javascript source map : keeping map file local only to debug production javascript

Question

I would like to debug production website, but I don't want to upload the map file on the server (for privacy reason, because it is public right ?).

Is it possible ?

What are your privacy concerns for the map file, considering all of the JavaScript code is public, anyways? — jeffjenx, Apr 02 '13 at 16:42

score 17 · Answer 1 · answered Apr 02 '13 at 16:53

17

I don't believe any browsers currently allow loading source maps ondemand from local files, so you have to put the sourcemaps online somehow.

One solution could be to create a .htaccess file (or something similar, if you aren't using Apache) that restricts access to the sourcemap (and the original source files) to clients that aren't from your local network.

You should realize though, that if you want to prevent access to the sourcemaps for security reasons, then all you will achieve is a false sense of safety. Javascript is public, and even if it is minified and encrypted, it is fairly easy to unencrypt it. Do not put any sensitive data in your javascript. Not even if you minify and encrypt it.

answered Apr 02 '13 at 16:53

AHM

5,145
34
37

1

It won't run if it is encrypted, I think you mean [obfuscated](https://en.wikipedia.org/wiki/Obfuscation_%28software%29)? – Useless Code Jul 06 '13 at 08:45
Obfuscation, of course, could be unraveled just by passing the code through a beautifier, but I guess my point is that no matter what you would think of, you would still be sending all your code and data to the client. So, even if you create some kind of amazing encryption scheme, you would still need to send the means to unencrypt it to the client because, as you say, otherwise the client won't be able to run it. All an attacker would have to do is put a breakpoint in sometime after the 'secret' data have been unencrypted. – AHM Jul 09 '13 at 09:20
1

It's not really about hiding sensitive data, it's about raising the effort required to rip off your functionality. – caesay Dec 02 '16 at 10:33

Om Shankar · Answer 2 · 2013-04-08T04:27:18.360

Following might be useful for you

Multi-level Source Maps - The CSS Ninja

The link also explains using UglifyJS2 with which an input source map can be specified. However, I have not tested with a local input source

Also, you can try hosting the file on local and changing your hosts file to point something like local.mydomain.com to localhost. And then specify local.mydomain.com/js/my-orig-js-file.js as the Source Root

score 0 · Answer 3 · answered Aug 30 '16 at 11:26

Another solution is to upload the map file and the minified js on the server and keep the original js file locally. Then modify your map file in something like this:

{
    "version":3,
    "sources":["http://localhost/library.js"],
    "names":["example","console","log"],
    "mappings":"AAAA,QAASA,YACRC,QAAQC,IAAI","file":"script.min.js"
}

javascript source map : keeping map file local only to debug production javascript

3 Answers3

Linked