > somewhere that it cannot be done for JavaScript code, but since
> > scriptlet is something that runs on server side I am hoping to
> > make it invisible to the world.
> >
> > I would appreciate any help.
> > Thanks,
> > Sanjay
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
FAQs on JSP can be found at:
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.html
