-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hide source code possibility #269
Comments
The users will have that container and the open source decoder (which is node-webkit) and the key (if there is a key), because node-webkit needs to open that container somehow (in order to execute its contents). How do you expect the container's contents to remain concealed then? |
@Mithgol |
Aren't executable resources even easier to read than just appending a zip file to node-webkit like it happens in the Windows deploy? |
@graphnode
Any suggestion is welcome |
I front-end dev and don't want to show my source (HTML/CSS/JS) customers up to get money.
How to create this build:
|
It should be possible to 'protect' the JS code with something based on v8 snapshot. We'll see this feature, but some contract is still suggested to protect your IP by law. I can see a standalone tool to compile the code into v8 snapshot and the support in node-webkit to load them on start. |
+1 for V8 snapshot support! |
I understand that this would just be an annoyance for someone who is truly dedicated to getting your code/source or copying the program but it would be a major roadblock for many people. It would be a big benefit for some of the applications we've been looking at using node-webkit for. +1 for me |
Please see the document here: https://github.com/rogerwang/node-webkit/wiki/Protect-JavaScript-source-code-with-v8-snapshot Comments are welcome. |
This feature was just released with 0.4.2. |
@rogerwang may I ask why it is limited to such a low amount? If it's based off V8 and using a heap snapshot should it not be limited to maximum heap snapshot size (256mb?)? |
@dubcanada it's not a hard limit and can be fixed. The reason of the current limitation is that the objects or code has to be in the same |
We are looking to use node-webkit on a application, which by nature requires the codes (some) to be compiled, specially authentication of the product limitations, etc. From the wiki; "snapshot": "mysnapshot.bin" I assume only 1 bin file? can this be "snapshot": [ "a.bin", "b.bin" ] ? and what does ~30% slower mean, assuming, the compiled js only returns js code computations or the js also touches ui staff? and the compile js can also access nodejs.require? |
@rogerwang I'd like to add such a feature to off-the-shelf command line nodejs executive so I can launch node with snapshot this way.
According to your patch, it seems that Besides loading the snapshot binary file and pass it to where nodejs initialize v8 instance, is there anything I need to take care? |
I'm thinking of migrating an intranet web application off the server and rewriting it for node-webkit. Given the baggage/limitations of nwsnapshot and the fact that anyone can read and or modify the code, how are you guys dealing with database authentication and such that requires usernames/passwords? I suppose doing something like this would also entail wrapping database access into a set of web services (and those would have to live on a server somewhere). Then the node-webkit app uses an API key assigned to each user or something to gain access. |
@frankhale Hosting the solution on IIS for an intranet application on a domain was a perfect solution for me. The login popup uses windows authentication and it worked perfectly. I don't know what your solution needs to look like though. |
@frankhale everything what is on client machine should be by definition considered untrusted. Making desktop application is nothing different in that matter, so all your sensitive data should stay on server. |
Windows authentication would certainly work and that is how it's currently On Wed, Nov 20, 2013 at 1:46 PM, Jakub Szwacz notifications@gh.neting.ccwrote:
|
I am wondering why the code runs slower. Could anybody offer an explanation? |
This just provides a false sense of security. I could see the full source code using the Dev Tools after loading the snapshot.bin file. We should just accept the fact that there's no reliable way of protecting JS source code. /cc @rogerwang |
@petejkim there is a bug introduced in 0.8.0 which makes the source code exposed. Could you please try again with 0.7.4? |
I'd also want to know. From my limited point of view, the snapshot should save loading time, as stuff doesn't need to be loaded individually and interpreted anymore, and run equally fast when loaded. But I have no idea how this actually works... so why is it 30% slower? And can anything be done about it? I'm actually not that interested in hiding the source code, but instead this seems like a nice way how to put all stuff into one nice bin file and not have it scattered everywhere, or in need of unpacking into tmp folder and running from there. This looks like the nicest way how to package apps, no? |
The temp folder of node-webkit application may have own access policies which deny any access to the user, like Windows 8 Metro-applications do. EDIT
Be careful: I occasionly killed all my code this way one day :[ Better create a copy before trying. |
@darsain the code run slower because it's compiled with the slower compiler in v8. The other (faster) one needs runtime profiling data to do better optimizations. |
I tried using enigma virtualbox for the hope of that but there are still |
Also: igorklopov/enclose#9 |
How can I hide toolbar programmatically? |
@namaljayathunga check the wiki. |
Chiming in on this topic as it's pretty interesting for me. I'm developing a (hopefully) closed source game engine with JavaScript and NodeWebkit (I'm still on For example, I have all my proprietary code concatenated to |
Having a custom snapshot does not affect other parts of V8, including compiling and running scripts. So your game.js can be included in the snapshot, but vendor.js does not need to be. However, V8 snapshot is not designed to hide source code. Chances are that the source of game.js will be serialized into the snapshot as well. Extracting it from the snapshot would be fairly easy. |
Ah right that's good to know, but as per #269 (comment), doesn't the recompilation avoidance stop the source code from being exposed or am I misunderstanding? |
Well you could definitely hack V8 to drop the source code, and make sure it's not used for display or recompilation, but V8 does not support this out of the box. Unfortunately I don't know whether nw.js has patched V8 to do that. |
@hashseed @rohan-deshpande yeah, NW supports dropping source code for source code protection, check http://docs.nwjs.io/en/latest/For%20Users/Advanced/Protect%20JavaScript%20Source%20Code/ |
Thanks @rogerwang, so let's take my example (#269 (comment)), if you used the source code protection for |
@rohan-deshpande the document said this clearly: "The compiled code runs slower than normal JS: ~30% performance according to v8bench. Other non-compiled JS source code will not be affected." |
Cool! Yes I read that just wondering if I read it correctly or not. Thanks for clearing it up :) |
@rogerwang you could give this a try: run V8 with --ignition --turbo. That forces V8 to use a different compiling pipeline. Ignition is our upcoming interpreter that compiles source to bytecode. We can then optimize from bytecode directly without having to parse from source. |
@hashseed great! will try. |
Are there any issues with source code protection mentioned here? http://docs.nwjs.io/en/latest/For%20Users/Advanced/Protect%20JavaScript%20Source%20Code/ I know a previous version had a bug and I'm wondering if my source code would be totally protected. |
@danschumann no there is no issues. |
How reliable this way to protect source code now? Is it possible to crack the javascript source code now (last ver nwjs 0.20.1)? |
Refer to the two comments above yours. |
Haha, come on, if he'd release the source code, alphasdev and all of us would be able to know. What is the point of publishing something on GitHub if you are not going to use it for SOURCE CODE ? It's not a file hosting ffs. |
@darkguy2008, off topic. |
That's not offtopic, we're talking about the code protection which we can't see if the source code is not published. It's pretty on-topic for me. |
I cannot see how someone's opinion on GitHub's purpose pertains to or aids this discussion/issue. |
Ah crap, my bad, I thought this was about that other side-project which uses nw.js and claims to be able to hide the source code but he never releases the source code because he's a jerk. Sorry about all the offtopic xD |
This should become possible soon. V8 is going to switch to a bytecode interpreter and the new optimizing compiler in the next few months. Once that's done, V8 will no longer need the source code, if everything is compiled to bytecode ahead of time. |
@hashseed isn't this topic about a similar method of protection? I open up the .bin files with a hex editor and I see a few recognizable names, including strings, but isn't the rest already some sort of byte code which cannot be turned back into readable javascript? You're just saying that they're adding it to the core V8, including web browsers soon, right? |
@danschumann the issue is that currently, in order to compile to a native V8 snapshot, run time V8 optimizations have to be sacrificed, and hence the code ends up being 30-50% slower. A bytecode compiler/interpreter would solve this problem by natively supporting compiled javascript while still being able to do run time optimizations. Thus it would be a win-win for NW.js to adopt this method of compilation vs the existing one, once @hashseed and their team get their implementation ready. |
Currently, V8 needs to include the source string for the functions it includes in the snapshot. Otherwise it cannot recompile these functions to optimized code. Afaik nw.js includes a hack to remove the source string to obscure it, but that prevents optimization. V8 will soon move to a compiler pipeline that does not need the source string to recompile to optimized code anymore. So for these, we could introduce a new option to eagerly compile functions to include the bytecode in the snapshot, and in return be able to drop the source string. |
Happy to announce that it's fixed finally, source code protection performance vastly improved: https://nwjs.io/blog/js-src-protect-perf/ |
@rogerwang Good job man. |
I am very late here, but @rogerwang my biggest respect - thank you very much! |
I mean about executable container, which not allow to show source code.
Not offer obfuscation
The text was updated successfully, but these errors were encountered: