0

I'm a bit new to web development so forgive the slightly beginner question. Can anyone give me some general pointers on how to prevent downloading of files while displaying content with JavaScript/Flash widgets?

The basic dilemma is making files playable by page widgets while preventing direct downloads of the source media. However, since JavaScript and Flash are browser-side instead of server-side, I'm not sure how I can do this.

Obfuscating the source file name is another option, but I'm not sure what a good way to do this would be. Maybe hiding with an algorithm in the .swf files? Not sure how immune to reverse compilation .swf is though.

Thanks a bunch.

j.i.h.

2 Answers

1

In fact, you can't. There are two types of downloads: the normal (direct) one and the one via streaming.

I would advise you to use the direct one but passing an authorization key with it.

An example of such a URL would look like:

/download?file=134&auth=A34C56E4FCD3908DA
    ^         ^          ^
    |         |          '- The predefined access token
    |         '- The requested file
    '- Gateway script

Don't forget that you must store the sensitive files somewhere outside of your document root.

The gateway script would look like (pseudo-code):

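if( validate_token( get('auth') ) ){

    // token accepted: resolve the requested id to a file kept outside the document root
    file_id = get('file');
    file_name = get_file_name( file_id );
    // read the file contents so they can be sent back as the response body
    data = file_read_all( file_name );

}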
Christian
  • Thanks for looking over my question. I take it the gateway download script "fileserver" would be something like php code? Is there any way to make PHP (or some other server-side language) appear as a file? – j.i.h. Jun 06 '11 at 22:11
  • Yes, it can be PHP, or a flash server. Anything that can be executed on the server. I'm not sure what you mean by "appear as a file". If you want to camouflage the script, you can use Apache ReWrite Engine using `.htaccess` files. – Christian Jun 06 '11 at 22:15
  • I'm looking over PHP functions and it looks like fpassthru() might be what I need. Basically have fpassthru() act as the intermediary to serve files. – j.i.h. Jun 06 '11 at 22:16
  • Ah, right, that's what you need. You can use `readfile()` as well, but I hear `fpassthru()` works better. Also, you will want to do a `header('Content-Type: ');` to make this work better. Substitute with the one associated to your file type. – Christian Jun 06 '11 at 22:18
  • Thanks a bunch. I'm going to use time-sensitive encrypted tokens and force the files to start loading as soon as the page loads. – j.i.h. Jun 06 '11 at 22:23
  • OK. Don't forget to mark my answer as the right one if it helped! – Christian Jun 06 '11 at 22:28
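
The gateway discussed in this answer and its comments (a token checked before a file stored outside the document root is sent with `fpassthru()` and a `Content-Type` header), written out as an added PHP example that is not code from anyone in the thread. It uses expiring HMAC-signed tokens rather than encrypted ones; `SECRET`, `MEDIA_DIR`, the `$files` map and the token layout are assumptions.

```php
<?php
// Added example: expiring, HMAC-signed download tokens for a gateway script.
// SECRET, MEDIA_DIR and the $files map are assumptions, not values from the thread.
const SECRET    = 'replace-with-a-long-random-server-side-key';
const MEDIA_DIR = '/srv/private-media';   // outside the document root

// Server-side map of ids to files, so the client never supplies a path.
$files = [134 => ['name' => 'track134.mp3', 'type' => 'audio/mpeg']];

// Token = "<expiry timestamp>.<hex HMAC over file id and expiry>".
function make_token(int $fileId, int $ttl = 300, ?int $now = null): string {
    $expires = ($now ?? time()) + $ttl;
    return $expires . '.' . hash_hmac('sha256', "$fileId|$expires", SECRET);
}

function validate_token(int $fileId, string $token, ?int $now = null): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                       // malformed token
    }
    [$expires, $mac] = $parts;
    if ((int) $expires < ($now ?? time())) {
        return false;                       // token has expired
    }
    $expected = hash_hmac('sha256', "$fileId|$expires", SECRET);
    return hash_equals($expected, $mac);    // constant-time comparison
}

// Gateway: /download?file=134&auth=<token>
$fileId = filter_input(INPUT_GET, 'file', FILTER_VALIDATE_INT);
$token  = (string) filter_input(INPUT_GET, 'auth');
if (!is_int($fileId) || !isset($files[$fileId]) || !validate_token($fileId, $token)) {
    http_response_code(403);                // unknown file, or bad/expired token
    exit;
}
$path = MEDIA_DIR . '/' . $files[$fileId]['name'];
$fh = fopen($path, 'rb');
if ($fh === false) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . $files[$fileId]['type']);
header('Content-Length: ' . filesize($path));
fpassthru($fh);                             // write the file to the response
fclose($fh);
```

The page that embeds the widget would call `make_token()` when it renders the media URL, so each link stops working once its lifetime has passed.
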
1

If your intention is to prevent somebody from stealing your source code, you can't do anything, because JavaScript needs to be downloaded by the browser. You can translate your critical code to some server-side language and pass only its output to the browser (or Flash). Or try some server-side JavaScript engine.

Alessandro Pezzato