From: Mike Duffy on 13 May 2010 15:21

Johannes Baagoe <baagoe(a)baagoe.com> wrote in
news:UKadnXUPDY5TpnHWnZ2dnUVZ8mdi4p2d(a)giganews.com:

> Garrett Smith :
>
>> Encrypted strings is a different matter.
>
>> It is not possible to prevent access to publicly accessible
>> resources, such as attempted by scripts that do things like:
>
>> var pwd = prompt("enter password");
>> location.href= pwd + ".html";
>
> Quite. And of course, if *that* is what the author of the question
> had in mind, a firm advice against it is appropriate.

Why? As long as the server does not yield a list of available pages, it
should work to restrict access to people that know the password.

Of course, you do not need javascript; just tell your friends to go to
http://what.ever.com/secret_xyz.html and don't tell anyone else.

From: Evertjan. on 13 May 2010 15:49

Mike Duffy wrote on 13 mei 2010 in comp.lang.javascript:

> Johannes Baagoe <baagoe(a)baagoe.com> wrote in
> news:UKadnXUPDY5TpnHWnZ2dnUVZ8mdi4p2d(a)giganews.com:
>
>> Garrett Smith :
>>
>>> Encrypted strings is a different matter.
>>
>>> It is not possible to prevent access to publicly accessible
>>> resources, such as attempted by scripts that do things like:
>>
>>> var pwd = prompt("enter password");
>>> location.href= pwd + ".html";
>>
>> Quite. And of course, if *that* is what the author of the question
>> had in mind, a firm advice against it is appropriate.
>
> Why? As long as the server does not yield a list of available pages, it
> should work to restrict access to people that know the password.

Because those "friends" are just like other people, they will
bookmark the result on a computer that is accessible to someone
else, who will then use that url as a hyperlink on a website, and
then even Google will direct to your secret page in a few weeks.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my email address)

From: Mike Duffy on 14 May 2010 07:28

"Evertjan." <exjxw.hannivoort(a)interxnl.net> wrote in
news:Xns9D77DE0D9E3D5eejj99(a)194.109.133.242:

> Mike Duffy wrote on 13 mei 2010 in comp.lang.javascript:
>
> Because those "friends" are just like other people, they will
> bookmark the result on a computer that is accessible to someone
> else, who will then use that url as a hyperlink on a website, and
> then even Google will direct to your secret page in a few weeks.

Of course, you are correct. These friends are likely the same ones that
will include my email address in their "bulk" emailings that they make to
all of their friends every time they find a funny joke or picture while
web-surfing.

Perhaps it would be better to use this kind of page-hiding only in those
cases when you have information that you *want* to disperse, but make it
appear to be restricted:

http://stock.tips.com/secret_picks_for_friends_only.html

From: Dr J R Stockton on 15 May 2010 13:19

In comp.lang.javascript message
<hsi2vs$3no$1(a)news.eternal-september.org>, Thu, 13 May 2010 16:46:01,
Garrett Smith <dhtmlkitchen(a)gmail.com> posted:

>For purpose of the FAQ entry, I have shifted the focus on javascript
>being used to restrict access to a web resource.

Such a subject, for the readership that you should be aiming for, will
merely add further disguise to whatever other meaning the item may be
intended to convey.

For a start, who is "I"? A question such as you propose could easily be
asked by a browser user wishing to keep his history secret, or wanting
to prevent his parents reading anything about Brussels sprouts.

--
(c) John Stockton, nr London UK. ?@merlyn.demon.co.uk Turnpike v6.05 MIME.
Web <URL:http://www.merlyn.demon.co.uk/> - FAQish topics, acronyms, & links.
Proper <= 4-line sig. separator as above, a line exactly "-- " (RFCs 5536/7)
Do not Mail News to me. Before a reply, quote with ">" or "> " (RFCs 5536/7)

From: Dr J R Stockton on 18 May 2010 11:51

In comp.lang.javascript message
<hsncmp$c0$1(a)news.eternal-september.org>, Sat, 15 May 2010 17:02:30,
Garrett Smith <dhtmlkitchen(a)gmail.com> posted:

>Dr J R Stockton wrote:
>> In comp.lang.javascript message
>> <hsi2vs$3no$1(a)news.eternal-september.org>, Thu, 13 May 2010 16:46:01,
>> Garrett Smith <dhtmlkitchen(a)gmail.com> posted:
>>
>>> For purpose of the FAQ entry, I have shifted the focus on javascript
>>> being used to restrict access to a web resource.
>>>
>> Such a subject, for the readership that you should be aiming for, will
>> merely add further disguise to whatever other meaning the item may be
>> intended to convey.
>> For a start, who is "I"?
>
>It is the hypothetical reader that appears in other entries, for
>example: "how do I format a Date object with javascript," "my element
>is named myselect[], how do I access it?

That is what you think it means; that is what you want it to mean. And
in that case, there is no other reasonable distinct interpretation. Of
course, the FAQ reader may not want to do it himself, but to pass the
advice on. "Formatting a Date Object" is sufficient, since it is a
JavaScript FAQ.

Indeed, consider a similar situation in a hypothetical newsgroup for
Web-only VBScript : "How do I find the offset from GMT using VBScript".
The true answer may well be "You cannot". A helpful response would be
more like "MS IE also knows JavaScript : after

    <script type="text/javascript">
    Offset = new Date().getTimezoneOffset()
    </script>

a VBScript section can read Offset (in minutes)". That would be
appropriate in News - but in a VBScript FAQ that answer would call for a
matching Subject such as "How do I find the offset from GMT" or "Finding
the offset from GMT".

>> A question such as you propose could easily be
>> asked by a browser user wishing to keep his history secret, or wanting
>> to prevent his parents reading anything about Brussels sprouts.
>>
>How so?

By speaking, in your presence, the words "How can I prevent access to a
web page by using javascript?". It's a perfectly reasonable question
from an office manager who has heard that browsers can be controlled by
script, and wishes to prevent the staff reading Dilbert when they should
be working. Your current answer would clearly be inapplicable to his
question.

----

You were asked to notify the group when new FAQ versions are produced,
with their version number and date. Please do so.

I have on my disc "Version 30, Updated 2010-05-06, by Garrett Smith". I
also have a link to <http://jibbering.com/faq/index.html> which is
"Version 30, Updated 2010-05-13, by Garrett Smith". Same number,
different date - confusing.

Both versions say :

    This is the comp.lang.javascript meta-FAQ, 30. The latest version
    is available at http://jibbering.com in HTML form.

The page it links to is interesting, but it is not the FAQ. While it may
be OK to have a short form for access to a page when it will have to be
re-typed, a true link should always be as full as possible. If, as I
suspect, you have access at Jibbering only into the FAQ directory, then
the link should at least be to http://jibbering.com/faq/. Using
http://www.jibbering.com/faq/ would be nicer, because of the common
expectation that Web domain names start "www.". And, if you will use
index.html for the FAQ, the link should be to
http://jibbering.com/faq/index.html, since that is a more robust form.

The later version says

    13.1 How can I prevent access to a web page by using javascript?

    In practice you can't. While you could create a suitable
    encryption system with a password in the page, the level of
    support you need to do this means it's always simpler to do it
    server-side. Anything that "protects" a page other than the
    current one is definitely flawed.

which says nothing about resources. It is also wrong. It cannot be
"always simpler to do it server-side", since there may be no, or very
restricted, server-side support.

The best way to prevent access to a page such as my "gullible.htm" is to
remove it from the server, returning 401. But copies should still be on
The Wayback Machine.

Encryption only prevents access to the meaning of the page, not to the
actual content of the source file. If I put up a page advertised as the
full details of Al'Quohol but actually containing 30kB of random Hex,
then all the CIA's codebreakers may download a copy every day in the
hope of cracking the code (thereby amusing the BATF), and costing all of
my bandwidth. Yet they could think that there is content hidden from
them.

I do not want you all to use my js-quick.htm direct from the server
whenever you want to do arithmetic. So I use JavaScript to prevent a
copy from my server actually doing its work. You can of course download
the page and use it locally (as it says); you can upload it to your
server, and it will work directly from there. I'm only interested in
protecting my bandwidth.

So you should now see that "prevent access" has multiple applicable
meanings.

--
(c) John Stockton, nr London UK. ?@merlyn.demon.co.uk Turnpike v6.05 MIME.
Web <URL:http://www.merlyn.demon.co.uk/> - FAQish topics, acronyms, & links.
Proper <= 4-line sig. separator as above, a line exactly "-- " (RFCs 5536/7)
Do not Mail News to me. Before a reply, quote with ">" or "> " (RFCs 5536/7)

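Added example (not part of any post in this thread): what the FAQ entry's "suitable encryption system with a password in the page" amounts to, in contrast to `location.href = pwd + ".html"`, where the password is the URL and travels with every bookmark and link. The function names, iteration count and sample strings are assumptions made for this illustration; it uses only Node.js's built-in crypto module.

```javascript
// Added example, not code from the thread. Node.js, built-in crypto only.
const crypto = require("node:crypto");

// Assumption: illustrative PBKDF2 work factor; tune it for the target devices.
const ITERATIONS = 200000;

// The salt is public and is published alongside the ciphertext.
function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, "sha256");
}

// Run once by the author; the returned object is what goes on the server
// in place of the readable page.
function sealPage(html, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  const body = Buffer.concat([cipher.update(html, "utf8"), cipher.final()]);
  return {
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    body: body.toString("base64"),
  };
}

// Run by the reader. Returns the HTML, or null when the password is wrong
// or the published blob was altered (the GCM tag check fails).
function openPage(sealed, password) {
  const b64 = (s) => Buffer.from(s, "base64");
  const key = deriveKey(password, b64(sealed.salt));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, b64(sealed.iv));
  decipher.setAuthTag(b64(sealed.tag));
  try {
    const plain = Buffer.concat([decipher.update(b64(sealed.body)), decipher.final()]);
    return plain.toString("utf8");
  } catch {
    return null;
  }
}

// Constructed sample page and passwords.
const sealed = sealPage("<h1>Picks for friends only</h1>", "correct horse battery");
console.log(openPage(sealed, "correct horse battery")); // the original HTML
console.log(openPage(sealed, "wrong guess"));           // null
```

The sealed blob stays downloadable by anyone, which is the point made in the last post: encryption hides the meaning of the page, not the file, so the password has to withstand offline guessing.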