I have a private GitHub repo that is serving a GitHub Page, which loads a CSV file from the same repo using XMLHttpRequest. Right now, anybody can go to Inspect > Network and find the URL of that CSV file, copy and paste it into the browser to download the whole thing. How can I prevent visitors from being able to download this CSV file, while still being able to request that CSV to populate stuff on the page?
Asked
Active
Viewed 173 times
1 Answers
0
How can I prevent visitors from being able to download this CSV file, while still being able to request that CSV to populate stuff on the page?
You can't. The client web-browser still has to make the same request for the same resource.
A better solution would be to embed the data directly within the rendered page - you can do this with most static site generators and integrate it with your GitHub Pages build process.
Dai
- 141,631
- 28
- 261
- 374
-
That will get rid of the XMLHttpRequest, meaning the URL is not revealed on the client side? – brienna Feb 28 '21 at 01:01
-
Yes, but the data would then be embedded in the web-page and still accessible via View Source. That said, it's impossible to keep secrets from users on the web - why are you wanting to do this? – Dai Feb 28 '21 at 01:28
-
Ah, alright. I'm new to this, so I'm trying to figure out how I can "encapsulate" the data. It is proprietary, so we don't want the users to download the entire file, but we need the entire file to create the website. – brienna Feb 28 '21 at 01:57
-
"so we don't want the users to download the entire file" - remember there is zero difference between a user downloading a file compared to the user running _some program_ that downloads the file: when building distributed or network client/server applications (incl. websites) **[never trust the client](https://www.google.com/search?q=never+trust+the+client=)** – Dai Feb 28 '21 at 03:33