PDA

View Full Version : Disable "File, Save As" Coding Needed



Dragonfly
09-22-2005, 09:22 PM
Hi, I'm new to this board, and fairly new to website design but have done a couple of basic sites that I think look good and work well.

Now I have a more complicated site I'm working on with a lot of artwork that I don't want copied. I have the coding for "no right click", and also to disable the IE6 picture toolbar, and the coding works just fine.

What I also need and can't find anywhere, is specific coding to prevent someone from clicking on "File, Save As".

I realize that if someone really wants your work and has enough knowledge they can still take it - but I don't want to make it easy for them.

Can anyone help? I'm kind of under a deadline here.
Thanks,
Dragonfly

cr3ative
09-23-2005, 06:37 PM
Sorry, you can't remove browser options.

You also can't disable everyone's right-click.
You also can't even start to stop people copying images.

Watermark them. It's the only safe way.

cr3

Twey
09-23-2005, 06:42 PM
Is this for the internet or an intranet? It is possible to disable some of IE's features using Windows server versions, I believe. I wouldn't know how, though. If they are on the internet, there is no way.

blm126
09-24-2005, 09:57 PM
You could put the artwork in a pop up and disable the menu bar using javascript. It's kind of pointless though because no matter what you do they can just take a screen shot.

foxpro
10-17-2005, 06:26 AM
Now listen to me, do this:

1°Create a *.Js file with the scripts:

var myVar='<img src="myimg.jpg" galleryimg="no">'
document.write(myVar)

2° In your html put your script:

<html>
<head>
</head>
<body>
<blabla />
<script src="myscript.js"></script>
</body>
</html>

Whith this:
Your image donot will to show the icon "save as" and, when you save the page, the brouse (IE) save the all the page without your img.!
Join this!

FOX pro ®

Twey
10-17-2005, 03:29 PM
Clever, if it works.

mwinter
10-17-2005, 08:13 PM
Your image donot will to show the icon "save as" and, when you save the page, the brouse (IE) save the all the page without your img.!Who cares when the user can just right click and select "Save as..."? Or take a screen shot. Or look in the script file and obtain the URL. Moreover, your suggestion will mean that users that have client-side scripting disabled won't get an image at all. What a great idea! :rolleyes:

The average user really doesn't care about saving your content. Even if they did, it would be for personal use only which is not something to be concerned about. People that actually go looking for content to steal (whether to sell or use in their own site) will not be bothered by anything you try.

You secure nothing, but do manage to obstruct visitors from using their browser properly. That is hardly something to be proud about.

Mike

simonf
11-01-2005, 04:56 AM
Mike is 100% correct.. as per the norm :)

Wedgy
11-04-2005, 03:20 AM
sorry, the next post has the complete message:

Wedgy
11-04-2005, 03:38 AM
The attitudes here seem awfully defeatist. The general question is a fair one, and a common one. It is easily solved, and it breaks down into several parts. As always, there are legitimate reasons for wanting to disable copying, and there are effective methods to do so, but it is a multi-step process:

(1) How to remove the idiotic mini-Toolbar.


It is reasonable to remove this when it serves no real useful purpose, and it looks ugly, distracting the viewer from the graphic design.

(a) You can put this in your head section:

<meta http-equiv="imagetoolbar" content="no" />
however, as the Mad Professor pointed out,

That is actually not a good way to do it.
It is not widely known but, I have discovered that using:

<meta http-equiv="imagetoolbar" content="no" />

can and usually does create memory leaks. If you use this a lot on your site or if the page gets refreshed often, it will eat up memory like nobody's business until all instances of the browser are closed. Better to use the less convenient:


<img galleryimg="no" src="some.jpg">

option on just those images that are large enough to require it (below a certain size, images will not display that toolbar anyway).
This solves the first problem, the toolbar. But it doesn't stop people right-clicking on the pictures and saving them.

2) How to Stop the Right-Click

This again is not unreasonable. It allows you to stop honest viewers from just taking your pictures, and gives you an opportunity to display copyright in a separate window,
only when needed, without cluttering up the (lovely) visual design of the page.

You can disable IE by having a popup window show up when they right-click, but in Firefox this doesn't stop them from getting to a 'save menu'.

For IE put this in a file called copyright.js:



// copyright notice script
var message="Copyright 2000,2001,2002,2003,2004,2005 by (your company name here). WARNING! All content on this site is protected by copyright laws. Unauthorized use of our material is strictly prohibited.";

function click(e) {
if (document.all) {if (event.button==2||event.button==3)
{ alert(message); return false;}}
if (document.layers) {if (e.which == 3) { alert(message); return false;}}
}// --------- end function

if (document.layers) { document.captureEvents(Event.MOUSEDOWN);}
document.onmousedown=click;
//


Then hook it into your webpage HEAD section like this:


<!--================= COPYRIGHT NOTICE =====-->
<script language="javascript" src="copyright.js"></script>


This is a friendly way to deal with 'honest viewers' who might assume the pictures are free to use in any way they wish.

For Firefox, you can intercept the 'right-click' with a bit of Javascript:
(in the HEAD section:)



<script type="text/javascript" language="JavaScript">
<!--
function initPage(objectID) {
var object = document.getElementById(objectID);
object.onmousedown = findMouseButton;
}

function findMouseButton(evt) {
evt = ( evt ) ? evt : ((window.event) ? event : null);
if (typeof evt.button != 'undefined') {
alert('Mouse Button Value = ' + evt.button);
}
}
//-->
</script>

<style type="text/css" media="screen">
<!--
#object1 {
visibility: visible;
position: absolute;
top: 50px;
left: 100px;
width: 410px;
border: solid 2px gray }
-->
</style>

and in the body put this:


<body onload="initPage('object1')">

Click me and I will tell you which mousebutton you pressed:<br/>

<div id="object1">
<img src="yourpic.jpg" alt="pic" />
</div>

This you can modify to deal with people right-clicking in Firefox.

3) Stopping people saving the page with pictures to disk

As pointed out, next you'd like to stop people saving the page with graphics.
I don't know if the suggestion above works or not, but it looks interesting.

4) Stopping people doing a screen capture

The intelligent suggestion combines previous point with another.
Watermark important images with your identity and copyright notice,
and encode the same into the image itself invisibly.
Finally, don't use resolutions higher then what is absolutely necessary to
give a reasonable screen image (72 dpi) but is not good enough for
high quality printing. This has the added benefit of keeping the download
time for the webpages short and the experience for the viewer a fast loading page.

5) preventing robot harvestors from just raping you.

Store your pictures in a database, and only pull them out as needed to
build your pages and graphics on the fly, instead of leaving them sitting
in folders to be sucked up by robots. This has to be done on the server-side, but if your images are important, contact your service provider and arrange it.

Put key graphics in that has to be manually seen in order to type a response
to enter a site. This also stops webcrawling bots dead.

Use of Flash can also defeat amateur copiers from grabbing your stuff.

Please note that although any set of precautions can be 'defeated' by the
clever and the stubborn, you have to treat the job as a statistical problem.
Just as cops enforce speeding laws by catching a certain minimum percentage of speeders, and thus cause most drivers to more or less obey rules, it is a law of diminishing returns. A certain number of speeders will
always speed, even if their chance of getting caught is nearly 100%!
That hard-core 2%er group can't be deterred by radar traps.

Likewise, it is perfectly realistic to stop most users from taking your pictures,
however, you can't stop everyone. But the point is, you've stopped most
of them, and that is a useful and reasonable goal.

Twey
11-04-2005, 03:49 AM
(sigh)
It's still not efficient. It is very easy to disable all these measures. In fact, users without Javascript won't even know they're there.

Wedgy
11-04-2005, 03:58 AM
(sigh)
It's still not efficient. It is very easy to disable all these measures. In fact, users without Javascript won't even know they're there.
I agree with you wholeheartedly.
However, radar traps stop most speeders, who aren't race-drivers.
The question is, how effective are the techniques in reality?

I would say that 60% to 80% of viewers are honest and will not be
overly offended by a copyright reminder, especially if its out of sight
when normally viewing.

Twey
11-04-2005, 04:58 AM
I disagree. Your copyright "reminder" disables an important feature of their browser. This is very offensive indeed. The best course of action is to watermark the images. Failing that, you can put a small copyright notice at the bottom of every page, visible but unintrusive.

Wedgy
11-04-2005, 06:50 PM
When you disagree, do you mean 60% of viewers aren't honest, or will be offended? :)

Your solution seems inadequate for two reasons:

(1) a copyright notice on the page at all times is just needless clutter and an ugly eyesore.

(2) No one will read it. After Pavlovian programming which causes viewers to entirely ignore (and be annoyed by) anything that looks like advertizing or self-serving crap, its a virtual guarantee that viewers won't even be aware a small copyright notice exists, even after staring at it repeatedly for hours. Only conscious interaction can hope to make any effective communication on the web.

Your argument that my integrated solution "disables an important feature of their browser" seems ridiculous to me. Why is it important, and what can they use it for? Stealing your pictures. A properly designed clean webpage with important but copyrighted graphics also means removing any need for 'right-clicking' in the given context. If 'right-clicking' is needed, the page is poorly designed.

Will most users be 'offended'? Not unless they are hypersensitive effeminate clods who haven't taken their meds. Most people are familiar with and accept copyright notices as a matter of course. It is a courtesy NOT to put one in someone's face unless they are actually in the activity of breaking a reasonable copyright request. This parallels the case of NOT stopping and strip-searching shoppers unless you've seen them putting something into their pocket absentmindedly, and forgetting to pay for it at the cash register. No one should be offended when a polite security guard or store manager taps them on the shoulder and says,
"Excuse me sir, didn't you intend to pay for that item?"
An intelligent shopper appreciates being given the benefit of the doubt, and should respond,
"Yes, thank you. I absentmindedly put it in my pocket out of habit. Sorry."

Twey
11-04-2005, 07:44 PM
hypersensitive effeminate clods who haven't taken their meds.
Thanks a lot. Any self-respecting web designer, for a start, would make a small moue of disgust at such poor design.
Anyway.

a copyright notice on the page at all times is just needless clutter and an ugly eyesore.
This is not true. A properly styled copyright notice - for example, just slightly smaller than the main text, with slightly more contrast against the background - will stand out without appearing to intrude on the content. Quite besides this, it gives you more legal rights if someone does cause you harm by means of reusing one of your images. Also, I find it rather amusing that you, who would make the notice totally invisible to non-JS users, are arguing that it would be too difficult to notice (and too unnoticeable at the same time; not quite sure how you work that one...) a small polite text.

what can they use it for? Stealing your pictures.It's rather arrogant to apparently assume that browser manufacturers build in right-click functionality purely so that users can steal your images. Other things I personally might use right-click for:
Accessing various Firefox extensions that put their features there for easy access Quick back/forward Removing an obstruction that prevents me from seeing the content (Show Only This Frame and family) Mouse gestures, which could do anything from going back to enlarging text Bookmarking the page Viewing page info and cookies that have been set by the page.

Wedgy
11-04-2005, 11:30 PM
First thank you for your friendly and balanced response.

Your points raise a few interesting and pertinent questions:

(1) "non-JS users". Who are these people? What percentage of the website viewing population would they represent? 30%...3%? If 60-80% of browsers are still I.E., how many do you feel actually operate I.E. with javascript turned off as a rule?

I know a few 'firewall' applications for Mozilla/Firefox turn off Javascript, and make you manually turn Javascript ON once you go to a website and discover half of its features disabled, and key information unavailable. But even a paranoid by habit like myself found this idea endlessly annoying.

(2) Please note that I never advocated hijacking the 'right-click' button during the viewer's entire visit, but rather on a need-only basis, with key pages and content, which are assumed to be designed with the feature in mind. Presumablly if a viewer has wandered into a key area containing exciting copyrighted artistic material, he knows what he is getting into, and can expect normal precautions and notices.

Some of your concerns don't arise on a well-designed page, being visited with deliberate intent by a real (desired) viewer, such as 'removing an obstruction' or 'Frames' which shouldn't even be used at all according to good web design theory.
And accommodating Firefox 'special features' you will presumably concede is a 'subset of a subset' of web users, which I can't imagine to be more than 5% of the population.

warm regards, Wedgy.

mwinter
11-05-2005, 03:14 AM
The attitudes here seem awfully defeatist.Considerate and realisitic would be my assessment. But then again, as I've already presented my opinion here, so I would be rather biased. :D


The general question is a fair one, and a common one.Annoyingly so. However, deluding authors into thinking that these attempts actually work against the people that they should be defending themselves is not helpful.


It is easily solved [...]If that were true, I and many others, in this forum and elsewhere, would not have said on many occasions that it is not.


As always, there are legitimate reasons for wanting to disable copyingAbsolutely, but an understanding of the way in which the Web works quickly reveals that it just isn't possible. Yes, you can stupify the average user into thinking that nothing can be taken, but it isn't the average user that will make a habit of stealing copywritten material with any aim beyond personal use. And, if the user does just want to use an image for their desktop (for instance), what's the harm in that? If the author is concerned, the more important thing they should ponder is why exactly a desktop-sized, high quality image is available from the site in the first place.


(1) How to remove the idiotic mini-Toolbar.That can be done in the preferences for IE. Even though I don't use IE, I have it disabled because I agree: it is a waste of space. Still, that wouldn't stop me if I did use IE.


[...] distracting the viewer from the graphic design.Don't you mean content? ;)


2) How to Stop the Right-Click

This again is not unreasonable.Yes, it is. The UI and chrome should be off-limits to all Web authors. They have no business attempting to do anything with either. Their domain is the viewport.


[Some IE/NN4 blocking code]Easily removed with a very simple bookmarklet:



javascript:void(document.onmousedown=null);



[Some Fx blocking code]Blocked with another simple bookmarklet:



javascript:document.addEventListener('mousedown',function(e){if(e.button){e.stopPropagation()}},true);



3) Stopping people saving the page with pictures to disk

As pointed out, next you'd like to stop people saving the page with graphics.
I don't know if the suggestion above works or not, but it looks interesting.It does, but it will save the script, so I'll know exactly where to look to find the images. But, of course, I don't need to because I can just right-click.


4) Stopping people doing a screen capture

[Watermark the images]No disagreement there.


5) preventing robot harvestors from just raping you.

Store your pictures in a database, and only pull them out as needed to
build your pages and graphics on the fly, instead of leaving them sitting
in folders to be sucked up by robots.I don't see how that stops them at all. A bot obtains images by examining the markup for URLs. If you're serving the image at all, you'll have to include a URL so that a browser can download it, so the bot can do exactly the same thing.


Please note that although any set of precautions can be 'defeated' by the clever and the stubborn [...]As I said earlier, it's the clever and the stubborn that are the problem. If anyone makes a habit out of stealing material, they'll either invest time learning how to avoid these little annoyances (because that's all they are) or, if they have half a brain cell, they'll find out from something or someone else.

Script kiddies don't have the ability to hack networks themselves, but they know where to find tools that can.



(1) "non-JS users". Who are these people? What percentage of the website viewing population would they represent?As I said elsewhere, there is no specific number as it will vary based on the audience that a site will attract. However, there are few reasons why a user should ever be ignored just because they have client-side scripting disabled.

Incidentially, one (or one type) of these users are search engine robots. A very important visitor by most people's standards.

If you want to continue this topic, could you choose between this thread and the other one (http://www.dynamicdrive.com/forums/showthread.php?p=20314#post20314).

Mike

Wedgy
11-05-2005, 07:24 AM
Well, this one looks like it has the most interesting stuff in it, both as to code examples (and their flaws), and the philosophy behind various options.

So lets continue this thread. I at least am thoroughly enjoying this discussion.
And I am also modifying my opinion as I listen to various arguments here.
Note how important this topic is: the other thread got 70 viewers,
whereas this thread has over 1300 viewers!

But picking up from the other thread, isn't it fair to say that:

(1) Javascript *used to be* (thought of as) a 'security risk' and so people were advised to turn it off a few years ago.

(2) But this is no longer the case. Javascript is hardly a serious security risk, being totally client-side, and unable to penetrate servers.

(3) On the contrary, it turns out that Javascript has become an integral part of DHTML, and DHTML can hardly be conceived of without it.

(4) Finally, given the overwhelming number of sites (commercial, graphics, etc.) that use Javascript, and the wide and numerous applications it has, surely it is stupid to turn off Javascript.

-----
Part II:

Regarding the 'clever' minority of hackers etc. who can easily defeat all your precautions, this is just an example of the general case, that smart people make the best criminals, and can hardly be stopped. But that doesn't equate to banks just leaving your money on the counter, because embezzlement and fraud by a few arch-criminals is rampant and unstoppable. On the contrary, banks still put your money in a safe and employ security guards and ensure valuables, because it is still practical, even if The Canadian Liberals can steal hundreds of millions and get re-elected rather than go to jail, and George Bush can call for 'reform' after profiting from the biggest stock frauds in history. Some people can just screw everyone, but most people can't.

The CIA can read my Email, but most people can't. I can still use it.

A gun is ineffective against a bazooka, but it still kills people.

My point is, you CAN stop the majority of people from stealing your art if you want to, by making it reasonably inconvenient to do so. A few commercial theives will steal it anyway, but that has always been true.

There could be a calendar being sold in Mexico or Japan right now with your naked behind on it because you thought you were sunbathing on a private beach somewhere. But most of your friends probably won't see the calendar, or recognize your bum.

I find it defeatist to suggest you should do nothing, just because you can't do everything about theft.


I also find it disingenious to say 'statistics on the internet are useless' just because there are wide variations in key situations. This really is silly.

Everybody should know that 60-80% of browsers are Internet Explorer users, and while Firefox Fans may hate these statistics, they are quite real, and quite accurate when it comes to website hits, which are random but statistically very stable! It doesn't really depend on the site at all, or any other factor.

You can depend on the fact that 60% of your (real) hits will be by Internet Explorer from a PC or clone. End of story. We can ignore webcrawlers, but we don't ignore statistics when they are inconvenient for Firefox. If the statistics were the other way, you can bet that Firefox fans would be shouting about how important and accurate those statistics were!

Again, its a form of defeatism to view statistics or even estimates as hopelessly inaccurate and unreliable, when in fact they are quite useful. Web designers don't think such statistics are worthless, even when they personally hate Microsoft. Commercial sites have to accomodate I.E., because the statistics are accurate and useful. end of story.

Twey
11-05-2005, 01:27 PM
accommodating Firefox 'special features' you will presumably concede is a 'subset of a subset' of web users, which I can't imagine to be more than 5% of the population.

Other things I personally might use right-click for:These are my uses only. Other users are likely to use right-click for different things; however, they most certainly will use it in some way.
You can depend on the fact that 60% of your (real) hits will be by Internet Explorer from a PC or clone.But that doesn't mean you should neglect the other 40%, which is a considerable percentage even by your guesswork.

(1) Javascript *used to be* (thought of as) a 'security risk' and so people were advised to turn it off a few years ago.

(2) But this is no longer the case. Javascript is hardly a serious security risk, being totally client-side, and unable to penetrate servers.Not so. There are still a few Javascript flaws out there, quite capable of crashing the browser (and operating system, if the browser happens to be IE). In a more extreme case (this has happened), a Javascript flaw can be used to write a file (such as a program) to the user's hard drive, which could then be used to attack the user's computer from within or infect any other machines it comes into contact with - for example, Windows servers.

(3) On the contrary, it turns out that Javascript has become an integral part of DHTML, and DHTML can hardly be conceived of without it.Certainly Javascript is an integral part of DHTML, but, again, just because the majority of people will have it enabled, that's not to say that you should ignore the rest. The best thing to do is to create a DHTML page that degenerates nicely.
(4) Finally, given the overwhelming number of sites (commercial, graphics, etc.) that use Javascript, and the wide and numerous applications it has, surely it is stupid to turn off Javascript.Not really, considering the security risks above, little annoyances such as pop-in, pop-up or pop-under ads, and various other things. Sometimes the browser will not support Javascript. Consider, for example, a user who has a PC only capable of supporting Windows 3.1. Further, sometimes the user will not want to use a Javascript-enabled browser. I quite frequently boot up the computer just to check a piece of information. For this purpose, I can't be bothered to boot into a graphical environment, and just use a text-mode browser (ELinks (http://elinks.or.cz/)) in a virtual console. This browser does not support Javascript, but it is capable of displaying a well-designed site very well. If I were to come across a badly-designed site, I would simply leave it and go onto the next Google result.
There could be a calendar being sold in Mexico or Japan right now with your naked behind on it because you thought you were sunbathing on a private beach somewhere. But most of your friends probably won't see the calendar, or recognize your bum.I love your analogies. :D
My point is, you CAN stop the majority of people from stealing your art if you want to, by making it reasonably inconvenient to do so. A few commercial theives will steal it anyway, but that has always been true.Indubitably. Watermark your images, or show lower-quality previews. Make it inconvenient to the thieves, but don't inconvenience and annoy the casual user.
I also find it disingenious to say 'statistics on the internet are useless' just because there are wide variations in key situations. This really is silly."Key situations?" There are wide variations in all situations. For example, if you have a Linux-oriented website, you can almost guarantee that people won't be using Internet Explorer. If you offer Mac-oriented downloads on your site, a fair amount of people will be using Safari. If you offer information or products to people that are entirely computer-unrelated, you should cater to as many browsers as possible (not that you shouldn't do this anyway).

mwinter
11-05-2005, 01:51 PM
[...] isn't it fair to say that:

(1) Javascript *used to be* (thought of as) a 'security risk' and so people were advised to turn it off a few years ago.Many security vulnerabilities have traditionally been related to scripting (though not exclusively so), especially for IE and in combination with ActiveX. However, to think that these risks are a thing of the past is to ignore the updates that Microsoft keep releasing on a regular basis.


(2) But this is no longer the case. Javascript is hardly a serious security risk, being totally client-side, and unable to penetrate servers.The risk was never to servers. They have their own problems.


(3) On the contrary, it turns out that Javascript has become an integral part of DHTML, and DHTML can hardly be conceived of without it.DHTML is a buzz word, not a concept. However, using client-side scripting to manipulate the document tree obviously isn't much without the scripting. :rolleyes:


(4) Finally, given the overwhelming number of sites (commercial, graphics, etc.) that use Javascript, and the wide and numerous applications it has, surely it is stupid to turn off Javascript.Whether you consider a user's choice to be stupid is irrelevant as it's the user's choice to make. It's the author's responsibility to cope with the possible choices that users make. Still, as I said before, no script support isn't the only reason to design scripts that degrade gracefully and, if that controlled degradation is implemented, the question of script support becomes null and void.

One reason that you don't seem to have considered is that some people don't like the effects that some authors produce. A user doesn't need to worry about that annoying in-window pop-up, or the distracting dancing penguin in the corner, if scripts don't run to produce those effects.

For clarity, what sort of uses are you considering? Navigation? Decorative effects? Validation?


Regarding the 'clever' minority of hackers etc. who can easily defeat all your precautions [...] that doesn't equate to banks just leaving your money on the counter, because embezzlement and fraud by a few arch-criminals is rampant and unstoppable.Of course, but that's because cash is arguably more valuable. Moreover, for criminals not to be caught, they really do need to be smart. That isn't necessarily true here.


My point is, you CAN stop the majority of people from stealing your art if you want to, by making it reasonably inconvenient to do so.And you seem to be consistently missing my point: the average user isn't the problem, either because they couldn't care less about taking the content, or because if they did it would be for personal use only, not redistribution and resale.

If you painted something beautiful, or composed an emotive musical piece, and I decided to download it so I don't have to keep going back to your site to see or hear it, where's the harm? It's exactly the same as going back each time, but without the bandwidth drain. If your answer is lost revenue, then the problem is that this content is of sufficient quality to replace the purchased item, not that I didn't purchase it.

Content samples should just be samples. Music should be short and, optionally, of low quality. Images should be small and, again (optionally), of low quality. Additionally, an intrusive copyright notice or logo should be included in a way that would be difficult to either ignore or remove.

In other words, measures should be taken that actively depreciate the quality and desirability of the item. A user should be able to appreciate what the finished product would be like, and therefore decide whether they'd want it, but that's all.


I also find it disingenious to say 'statistics on the internet are useless' just because there are wide variations in key situations.At most, Web statistics show trends. Browsers routinely misrepresent themselves, so attempting to garner anything more is pointless. More to the point, there isn't really any need for them: an author should be developing for the user, not the browser. What they are using is immaterial because the site should address as many potential users as feasible, and therefore any viable user agent they might be using.

Mike

Wedgy
11-05-2005, 07:09 PM
First, Thank you again for your balanced and detailed responses.
You can take it that if I don't challenge one of your points I can concede the essential content, or recognize the balance is better including your side of the argument.

For instance,

But that doesn't mean you should neglect the other 40%...
The best thing to do is to create a DHTML page that degenerates nicely.
...Watermark your images, or show lower-quality previews.
Make it inconvenient to the thieves,
but don't inconvenience and annoy the casual user.


vulnerabilities...especially for IE and in combination with ActiveX...
...client-side scripting ... isn't much without the scripting.(!)
...some people don't like the effects that some authors produce.
...criminals...really do(n't) need to be smart.

These are all good counterpoints, guidelines and sentiments.

I would only add following qualifiers:

(1) Pragmatically speaking, by all means don't ignore the <40% but still, you have to favour the majority of users.

(2) Most hackers/the best hackers aren't interested in crashing IE browsers, they want to penetrate servers. So although I don't doubt someone could find yet another 'hole' to poke IE with, the security issue is extremely low priority.

(3) The issue really is around Active-X, (or I.E. flaws) not Javascript. Otherwise Firefox would be in equal jeopardy.

(4) The solution for annoying popups and animations is to encourage better site design, via competative market forces, not by the extreme last resort of recommending people shut off Javascript. You will have more effect Emailing an offending website to complain than by shutting off your browser.

(5) The "who does it harm?" argument is bogus. Time is money is pain. While dipping into the potential profits of large corporations isn't a crime, its a critical market-force preventing excess greed, small businesses and starving artists can and should be assisted to protect their economic interests, which may mean the difference between gainful employment and starving to death.

(6) While one cannot apply general statistical trends to special cases (like the ones you keep listing - Linux sites etc.), they still have real bite in the uncontrolled traffic of the internet. Only base (repeat) customers will begin to form a special demographic. The majority of new users will reflect general population statistics.

still thinking, Wedgy.

Twey
11-06-2005, 10:10 AM
(1): certainly, but you are doing exactly that.
(2): I disagree. Hackers love to find browser-crashing holes. It's a great pastime. As you say, however, they won't actually be interested in crashing the browser. There are plenty of sites that will crash a browser, if you search on the web; some of them won't be so nice as to tell you so.
(3): Yes, but Javascript is frequently used to get around what "security" the ActiveX system has.
(4): I agree whole-heartedly. However, no-one is recommending people to shut off Javascript; I was merely stating a few reasons why they might shut off Javascript.
(5): You miss the point. If it will cost time or money, then yes, these are reasonable grounds for protecting images with a watermark or low-quality preview. However, in most cases, it isn't necessary. If you have a low-quality preview image, and somebody steals it, where is the loss? The problem would arise if that person stole the full-quality image, in which case the only real culprit is you, for leaving such valuable content lying in an accessible position.
(6): Agreed, but you must be aware that a very considerable portion of the Internet is made up of "special cases."

mwinter
11-06-2005, 03:12 PM
Twey has pretty much made the points that I would want to, but I may as well weigh in myself.


(1) Pragmatically speaking, by all means don't ignore the <40% but still, you have to favour the majority of users.I don't like your choice of wording, but I essentially agree. I recently made a similar statement on Usenet:


The average type of visitor, whatever that might be, is going to be the most frequently encountered and so a site must render well for them. However, that shouldn't mean summarily dismissing everyone else [...].


(2) Most hackers/the best hackers aren't interested in crashing IE browsers, they want to penetrate servers.The best hackers probably aren't interested in either. The motivation is knowledge in general, as well as knowing that they have the power to break into a system. There will be some malicious hackers, of course, but a lot of that activity is also performed by those that learn the hackers' methods second-hand.


So although I don't doubt someone could find yet another 'hole' to poke IE with, the security issue is extremely low priority.To you, perhaps, but maybe not to a company that uses IE in office machines on its network.


(3) The issue really is around Active-X, (or I.E. flaws) not Javascript.Both are at issue.


Otherwise Firefox would be in equal jeopardy.Only if the Mozilla teams developed the same vulnerabilities. Whilst Fx will inevitably have its own flaws (Mozilla have released new versions for security purposes), they are unlikely to be as severe as those for IE, especially due to the latter's integration within the operating system and some of its questionable 'features'.


(4) The solution for annoying popups and animations is to encourage better site design, via competative market forces, not by the extreme last resort of recommending people shut off Javascript.Of course, which is why I didn't make such a recommendation.


You will have more effect Emailing an offending website to complain than by shutting off your browser.That's very unlikely. Many are frustratingly intransigent. A large number of complaints may effect change, but you won't have much luck otherwise.


(5) The "who does it harm?" argument is bogus.I get the feeling you didn't read my argument properly.

If a user can download material that is of high-enough quality that they needn't buy it, then obviously some loss of revenue will result (some will still buy). That is why I recommended that high-quality material shouldn't be made publically available in the first place. You cannot protect it, so it shouldn't exist on the Web. The Web is, after all, all about sharing information.

Mike

Wedgy
11-06-2005, 10:27 PM
Again, I feel compelled to refine some statements, as you also have:


If you have a low-quality preview image, and somebody steals it, where is the loss? It is all a question of degree. If the low-res image is just good enough to satisfy the user's needs, a sale is lost. Because of a nail, a horseshoe was lost. Because of a horseshoe a rider was lost...


The motivation is knowledge in general, as well as knowing that they have the power to break into a system. This seems generously naive to a dangerous fault. The majority of important and successful hacking isn't motivated by ideological abstractions. Its motivated by greed. People steal personal info, credit card numbers, complete I.D.s, because there are 150 different wars taking place on the planet at any time, and its a multi-million dollar industry (fraud and theft).

Welcome to the real world, outside the ivory towers University Professors hide in, where people shoot each other in the back of the head over a fistful of dollars.


You will have more effect Emailing an offending website to complain than by shutting off your browser. That's very unlikely. Many are frustratingly intransigent. A large number of complaints may effect change, but you won't have much luck otherwise.Of course you only have one opinion, so you should only have about one vote.
That is just exactly as it should be. But don't burn your ballot.

But most commercial businesses have the brains to know that one registered complaint probably represents anywhere from 10 to 100 unhappy customers that havent the time or motivation to stop and tell you what's wrong with your website. Just as every newspaper editor and pollster knows, you have to treat every complaint by multiplying it by a large factor, and assume you are dealing with a group of unsatisfied users.

Any website manager who ignores even a few emails containing constructive complaints is a complete fool.
If commerce is involved, he's an even bigger fool.

mwinter
11-06-2005, 11:33 PM
If the low-res image is just good enough to satisfy the user's needs, a sale is lost.If that's the case, then yes, revenue will be lost but nothing short of removing the image entirely will stop that.



The motivation is knowledge in general, as well as knowing that they have the power to break into a system.This seems generously naive to a dangerous fault.Only when you misrepresent what I wrote, as you have done.

Hacking isn't the sole preserve of the criminal, you know.



A large number of complaints may effect change, but you won't have much luck otherwise.Of course you only have one opinion, so you should only have about one vote.
That is just exactly as it should be.A fact is a fact. It doesn't matter whether one, ten, or a thousand state it. The exception, of course, is with a layman who may see weight of numbers as proof, which is generally reasonable.

Mike

Wedgy
11-07-2005, 05:08 AM
A fact is a fact. It doesn't matter whether one, ten, or a thousand state it. The exception, of course, is with a layman who may see weight of numbers as proof, which is generally reasonable.
And in an ideal world facts would be self-evident, or simply established for all.
In this world, even science must rely ultimately upon concensus of peers and painstaking double-checking, with certainty a widely variable quantity, rarely scoring beyond a weak probability.

When you find that most 'facts' aren't scientific, but rather a blend of common experience, perception and opinion, it is even more important for fairness,
establishing the stability of convention, and the sharing of power that you rely upon voting systems, spreading control "among many counsellors" as the Bible says.

Such is the case here too. It is a question of degree and perhaps even 'style' how far we take copy-protection or information management. And since many variations would perhaps function equally well, and many people's opinions vary as to where to draw lines in gray zones, consultation, concensus, and even a little freedom to experiment is quite reasonable.

Only fundamentalists possess 'facts' on stone tablets.

Twey
11-07-2005, 11:16 AM
Only fundamentalists possess 'facts' on stone tablets.Yes, OK, if you want to get all philosophical about it we can't really prove anything. However, if you go to validate a site with the W3C validator, and it says in big bold letters "THIS SITE DOES NOT VALIDATE," it's a fairly safe bet to say that the site doesn't validate with the W3C validator. If you open a site up with a non-JS browser, and you can't see any of the vital images because some smart alec has decided to protect them all with an elaborate Javascript protection scheme, you can be pretty sure that the site has been badly designed, and doesn't cater acceptably to all browsers, as it should.

Wedgy
11-13-2005, 12:36 AM
I have to agree with you.

We'd like to avoid 'dogmatic', but we have to be practical.

The two most useful things I have gotten out of this thread so far,
have been the advice on watermarking, of which I needed reminding,
and the trick of including a setting in the IMG tag, to turn off the
annoying boxes in the corner of an image in I.E.

Thanks to everyone for a wonderful thread and discussion.

- Wedgy.

LasVegasPapillon
11-17-2005, 11:01 AM
not sure if this has been said already.. but as far as keeping whats yours, yours.. there really is no way unless you watermark, and even this isnt tricky. all it takes to steal a watermarked image with no right-click-to-save ability, is the print screen button and adobe photoshop.

Wedgy
11-17-2005, 02:07 PM
oh yeah I forgot about the (ctrl- shft-) Printscrn button. I forget what combo actually saves your screen to a RAM cut n paste area, from which you can import it to photoshop or whatever.

I had noticed in the past that doing this for Word 97 results in blank pictures (annoying) when you reload the Word file. (no picture is saved to disk with your wordfile).
So I stopped using that feature a long time ago. I found that you had to import an actual file from disk if you wanted Word not to lose track of it.

nicola
12-01-2005, 03:08 PM
Very interesting thread, sound like most of you can get your issues resolved with the simple HTML Protector tool (made by antssoft). This will protect your pages and graphics and content and source codes and saving sites etc...

it has many options....

- Compatibility with All Popular Web Browsers
- Encrypt E-mail Address Links to Reduce Spam
- Protect Your Website from Automated Downloading Programs
- Encrypt the HEAD and BODY Section of Your HTML Source Code
- Flexible Encryption Options
- Exclude parts of the code from being encrypted as you specified
- Disable the Image Toolbar and Smart Tags
- Disable Right Click Abilities on Pages or Graphics
- Disable the Ability to Select Text and Copy to the Clipboard
- Disable the Ability to View Your Pages Offline
- Have Link Addresses Not Appear in the Status Bar
- Disable Page Printing
- Disable Clipboard and Print Screen
- Disable Drag and Drop
- Disable Adobe Acrobat Web Capture
- Disable Opera Browser users
- Prevent Other Websites from Framing Your Web Page
- Ensure your web page is being visited normally from a specific domain/URL location
- Ensure your web page is being visited normally from a specific domain/URL referrer
- Protect image on page by using server-side script (PHP, Perl and ASP)
- Protect image on page by converting it into Flash movie
- Protect image on page by splitting it into pieces
- Protect image on page by adding text-base or image-based watermark to it
- Insert a Copyright String into the HTML Code

all of which are customizable and optional....

hope this info helps you all!

nicola

nicola
12-01-2005, 03:10 PM
oops, forgot to give you address of tool...
antssoft.com/htmlprotector

Twey
12-01-2005, 03:59 PM
"Disable Opera Browser users?" What the heck? That's a FEATURE?! And viewing the demo page (http://antssoft.com/htmlprotector/protected_sample.htm) in Firefox, Konqueror, and Opera, certainly "popular browsers," redirects me to about:blank. Nice software. It reminds me a lot of HTMLBlock's piece of... erm... rubbish, down to and including the name of the decryption function, "hp_d01."

It can't be done.
Let it be.

cr3ative
12-01-2005, 04:07 PM
"Disable Opera Browser users?" What the heck? That's a FEATURE?! And viewing the demo page (http://antssoft.com/htmlprotector/protected_sample.htm) in Firefox, Konqueror, and Opera, certainly "popular browsers," redirects me to about:blank. Nice software. It reminds me a lot of HTMLBlock's piece of... erm... rubbish, down to and including the name of the decryption function, "hp_d01."

It can't be done.
Let it be.

Redirects to about:blank here too.
*prays we don't have another HTMLBlock on our hands*

Twey
12-01-2005, 04:27 PM
After deciphering the source, I've worked out why we get about:blank redirects: as a sample page, it redirects to about:blank if the URI doesn't contain "www.antssoft.com". Add the www in and all is OK (cough cough).
Page source, after "decryption" (which took me about fifteen minutes):

<!--hppage status="protected"-->
<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><SCRIPT LANGUAGE="JavaScript"><!--
hp_ok=true;
function hp_d01(s){
if(!hp_ok) return;
var o="", ar=new Array(), os="", ic=0;
for(i=0;i<s.length;i++){
c=s.charCodeAt(i);
if(c<128) c=c^2;os+=String.fromCharCode(c);
if(os.length>80){
ar[ic++]=os;os=""
}
}
o=ar.join("")+os;
document.write(o)
}//-->
</SCRIPT>
<SCRIPT LANGUAGE="JavaScript"><!--
function hp_ne(){return true}
onerror=hp_ne;
function hp_dn(a){return false}
function hp_cm(){
alert("\u0054\u0068\u0069\u0073\u0020\u0070\u0061\u0067\u0065\u0020\u0068\u0061\u0073\u0020\u0062\u0065\u0065\u006E\u0020\u0070\u0072\u006F\u0074\u0065\u0063\u0074\u00 65\u0064\u002E\u0020\u0050\u0072\u0065\u0076\u0069\u0065\u0077\u0020\u006F\u006E\u006C\u0079\u002E"); // "This page has been protected. Preview only."
return false
}
function hp_de(e){
return(e.target.tagName!=null&&e.target.tagName.search('^(INPUT|TEXTAREA|BUTTON|SELECT)$')!=-1)};
function hp_md(e){
mac=navigator.userAgent.indexOf('Mac')!=-1;
if(document.all){
if(event.button==2||(mac&&(event.ctrlKey||event.keyCode==91))){
alert("\u0054\u0068\u0069\u0073\u0020\u0070\u0061\u0067\u0065\u0020\u0068\u0061\u0073\u0020\u0062\u0065\u0065\u006E\u0020\u0070\u0072\u006F\u0074\u0065\u0063\u0074\u00 65\u0064\u002E\u0020\u0050\u0072\u0065\u0076\u0069\u0065\u0077\u0020\u006F\u006E\u006C\u0079\u002E"); // "This page has been protected. Preview only."
return(false)
}
} else {
if(e.which==3||(mac&&(e.modifiers==2||e.ctrlKey))){
alert("\u0054\u0068\u0069\u0073\u0020\u0070\u0061\u0067\u0065\u0020\u0068\u0061\u0073\u0020\u0062\u0065\u0065\u006E\u0020\u0070\u0072\u006F\u0074\u0065\u0063\u0074\u00 65\u0064\u002E\u0020\u0050\u0072\u0065\u0076\u0069\u0065\u0077\u0020\u006F\u006E\u006C\u0079\u002E"); // Guess.
return false
} else if(e.which==1){
window.captureEvents(Event.MOUSEMOVE);
window.onmousemove=hp_dn
}
}
}
function hp_mu(e){
if(e.which==1){
window.releaseEvents(Event.MOUSEMOVE);
window.onmousemove=null
}
}
if(navigator.appName.indexOf('Internet Explorer')==-1||(navigator.userAgent.indexOf('MSIE')!=-1&&document.all.length!=0)){
if(document.all){
mac=navigator.userAgent.indexOf('Mac')!=-1;
version=parseFloat('0'+navigator.userAgent.substr(navigator.userAgent.indexOf('MSIE')+5),10);
if(!mac&&version>4){
document.oncontextmenu=hp_cm
}else{
document.onmousedown=hp_md;
document.onkeydown=hp_md;
}
document.onselectstart=hp_dn
}else if(document.layers){
window.captureEvents(Event.MOUSEDOWN|Event.modifiers|Event.KEYDOWN|Event.MOUSEUP);
window.onmousedown=hp_md;
window.onkeydown=hp_md;
window.onmouseup=hp_mu
}else if(document.getElementById&&!document.all){
document.oncontextmenu=hp_cm;
document.onmousedown=hp_de
}
}
if(window.location.href.substring(0,4)=="file") window.location="about:blank";
function hp_nls(){
window.status="";
setTimeout("hp_nls()",10)
}
hp_nls();
function hp_dp1(){
for(i=0;i<document.all.length;i++){
if(document.all[i].style.visibility!="hidden"){
document.all[i].style.visibility="hidden";document.all[i].id="hp_id"
}
}
};
function hp_dp2(){
for(i=0;i<document.all.length;i++){
if(document.all[i].id=="hp_id") document.all[i].style.visibility=""
}
};
window.onbeforeprint=hp_dp1;
window.onafterprint=hp_dp2;
document.write('<style type="text/css" media="print"><!--body{display:none}--></style>');
function hp_dc(){
hp_ta.createTextRange().execCommand("Copy");
setTimeout("hp_dc()",300)
}
if(navigator.appName.indexOf('Internet Explorer')==-1||(navigator.userAgent.indexOf('MSIE')!=-1&&document.all.length!=0)){
if(document.all&&navigator.userAgent.indexOf('Opera')==-1){
document.write('<div style="position:absolute;left:-1000px;top:-1000px"><input type="textarea" name="hp_ta" value=" " style="visibility:hidden"></div>');
hp_dc()
}
}
function hp_ndd(){return false}
document.ondragstart=hp_ndd;
if(navigator.appName.indexOf('Internet Explorer')!=-1&&(navigator.userAgent.indexOf('MSIE')==-1||document.all.length==0)) hp_ok=false;
if(document.all) document.write('<link rel=stylesheet type="text/css" href="hp_null.css">');
if(frames){
if(top.frames.length>0) top.location.href=self.location;
}
if(window.location.href.indexOf("http://www.antssoft.com/")==-1) window.location="about:blank";
//--></SCRIPT>
<META HTTP-EQUIV="Expires" CONTENT="0"><META HTTP-EQUIV="ImageToolbar" CONTENT="No">
<title>Sample page protected by HTMLProtector</title>

<STYLE type=text/css>
<!--

body, p, td, dd, dt, ul, ol, li, blockquote {font-family: "verdana", "arial", "sans-serif"; font-size: 9pt; color: 111111;}
div.sidebar {font-size: 8pt; margin: 0}
h1, div.title {color: 000079; font-size: medium; font-weight: bold; margin-bottom: 0}
h2 {color: 000079; font-size: small; font-weight: bold; margin-bottom: 0}
dt {color: 000079; font-weight: bold; margin-bottom: 0.5em; margin-top: 2em}

A:aalink {font-weight:bold; text-decoration: none}
-->
</STYLE>
</head>

<BODY><NOSCRIPT>To display this page you need a browser with JavaScript support.</NOSCRIPT><body bgcolor="#FFFFFF" text="#000000">
<h1 align="center">Sample page protected by HTMLProtector<br>
<br>
</h1>
<table width="100%" border="0">
<tr>
<td width="120">
<div align="center"><!--hpbackupstart type="0" data="2W5pn9+EsovULLdpqojmraiKiG3e5VoGqkqHfsXcsTghiHfPn1Bw/d20JDo9"--><table border="0" cellpadding="0" cellspacing="0"><tr><td><img src="b9509bd90c98ebc3cfae7b82240758b5.jpg" hspace="0" vspace="0" width="40" height="40"></td><td><img src="8c356f8d82b111ca30a7d132a4ed3019.jpg" hspace="0" vspace="0" width="40" height="40"></td></tr><tr><td><img src="d36c8f474aa3b3eab6760fc229c9b00f.jpg" hspace="0" vspace="0" width="40" height="40"></td><td><img src="415011285b1989079a6ef32b794911d7.jpg" hspace="0" vspace="0" width="40" height="40"></td></tr></table><!--hpbackupend--></div>
</td>
<td width="874">
<p align="center">It's a sample text paragraph.<br>
<a href="/htmlprotector/index.htm">It's a sample link</a>.<br>
<a href="mailto:support@antssoft.com">It's a sample email link</a>.</p>
</td>
</tr>
</table>
<p>This page has been protected by HTMLProtector with follow features:</p>
<ul>
<li>Protect BODY section</li>
<li>Make page expire immediately</li>
<li>Disable Internet Explorer 6 image toolbar</li>
<li>Disable right mouse button</li>
<li>Disable text select</li>
<li>Disable off-line viewing</li>
<li>Don't display links in status bar</li>
<li>Disable page printing</li>
<li>Disable clipboard and printscreen</li>
<li>Disable drag and drop</li>
<li>Disable adobe acrobat web capture</li>
<li>Kill frame</li>
<li>Location lock</li>
<li>Protect image by splitting it into pieces</li>
</ul>
<p>Please take a look on what HTMLProtector can do for you!</p>
</body></BODY>
</html>Not particularly neat code, as we can see.

/EDIT: I've cleaned up the Javascript a little, and I find it rather amusing that it took me longer to do this than to "decrypt" the code. Would you trust your site to this?
/FURTHER EDIT: Looking at it, being as the functions are all named hp_*, I deduce that this was probably AntsSoft's code before HTMLBlock got his little hands on it.

mwinter
12-01-2005, 06:52 PM
Page source, after "decryption" (which took me about fifteen minutes):That long? :D Undoubtedly, I just took an easier route: open the page in Firefox, open the DOM Inspector from the Tools menu, right-click on the HTML node and select Copy XML from the context menu.

Such excellent protection there... :rolleyes:

I'm sure that when this last came up, I posted a bookmarklet that disabled virtually every feature that 'service' was supposed to provide. Well, here is is again: :D



javascript:void(hp_dc=hp_nls=function(){});void(onmousemove=document.onmousedown=document.onkeydown=document.ondragstart=document.onselectstart= document.oncontextmenu=onafterprint=null);void(onbeforeprint=function(){var c=document.styleSheets,s,r;if(c){for(var i=0;i<c.length;++i){if('print'==(s=c[i]).media){for(var j=0;j<s.rules.length;++j){if('body'==(r=s.rules[j]).selectorText.toLowerCase()&&'none'==r.style.display){void(s.disabled=true);}}}}}});
That will not restore printing in Firefox (I think I wrote it originally for IE), but will do pretty much everything else.

Mike

Twey
12-01-2005, 07:06 PM
... open the page in Firefox, open the DOM Inspector from the Tools menu, right-click on the HTML node and select Copy XML from the context menu.Unfortunately, this is foiled by hp_d01. :( Coupled with the about:blank thing, which meant I couldn't view it in a Javascript-enabled browser, I was slowed down a little. In the end I used Links to save a copy to my hard drive, and added "document.write()" calls to insert <textarea> and </textarea> tags around the "encrypted" source :)

document.onconte xtmenu=onWhen spaces attack!

mwinter
12-01-2005, 07:45 PM
Unfortunately, this is foiled by hp_d01. :( :confused: Not here, though the output isn't quite the same as the 'decoding' scripts remain encoded. Programs like Notepad will also make a hash of things because they don't respect the line breaks (though my editor's fine with them).


In the end I used Links to save a copy to my hard drive, and added "document.write()" calls to insert <textarea> and </textarea> tags around the "encrypted" source :)I think I've overrode the document.write method in the past to replace < characters with &lt&#59; entities before calling the original write method, causing the output to be treated more like plain text. Haven't tried it here, though.


When spaces attack!That was caused by the forum software objecting to the unbroken sequence of assignments. I included a space before the preceeding assignment operator, and the existing whitespace seems to have sufficed for the rest. Good catch, though.

Mike

Twey
12-01-2005, 08:05 PM
Not hereHm? My output from that includes:

&lt;!--
hp_d01(unescape(&quot;&gt;QAPKRV%22NCLEWCEG? HctcQapkrv %3C&gt;#//dwlavkml%22jr]lg*+ypgvwpl%22vpwg%7Fmlgppmp?jr]lg9dwlavkml%22jr]fl*c+ypgvwpl%22dcnqg%7Fdwlavkml%22jr]ao*+ycngpv* ^w2276^w224:^w224;^w2251^w2202^w2252^w2243^w2245^w2247^w2202^w224:^w2243^w2251^w2202^w2240^w2247^w2247^w224G^w2202^w2252^w2250^w224D^w2256^w2247^w2241^w2256^w22 47^w2246^w220G^w2202^w2272^w2250^w2247^w2254^w224;^w2247^w2255^w2202^w224D^w224G^w224A^w225;^w220G +9pgvwpl%22dcnqg%7Fdwlavkml%22jr]fg*g+ypgvwpl*g,vcpegv,vceLcog#?lwnn$$g,vcpegv,vceLcog,qgcpaj*%25%5C*KLRWV~VGZVCPGC~@WVVML~QGNGAV+&amp;%25+#?/3+%7F9dwlavkml%22jr]of*g+yoca?lctkecvmp,wqgpCeglv,klfgzMd*%25Oca%25+#?/39kd*fmawoglv,cnn+ykd*gtglv,`wvvml??0~~*oca$$*gtglv,avpnIg{~~gtglv,ig{Amfg??;3+++ycngpv* ^w2276^w224:^w224;^w2251^w2202^w2252^w2243^w2245^w2247^w2202^w224:^w2243^w2251^w2202^w2240^w2247^w2247^w224G^w2202^w2252^w2250^w224D^w2256^w2247^w2241^w2256^w22 47^w2246^w220G^w2202^w2272^w2250^w2247^w2254^w224;^w2247^w2255^w2202^w224D^w224G^w224A^w225;^w220G +9pgvwpl*dcnqg+%7F%7Fgnqgykd*g,ujkaj??1~~*oca$$*g,omfkdkgpq??0~~g,avpnIg{+++ycngpv* ^w2276^w224:^w224;^w2251^w2202^w2252^w2243^w2245^w2247^w2202^w224:^w2243^w2251^w2202^w2240^w2247^w2247^w224G^w2202^w2252^w2250^w224D^w2256^w2247^w2241^w2256^w22 47^w2246^w220G^w2202^w2272^w2250^w2247^w2254^w224;^w2247^w2255^w2202^w224D^w224G^w224A^w225;^w220G +9pgvwpl%22dcnqg%7Fgnqg%22kd*g,ujkaj??3+yuklfmu,acrvwpgGtglvq*Gtglv,OMWQGOMTG+9uklfmu,mlomwqgomtg?jr]fl%7F%7F%7Fdwlavkml%22jr]ow*g+ykd*g,ujkaj??3+yuklfmu,pgngcqgGtglvq*Gtglv,OMWQGOMTG+9uklfmu,mlomwqgomtg?lwnn%7F%7Fkd*lctkecvmp,crrLcog,klfgzMd*%25Klvgplgv%22Gzrnmpgp%25+??/3~~*lctkecvmp,wqgpCeglv,klfgzMd*%25OQKG%25+#?/3$$fmawoglv,cnn,nglevj#?2++ykd*fmawoglv,cnn+yoca?lctkecvmp,wqgpCeglv,klfgzMd*%25Oca%25+#?/39tgpqkml?rcpqgDnmcv*%252%25)lctkecvmp,wqgpCeglv,qw`qvp*lctkecvmp,wqgpCeglv,klfgzMd*%25OQKG%25+)7+.32+9kd*#oca$$tgpqkml%3C6+yfmawoglv,mlamlvgzvoglw?jr]ao%7Fgnqgyfmawoglv,mlomwqgfmul?jr]of9fmawoglv,mlig{fmul?jr]of9%7Ffmawoglv,mlqgngavqvcpv?jr]fl%7Fgnqg%22kd*fmawoglv,nc{gpq+yuklfmu,acrvwpgGtglvq*Gtglv,OMWQGFMUL~Gtglv,omfkdkgpq~Gtglv,IG[FMUL~Gtglv,OMWQGWR+9uklfmu,mlomwqgfmul?jr]of9uklfmu,mlig{fmul?jr]of9uklfmu,mlomwqgwr?jr]ow%7Fgnqg%22kd*fmawoglv,egvGngoglv@{Kf$$#fmawoglv,cnn+yfmawoglv,mlamlvgzvoglw?jr]ao9fmawoglv,mlomwqgfmul?jr]fg%7F%7Fkd*uklfmu,nmacvkml,jpgd,qw`qvpkle*2.6+?? dkng +uklfmu,nmacvkml? c`mwv8`ncli 9dwlavkml%22jr]lnq*+yuklfmu,qvcvwq? 9qgvVkogmwv* jr]lnq*+ .32+%7Fjr]lnq*+9dwlavkml%22jr]fr3*+ydmp*k?29k&gt;fmawoglv,cnn,nglevj9k))+ykd*fmawoglv,cnnYk_,qv{ng,tkqk`knkv{#? jkffgl +yfmawoglv,cnnYk_,qv{ng,tkqk`knkv{? jkffgl 9fmawoglv,cnnYk_,kf? jr]kf %7F%7F%7F9dwlavkml%22jr]fr0*+ydmp*k?29k&gt;fmawoglv,cnn,nglevj9k))+ykd*fmawoglv,cnnYk_,kf?? jr]kf +fmawoglv,cnnYk_,qv{ng,tkqk`knkv{? %7F%7F9uklfmu,ml`gdmpgrpklv?jr]fr39uklfmu,mlcdvgprpklv?jr]fr09fmawoglv,upkvg*%25&gt;qv{ng%22v{rg? vgzv-aqq %22ogfkc? rpklv %3C&gt;#//`mf{yfkqrnc{8lmlg%7F//%3C&gt;-qv{ng%3C%25+9dwlavkml%22jr]fa*+yjr]vc,apgcvgVgzvPcleg*+,gzgaAmooclf* Amr{ +9qgvVkogmwv* jr]fa*+ .122+%7Fkd*lctkecvmp,crrLcog,klfgzMd*%25Klvgplgv%22Gzrnmpgp%25+??/3~~*lctkecvmp,wqgpCeglv,klfgzMd*%25OQKG%25+#?/3$$fmawoglv,cnn,nglevj#?2++ykd*fmawoglv,cnn$$lctkecvmp,wqgpCeglv,klfgzMd*%25Mrgpc%25+??/3+yfmawoglv,upkvg*%25&gt;fkt%22qv{ng? rmqkvkml8c`qmnwvg9ngdv8/3222rz9vmr8/3222rz %3C&gt;klrwv%22v{rg? vgzvcpgc %22lcog? jr]vc %22tcnwg? %22 %22qv{ng? tkqk`knkv{8jkffgl %3C&gt;-fkt%3C%25+9jr]fa*+%7F%7Fdwlavkml%22jr]lff*+ypgvwpl%22dcnqg%7Ffmawoglv,mlfpceqvcpv?jr]lff9kd*lctkecvmp,crrLcog,klfgzMd*%25Klvgplgv%22Gzrnmpgp%25+#?/3$$*lctkecvmp,wqgpCeglv,klfgzMd*%25OQKG%25+??/3~~fmawoglv,cnn,nglevj??2++jr]mi?dcnqg9kd*fmawoglv,cnn+fmawoglv,upkvg*%25&gt;nkli%22pgn?qv{ngqjggv%22v{rg? vgzv-aqq %22jpgd? jr]lwnn,aqq %3C%25+9kd*dpcogq+ykd*vmr,dpcogq,nglevj%3C2+vmr,nmacvkml,jpgd?qgnd,nmacvkml9%7Fkd*uklfmu,nmacvkml,jpgd,klfgzMd* jvvr8--uuu,clvqqmdv,amo- +??/3+uklfmu,nmacvkml? c`mwv8`ncli 9--//%3C&gt;-QAPKRV%3C&quot;));//--&gt; </SCRIPT>
<SCRIPT language="JavaScript">
&lt;!--
hp_d01(unescape(&quot;&gt;`mf{%22`eamnmp? !DDDDDD %22vgzv? !222222 %3C&gt;j3%22cnkel? aglvgp %3CQcorng%22rceg%22rpmvgavgf%22`{%22JVONRpmvgavmp&gt;`p%3C%22%22&gt;`p%3C&gt;-j3%3C&gt;vc`ng%22ukfvj? 322' %22`mpfgp? 2 %3C%22%22&gt;vp%3C%22%22%22%22%22&gt;vf%22ukfvj? 302 %3C%22%22%22%22%22%22%22&gt;fkt%22cnkel? aglvgp %3C&gt;#//jr`caiwrqvcpv%22v{rg? 2 %22fcvc? 0U7rl;)GqmtWNNfrsmhopckIkE1g7TmEsisJdqZaqVejkJdRl3@u-f02HFm; //%3C&gt;vc`ng%22`mpfgp? 2 %22agnnrcffkle? 2 %22agnnqrcakle? 2 %3C&gt;vp%3C&gt;vf%3C&gt;koe%22qpa? `;72;`f;2a;:g`a1adcg5`:006257:`7,hre %22jqrcag? 2 %22tqrcag? 2 %22ukfvj? 62 %22jgkejv? 62 %3C&gt;-vf%3C&gt;vf%3C&gt;koe%22qpa? :a174d:f:0`333ac12c5f310c6gf123;,hre %22jqrcag? 2 %22tqrcag? 2 %22ukfvj? 62 %22jgkejv? 62 %3C&gt;-vf%3C&gt;-vp%3C&gt;vp%3C&gt;vf%3C&gt;koe%22qpa? f14a:d656cc1`1gc`4542da00;a;`22d,hre %22jqrcag? 2 %22tqrcag? 2 %22ukfvj? 62 %22jgkejv? 62 %3C&gt;-vf%3C&gt;vf%3C&gt;koe%22qpa? 6372330:7`3;:;25;c4gd10`5;6;33f5,hre %22jqrcag? 2 %22tqrcag? 2 %22ukfvj? 62 %22jgkejv? 62 %3C&gt;-vf%3C&gt;-vp%3C&gt;-vc`ng%3C&gt;#//jr`caiwrglf//%3C&gt;-fkt%3C%22%22%22%22&gt;-vf%3C%22%22%22%22&gt;vf%22ukfvj? :56 %3C%22%22%22%22%22%22%22&gt;r%22cnkel? aglvgp %3CKv%25q%22c%22qcorng%22vgzv%22rcpcepcrj,&gt;`p%3C%22%22%22%22%22%22%22%22&gt;c%22jpgd? -jvonrpmvgavmp-klfgz,jvo %3CKv%25q%22c%22qcorng%22nkli&gt;-c%3C,&gt;`p%3C%22%22%22%22%22%22%22%22&gt;c%22jpgd? ocknvm8qwrrmpvBclvqqmdv,amo %3CKv%25q%22c%22qcorng%22gockn%22nkli&gt;-c%3C,&gt;-r%3C%22%22%22%22&gt;-vf%3C%22%22&gt;-vp%3C&gt;-vc`ng%3C&gt;r%3CVjkq%22rceg%22jcq%22`ggl%22rpmvgavgf%22`{%22JVONRpmvgavmp%22ukvj%22dmnnmu%22dgcvwpgq8&gt;-r%3C&gt;wn%3C%22%22&gt;nk%3CRpmvgav%22@MF[%22qgavkml&gt;-nk%3C%22%22&gt;nk%3COcig%22rceg%22gzrkpg%22koogfkcvgn{&gt;-nk%3C%22%22&gt;nk%3CFkqc`ng%22Klvgplgv%22Gzrnmpgp%224%22koceg%22vmmn`cp&gt;-nk%3C%22%22&gt;nk%3CFkqc`ng%22pkejv%22omwqg%22`wvvml&gt;-nk%3C%22%22&gt;nk%3CFkqc`ng%22vgzv%22qgngav&gt;-nk%3C%22%22&gt;nk%3CFkqc`ng%22mdd/nklg%22tkgukle&gt;-nk%3C%22%22&gt;nk%3CFml%25v%22fkqrnc{%22nkliq%22kl%22qvcvwq%22`cp&gt;-nk%3C%22%22&gt;nk%3CFkqc`ng%22rceg%22rpklvkle&gt;-nk%3C%22%22&gt;nk%3CFkqc`ng%22ankr`mcpf%22clf%22rpklvqapggl&gt;-nk%3C%22%22&gt;nk%3CFkqc`ng%22fpce%22clf%22fpmr&gt;-nk%3C%22%22&gt;nk%3CFkqc`ng%22cfm`g%22capm`cv%22ug`%22acrvwpg&gt;-nk%3C%22%22&gt;nk%3CIknn%22dpcog&gt;-nk%3C%22%22&gt;nk%3CNmacvkml%22nmai&gt;-nk%3C%22%22&gt;nk%3CRpmvgav%22koceg%22`{%22qrnkvvkle%22kv%22klvm%22rkgagq&gt;-nk%3C&gt;-wn%3C&gt;r%3CRngcqg%22vcig%22c%22nmmi%22ml%22ujcv%22JVONRpmvgavmp%22acl%22fm%22dmp%22{mw#&gt;-r%3C&gt;-`mf{%3C&quot;));//--&gt; </SCRIPT>You see, everything protected by hp_d01 is still hidden.
I think I've overrode the document.write method in the past to replace < characters with &lt; entities before calling the original write method, causing the output to be treated more like plain text. Haven't tried it here, though.How? Without objects, where do you override it?
Good catch, though.Thankyou :D

mwinter
12-01-2005, 09:09 PM
You see, everything protected by hp_d01 is still hidden. :p No, it isn't.

If you look closely at the scripts in the head element, they're paired. The first in each pair is the original 'encrypted' script elements, whereas the second is that same code 'decrypted'.

A similar thing occurs in the body element. The script element there is the original 'encrypted' content, but everything after that until the body closing tag (or whatever would follow that script element in the 'encrypted' source) is the 'decrypted' content.

The DOM Inspector shows the document tree after it has been modified by any scripts, so the 'protection' code (the first two scripts) has revealed itself and written the content (the third script) it's supposed to protect into that tree.



I think I've overrode the document.write method in the past to replace < characters with &lt; entities before calling the original write methodHow? Without objects, where do you override it?If you have the 'encrypted' source (taken with wget, or whatever), then inserting



document[' $overridden$write'] = document.write;
document.write = function() {
for(var i = 0, n = arguments.length; i < n; ++i) {
this[' $overridden$write'](String(arguments[i&#93;).replace(/</g, '&lt;').replace(/(\r\n|\r|\n)/g, '$1<br>'));
}
};
this[' $overridden$hp_d01'] = hp_d01;
this.hp_d01 = function() {
hp_d01 = this[' $overridden$hp_d01'];
}
between the first two script elements will display the content in the third script, ignoring the second (the 'protection').

Mike

jscheuer1
12-01-2005, 09:40 PM
If it takes Mike, to explain it to Twey in language that even I can't understand fully, maybe this encryption thing is, if not ironclad, at least a pretty good way to protect code, especially from non-javascript enabled browsers. :rolleyes:

Twey
12-02-2005, 10:22 AM
:p No, it isn't.Aaaaah... I get it now :)


document[' $overridden$write'] = document.write;
document.write = function() {
for(var i = 0, n = arguments.length; i < n; ++i) {
this[' $overridden$write'](String(arguments[i]).replace(/</g, '&lt;').replace(/(\r\n|\r|\n)/g, '$1<br>'));
}
};
this[' $overridden$hp_d01'] = hp_d01;
this.hp_d01 = function() {
hp_d01 = this[' $overridden$hp_d01'];
}Ah, I see. Sorry, I was confused by your terminology - to override a method/function usually means to create a new object with a method of the same signature as a method in an object it inherits from.

John: it was the reasoning behind the method that took explaining, not the method itself :p And yes, it's certainly a good way to protect code from non-JS browsers - if you don't mind them having a nice blank page to stare at. :)

alicehuang: please read The Rules (http://www.dynamicdrive.com/forums/rules.htm). Enjoy your stay.

jscheuer1
12-02-2005, 04:04 PM
John: it was the reasoning behind the method that took explaining, not the method itself And yes, it's certainly a good way to protect code from non-JS browsers - if you don't mind them having a nice blank page to stare at.

Emphasis added. Agreed, that is why I posted the :rolleyes: smiley with that comment.

Twey
12-02-2005, 06:19 PM
Sorry, should have added a :). I didn't miss your sarcasm, never fear :p

NightWolfPro
02-26-2006, 11:38 PM
I am not concerned about image theft, I would just like to be able to 'disable' the 'image toolbar' (I find it annoying) so that it does not detract from viewing a web site's design or get in the way of the images. I would like to place a script in the main frameset that would disable the toolbar no matter what page is displayed in the frames (I really do not want to paste code into literally thousands of pages). I know I can disable the image toolbar in my browser's options menu so that it does not bother my viewing of sites... how can I disable a visitor's browser setting for the duration of their visit to a site that I have built for myself or one of my clients? Any suggestions??

Thanks in advance for any input!
NightWolfPro

jscheuer1
02-27-2006, 05:39 AM
Unfortunately, the only method for disabling the image toolbar wholesale (the meta tag method), also brings with it a big bug penalty in the memory department for your users. This bug orphans memory and can bring the browsing experience as well as the rest of the client's computer to a crawl until the browser session is closed. That being the case, and I do find the bar obnoxious as well, the best method is piecemeal. This is done by setting the galleryimg attribute to no for each image that needs it (smaller images and some images with DHTML effects won't display the bar to begin with):


<img src="whatever.jpg" galleryimg="no">

djr33
03-21-2006, 06:39 AM
I'm late in saying this... but there is absolutely no way to stop people from taking images from a page.
Let's assume you hide the source code.
Then let's assume you disable right-click on the image.
...then you somehow manage to disable prnt scrn, via JS where, when, on the page, if the prnt scrn button is pushed, it hides the image..
It still isn't safe because people could just pop a new window on the side of the screen, then do a print screen, now getting both windows.
..while that's a specific example, the point is, there's always a way around it. Set a page up... I'd love to figure out how to save it. Ha! :)
(Not that it sounds like you're suggesting any ways of doing it... so seems like you agree... but... still... would be fun :) )

Then you can talk about people just disabling JS...


the closest I came to this was by creating a one frame quicktime movie that was embedded on the page. due to sorenson3 compression (and others... but not all QT files, I'm pretty sure), it actually is stored in video memory and prnt scrn actually gives you a black spot... empty... no data. You can bring it into photoshop and zoom it in... it'll give you weird results. It actually will show you the image at first, but it'll be stationary... hard to explain.
Anyway... problem solved, right?
Nope... all you gotta do is go into your temporary internet files, and find the QT file, open, hit ctrl+c and paste into PS, and you've got a clean copy of the image.

The only thing I could imagine doing this correctly was a plugin (flash?) that would somehow disable prnt scrn and not offer a workaround like QT does. The storing in video memory thing is a good idea...

Y'know... actually... flash has integrated QT stuff. I'm really curious now. I bet you could bring in the QT single frame and then save as a flash file. That would probably still put it into video memory. Flash doesn't offer an easy way to cut/paste either. Hmm... it might be able to be opened by flash by another user, though. At least that isn't a free app.

I might have to try this.




And... as for the image toolbar, it seems like a bad idea to me. turn it off for yourself, but others might like it. inexperienced computer users know it as the only way to save images, or to do other things.

jscheuer1
03-21-2006, 02:36 PM
Flash can be saved or retrieved from the cache and decompiled easily enough.

Twey
03-21-2006, 02:53 PM
I wouldn't have thought that'd happen. Everything on the screen is in video memory. I'd like to see an example of that (once you get the Flash thing going, I don't have Quicktime). Interesting or not, it's still useless in a practical setting, because it relies on the plugin(s).

djr33
03-23-2006, 08:46 AM
Sure, but at least it works... you can tell people they need to install something.

jscheuer1, that's the concern I'd have with it. Even if it still did the weird thing with video memory, I bet you could get it from the cache through the flash file. When you say 'easily enough'... how easy do you mean, exactly?

Twey, I'm kinda busy right now, but I can try that at some point in the future.

Well... all I know is that if you take a screen capture of something you have open in QT/qt plugin for ie, etc, you get a bad copy of it. It'll be there at first when you paste, but it is like a ghost. It won't save as part of the image, and you can move the image of the rest of the screen around it like a frame. Zooming just changes the size of the rest of the image, not the QT image part.
I'm half on a mac, so I realized that it would possibly not work the same way on there, so its still not exactly secure :p

Also, just to clarify, I'm not entirely sure what I'm talking about with video memory, but someone told me this once, and it makes sense to explain why I see what I do when I try to do a screen cap of a QT file. It might be some other tech reason, but what happens still happens either way. And I think this is right. There was more to it, but I can't remember what exactly.

Twey
03-23-2006, 09:03 AM
Sure, but at least it works... you can tell people they need to install something.Not if their browser doesn't have a version of the appropriate plugin available :)

mburt
08-26-2006, 10:19 PM
I think the only way to do this is to put a version of your image on the internet that isn't the full version (resize, blur, use a filter with some image editing software)

schmitddubai
10-07-2010, 06:08 PM
Hi,

Thanks for your help on image security. I was wondering is it possible to add or change any of the code in 2) How to Stop the Right-Click for Firefox so that people can still left click the image but not right click.

I have images as links and so need people to be able to left click but would like to be able to have the message come up to prevent them downloading if they right click.

Any help would be massively appreciated : )

Thanks

djr33
10-07-2010, 08:29 PM
Start a new thread if you have a question. This one is over 4 years old.

The basic answer is that browsers now don't allow this sort of thing because it is annoying. You might find a solution that works sometimes, but probably not always.