0

I got a page and the source code is encrypted. All the things are loaded from 2 different sources stored in javascript files.

My question is: Is possible to delete all the html source code for the user when the user opens the inspector ( F12 etc..)? I know that you can block out right click and so on, but I would like to completely delete all the html code if the inspector is open.

SIGSTACKFAULT
  • 919
  • 1
  • 12
  • 31
Stefano S.
  • 1
  • 1
  • 1
    No, not possible. And even if it would be, there would be other means to get that information. The HTML/JS etc need to be send to the user, and so they have access to it. Why is this source code so sensitive in the first place? – Ivar Jul 28 '18 at 23:42
  • I got a player that runs .m3u8 files but the source it's showed in the html source.. they're not able to take control of my m3u8 list but they can, for example, use the source for they're site or use it everywhere..How can i Hide that ? Can i give the source with php for example ? – Stefano S. Jul 28 '18 at 23:46
  • If you really need to use `m3u8` files, then there isn't much you can do about it. I'm not too familiar with this extension, nor do I know what you are using it for, but if you don't want people to see the content you can try to find an alternative. (Like sending the references in this file one by one from the server.) – Ivar Jul 28 '18 at 23:53
  • Actually I'm doing that: The m3u8 file source comes to my server. My server downloads all the .ts segmentations and create a new file where he plays all the .ts files in order. And my server keeps doing it so he downloads 1-2-3-4-5 files .ts, then he loads them in the .m3u8 file. Then he downloads 6-7-8-9-10 and updates the m3u8 file. – Stefano S. Jul 28 '18 at 23:59
  • But if they take my x.x.x.x./file.m3u8 link they can use it for they're site.. – Stefano S. Jul 29 '18 at 00:00
  • Modern browsers wont allow that if the CORS settings on the server that serves that file are set correct. Only if they download it and host it on their own server, but you simply can't prevent that. – Ivar Jul 29 '18 at 00:17
  • Best way to protect your source code is to not let the client download it in the first place – Krease Jul 29 '18 at 18:38

2 Answers2

-2

No.

Well, you can, probably, using breakpoints or something. But it wouldn't help much.

Reasons to not do this:

  1. #gnudawn
  2. The client has to run the code on their local machine. That means they have to download it.
  3. If they can download-and-run it, they can download-and-not-run it.

e.g., if your top-secret-competitors-must-not-see code is hosted at https://site.xz/topsecret.js, then anyone can trivially download it and look at it, without activating any protection mechanisms on the page:

curl 'https://site.xz/topsecret.js' > topsecret.js

What you really want to do is to obfuscate your code.

SIGSTACKFAULT
  • 919
  • 1
  • 12
  • 31
  • As a side exercise, here's YouTube user [LiveOverflow reverse-engineering a popunder which was really, really obfuscated.](https://www.youtube.com/watch?v=y6Uzinz3DRU) – SIGSTACKFAULT Aug 07 '18 at 20:10
-2

"oncontextmenu="return false" onkeydown="return false;" onmousedown="return false; This will disable any user from inspecting your source code. You need to put this excerpt in the starting html tag.

FatJuker
  • 21
  • 3