2

I came across this great online tool. It has options to compress and obfuscate JS. I am wondering if it is possible to do that on the site on the fly. I know it will slightly slow-down the client, but in my case it is acceptable. I am more concerned about proprietary code I use.

I use PHP and jQuery mainly.

dkellner
  • 8,726
  • 2
  • 49
  • 47
santa
  • 12,234
  • 49
  • 155
  • 255

5 Answers5

2

You can use minify, which is based on Yahoo's YUI-Compressor.

It combines multiple CSS or Javascript files, removes unnecessary whitespace and comments, and serves them with gzip encoding and optimal client-side cache headers.

To get obfuscation, you can set nomunge => false

sshow
  • 8,820
  • 4
  • 51
  • 82
2

Are you talking about doing this on the client side? This defeats the purpose entirely. Sending the unobfuscated, uncompressed code to the client defeats both of the important elements of this process:

  • bandwidth/time savings of sending compressed
  • obfuscating can help make it harder to reverse engineer your code (but doesn't make it impossible by any means)

Short story: do it on the server side.

joeslice
  • 3,454
  • 1
  • 19
  • 24
1

Minify does compress and minify (but not obfuscate) on the fly. It will cache the result until the files change. There might be a way to obfuscate as well.

Ryan Doherty
  • 38,580
  • 4
  • 56
  • 63
1

If you're concerned about protecting proprietary code, I would move whatever proprietary operations you have to server side (as @DA pointed out). Anybody can run your js through JS beautifier and get readable code regardless of how obfuscated it is.

JS Obfuscation/compression is best used to make the js smaller to consume less bandwidth when a client loads your page. What you're suggesting might be useful when trying to stop an xss attack which is spreading through your site - by renaming a variable which a malicious script is attempting to exploit - but outside of that I don't see any reason or benefit of implementing re-obfuscation with each request.

Dave
  • 6,141
  • 2
  • 38
  • 65
0

If you are concerned about proprietary code you don't want others to see, then don't use JavaScript or any client-side language for that matter. JS obfuscation isn't security...just a scam to sell obfuscation software.

As for compressing, yes, you can do that server side. As stated, YUI-Compressor is a good option.

DA.
  • 39,848
  • 49
  • 150
  • 213
  • I realize that anything can be reversed-engineered. I am not trying to fool the pros, but rather discourage low- to mid-level curiosity. :) – santa Jun 22 '11 at 18:10
  • 1
    Why? Note that obfuscation is likely going to produce a larger file download than the unobfuscated minimized JS. That's going to penalize your site visitors. It's also pretty trivial to poke through the client side source code even if obfuscated with all the browser tools out there. – DA. Jun 22 '11 at 18:16