Slashdot Mirror
JavaScript User Prohibitions Are Like Content DRM, But Even Less Effective (teleread.com)
Robotech_Master writes: It always puzzles me whenever I run across a post somewhere that uses JavaScript to try to prevent me from copying and pasting text, or even viewing the source. These measures are simple enough to bypass just by disabling JavaScript in my browser. It seems like these measures are very similar to the DRM publishers insist on slapping onto e-books and movie discs—easy to defeat, but they just keep throwing them on anyway because they might inconvenience a few people.
Damn near 1/2 the web switched on some shitty CloudFlare site blocking shit - and Tor users are being hit the worst!
No - No I will NOT turn on my javascript you fucking CloudFlare using sites. NEVER!
Nobody expects a "No Trespassing" sign to stop anybody from really doing anything they shouldn't, heck, you shouldn't expect your home locks to stop a burglar, and no, nobody thinks a "No Guns allowed" sign stops anybody with firearms.
But once you say "Stop, don't do it" then anybody making the effort to continue, no matter how trivial, has made an intentional action on their part.
Nobody who cares about security has Javascript enabled by default to begin with, given its track record so far.
I am a photographer, and I have no problem sharing this:
If you want to get around the image obfuscation used by most photo sharing sites and more and more news sites, open up firefox, and go to view -> page style -> no style. That usually gives you the actual image displayed somewhere in the resulting page. No plugins needed.
If you want to better ensure your name stays with an image, watermark it, and add meta-data. Depending on how annoying the watermark is, someone could take the time to paint it out, and meta data is trivial to strip. As the saying goes, if you can see it, you can take it. If you're that worried about it, don't show it to anyone.
... telling her how dumb this is. She knows, she didn't put those wheels into motion herself, and she sounds pretty gutted and apologetic.
Play nice.
Yeah. Scripting - it's shut off unless needed. For me to enable any scripting I really do have to want the cheese.
I'd rather find another site before any scripting is enabled in my browsers - and to accentuate my level of paranoia - I stopped loading Adobe stuff 5 years ago.
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
That's why I added the update right at the top explaining about that before the story even got picked up on Slashdot.
Editor Emeritus and Senior Writer, TeleRead.org
I think you underestimate how many people this sort of thing stops. Yeah, it won't stop most techheads, but the inconvenience is enough to stop most people. Hell, most people don't even know you can turn off javascript. Most people don't even know what javascript is.
That's sufficient for their purposes, really. They can't stop everyone, no system is perfect, its enough for them to minimize it.
be to trigger the DMCA. No matter how trivial it is you just violated the law by bypassing it...
/.? Seriously, it's not even a blog post. There's no content.
Also how slow a news day does it have to be for this to make the front page of
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Years ago, fark.com went from external images to hosted images. I didn't see the endgame.
This week, JavaScript is required to load the images. It's vendor lock in all over again. Because who uses an external host if you can just click upload?
And then I see the same advert every 5 posts.
Forbes is a white page to me, LATimes us just the menu with a word or two, and several other sites have absolute divs that cover most of the content.
Your whining about idiotic DRM is just the tip of the iceberg. Bypassing by disabling is one thing. Loading a giant page that renders illegibly requires server resources that, as long as I mostly have wi fi, I'm willing to refresh repeatedly to ensure it really is a problem with the site.
Sorry, false pedant, in this case "Javascript" is just a colloquialism for ECMAScript.
Serious question.... is it even possible to disable browser hotkeys while they are on a page so that they can't view the source code to the web page they are visiting?
File under 'M' for 'Manic ranting'
Who says you're using a browser to view or render a web page's contents?
Another possibility is they are trying to avoid getting sued by content providers- that they have applied best practices to protect media.
love is just extroverted narcissism
Even assuming that one is.... afaik, there is no way in javascript to disable menu items, or even the hotkeys to those items.... can you imagine a webpage blocking alt-f4?
File under 'M' for 'Manic ranting'
Some of the UI restrictions can be evaded just by pressing a special key like "shift" or "ctrl" while using the mouse and it does not require to disable javascript. I was so frustrated once that I copied the entire text from the page and posted it as a comment to tell them look, I can copy and paste.
I would venture to say that it inconveniences more than a few, the majority of whom have no idea there is an alternative. Typically Joe Sixpack is clueless a click bait victim and the bread and butter of 90% of content sellers.
Besides, Janice in accounting don't give a fuck!
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Javascript is a steaming pile of shit, riddled with vulnerabilities and broken from tip to top.
So of course they try to allow some overrides:
http://stackoverflow.com/quest...
Basically, you can google anything with "javascript disable" and get developers asking how to fuck their users in the pee hole. Often, there's an answer.
It wouldn't actually prevent users from viewing source though- I'm not aware of a way to do that. However, if there is, you can find it at good old google bombing expert sex change:
http://www.experts-exchange.co...
Also note: the real workaround for this isn't globally disabling javascript, though if everyone did that the web would shape up immediately. The real workaround is the various -monkeys that let you redefine pieces of javascript locally. Many sites go through several hoops to prevent loading on a browser that won't run their shitscript, but redefining parts and/or loading your own CSS can get you around most of it.
Nope, sorry. It's called Javascript, but it has nothing to do with Java. It's a totally different, interpreted language.
I did google before I asked the question... I saw many claims, but none seem to actually work, even without disabling javascript. Nonetheless, the article at the link in the summary said that Ctrl-U hotkey was somehow disabled for them.
File under 'M' for 'Manic ranting'
Yea, like I said, I'm not aware of any way to do that. If there is one, it won't be effective in general. What they probably did was put a shit lot of linefeeds after a "Viewing source is disabled" comment at the top of the HTML- I'm not even joking, that's a real thing people do lol
But you really can intercept Ctrl-U. The thing is, most browsers simply ignore it, for obvious reasons.
You probably saw this mewling poopsack:
http://stackoverflow.com/quest...
And this dumb jive turkey:
http://www.makingdifferent.com...
There's plenty of code in there that does it. You'll also find that, in general, working around it is as trivial as not using a shitty browser that listens to bad advice like that. I don't doubt that the guy ranting ran across something that actually did what he said it did, somewhere.
Seriously, can you believe that some browsers in the modern day trust remote code? It's really dumb.
You got to realize that someone knowledgeable in physical locks can bypass them as easy as you can bypass Javascript right click popups. Yet both still reduce undesirable actions, such as your story being reposted in full on someone's blog without giving credit, link to the source or a chance for you to make money on ads.
It makes a difference when you at least communicate your wishes clearly. Not saying that copying is illegal, or implementing this behavior is best policy, just that it at least significantly reduces copying in practice. I see some other sites that automatically append a link to source to the end of copy buffer. That is probably a much wiser policy for retaining existing readers and acquiring new ones.
The only thing I understood it was possible to disable in js was direct copy/paste, by intercepting mouse clicks on the panel, and disallowing the user from selecting text in the first place . That's a pretty far cry from disabling a hotkey, let alone a program menu item (fwiw, copy paste still technically works on the pages that try to disable it too, they just don't let you select text in the first place by intercepting the mouse click, so there's never anything to copy).
File under 'M' for 'Manic ranting'
Sometimes they don't even notice.
There was this site with "lessons" in using some API or library. There were code examples. And if you tried to select and copy, to paste an example into a compiler, a dialog would pop up telling you that the content is copyrighted and you're not allowed to copy it.
And at the bottom of the page was a survey, "What can I do to improve these lessons?"
I filled it out, with my email and a sarcastic comment about the copy restriction - that maybe forcing people to retype the examples isn't the best way of teaching. The owner of the site wrote me with a solemn apology, informing me that she didn't even notice the (dis)functionality was in place, and that it just got installed with the CMS and she didn't disable it because she didn't know it was there...
So... whoops?
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Well, in Firefox and probably others, shift-right-click bypasses all right-click javascript. So if a site disables right-clicking, you can just hold shift and still access "View Page Source" in the context menu. Or anything else - I use an addon called "Nuke Anything" that lets you remove bits of the page and right-click javascript often disables that...
Right, these assholes made everyone have workarounds. In Chrome, I have "Enable Copy" and "Enable Right Click", and if things get really rough then I go through some kinda monkey or whatever, but that's normally not an issue. I've never seen a browser in recent times that lets a website actually intercept Ctrl-U, but in strange aeons even common sense may die.
This website claims to disable Ctrl-U as well:
http://codingcrazy.com/disable...
With scripts enabled, it actually seems to disable Ctrl-U in Firefox and Palemoon (not Chrome). Obviously there are easy workarounds (addons solve it easily, but also just changing dom.event.contextmenu.enabled to false lets you happily right click). What do you see when you go there in those browsers?
The point is, obviously there are easy work arounds, and obviously most browsers ignore this crap, and obviously no users will really be stopped (the point of the top article). But, that still leaves some real questions. One, why would javascript even HAVE shit like this? This is part of my general rant about javascript being awful at every single level- in this case, the spec implies to the coder that he is in control of someone else's box. That means that the spec is implied as some kind of malicious hack that browsers and users have to work around. These commands shouldn't even exist in the first place! Two, why would anyone expect a browser to listen to this garbage, even a little? Right click is an interaction between the user and the browser, there's never a good reason to intercept that. Three, how are there coders in ANY language who don't understand this shit? Like you're writing vaguely-C-like code and you don't even understand that if you turn off a usability function, it will just make everyone pissed at you?
Sometimes they don't even notice...http://www.afu.ac.ae/en/admission/graduate-admissions/
> can you imagine a webpage blocking alt-f4
Sure, it's the onclose event. By javascript spec, any attempt to close the window should run the onclose stuff, which can simply return false, thus preventing the browser from closing.
Sample for an onclose event (this just fires an alert) is here:
http://www.htmlnest.com/javasc...
You'll notice that it doesn't actually work- not only can you alt-F4, you can also just close the damned window. This is because modern browsers no longer fully support this ludicrously awful command.
But it's still valid javascript. Because javascript is a goddamned nightmare.
..as a note, http://codingcrazy.com/disable... does seem to fuck with a default setting firefox or palemoon. Maybe it won't for you, I dunno. You don't need an addon to fix this behavior or anything, of course.
With No-Script blocking all scripting by default, it hadn't dawned on me that such activities occur.
Are sites which say enter your email address twice, but won't let me cut and paste the value from the one field to the other by trapping keyboard events. Yeah I get it, you're trying to stop email typos, but there are other, less annoying ways to deal with this problem - a confirmation email for example - and the chances are the site has one of those too.
What does ctrl-U do? I'm on a Mac and as far as I can tell there is no ctrl-U equivalent.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
satya nadella is that u
I googled "is google a verb" and it says yes:
https://www.google.com/?gws_rd...
Then I bung it:
http://www.bing.com/search?q=i...
So if even bing agrees that google is a verb, I guess that over rules "anonymous coward who can't capitalize for shit"
Your issue isn't that you are on a Mac, it's that you are in a version of Safari of 6 or later. In Lion and before, it was Strange Nordic Whilygig + U.
First, you could run firefox or chrome or whatever.
Second, Safari -> Preferences / Advanced Tab, ensure that the develop menu is on, then you can control click and get some options, among them view source.
This is obviously not as nice as having a keyboard shortcut like you used to have. If that's a deal, just grab a third party browser.
Ah, so ctrl-U is the short cut for "view source"? Did not get that from the comments.
Even if that is completely disabled, you could just save the page and open it in a text editor.
The developer menus are obviously always activated on my browsers :D
Thanx for the info.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
You overestimate the average user.
They have no idea that that stuff can be bypassed so easily.
If they did know, they'd think it's too much work.
Then they'd forget about that being possible.
Thank you, Bradley Manning, Edward Snowden and so many others, for courageously defending humanity, my freedom and more!
Copyright law is shit and should be overthrown. With JavaScript blocking the content is already on your computer. How are they going to find out that you disabled JavaScript and got full access? I guess it serves the purpose of some sort of threshold.
Thank you, Bradley Manning, Edward Snowden and so many others, for courageously defending humanity, my freedom and more!
Sorry, false pedant, in this case "Javascript" is just a colloquialism for ECMAScript.
I like this idea, but I think history says that JavaScript was coined long before Netscape handed it over to ECMA.
Some programmers weren't even born 20 years ago. New people will make old mistakes because they haven't learned about them yet.
If you need to write a "Web application" then you need access to things people expect to work, just as it works in their OS.
You can do things like block the default behavior of the hotkeys and stuff. But you basically can't stop someone from getting the source code, because the web is open.
Democracy Now! - your daily, uncensored, corporate-free
Yes, we all know that if they let you look at the page, your computer will download all the associated files and you'll have them. Just taking the files out of your Firefox cache is an obvious solution. Going in with developer tools already open is another one.
That being said, most people don't even try these measures anymore. They used to be a lot more common. But even the average web user is getting more sophisticated.
The new effort is to try to bake DRM into the browsers themselves.
Democracy Now! - your daily, uncensored, corporate-free
Comment removed based on user account deletion
Comment removed based on user account deletion
Wow... the website genuinely does block Ctrl-U, as well as other hotkeys, such as F12 to activate Firebug, which I didn't know was possible, although just clicking just once in the address bar while the page is showing, and then hitting the desired hotkey bypasses this.
Also, of course, the menu choices to access the source in this way are still enabled and work normally.
File under 'M' for 'Manic ranting'
Comment removed based on user account deletion
Javasript is the Next Flash. Its time is coming. I have to use it, and it is a nasty buggy little language with so many amateur practices built right into it I need a shower after using it.
It is a "language" developed over a weekend by a guy at Netscape to push some HTML around back in the nineties. It was meant to be a throw away effort. Built NOT to last. He called it Javascript because Java had just come out and he thought it would be cute to give it that name. Following the Law of Unintended Consequences it actually caught on.
Comment removed based on user account deletion
Nah, Slashdot couldn't be Tumblr... Tumblr has much better porn!
I've abandoned my search for truth; now I'm just looking for some useful delusions.
That's a lie, and that's bullshit. This destroys the user interface, and should never be allowed or tolerated. If these guys weren't malicious, they'd implement a little drag-down menu that would do all their things, or have a standard way of visibly showing the difference between an in-app menu and user level application menu. Even supporting this shit in the code makes developers confused, and they think they can vector hotkeys and tie them to ground.
Fucking idiots and assholes, enabled by a monumentally shitty language API.
You know you can find them whining that they can't stop the user from CLOSING THE BROWSER? After all, the "webapp" shouldn't close when the user says close, and the fact that it's somehow standing on the browsers head is something that needs to be bypassed in that stupid language. The fact that things like "onclose" stopped being implemented, and the fact that they are currently finding workarounds for "stop this page from creating additional dialogs" is a big problem.
The design is broken from head to toe.
That's nice of you, because apparently if he lost his original file, he wouldn't have a backup! You're doing the work of the gods, sir!
The website tries to own the right click key too. It tries to vector everything it can, but you'll notice that a lot of it fails to work in many browsers, and all of it is trivially able to be worked around.
Javascript is such a turd lol
> Ah, so ctrl-U is the short cut for "view source"?
It's in the links and is quite googlable, but the post I made discussing viewing source should have been the tipoff :P
> Even if that is completely disabled, you could just save the page and open it in a text editor.
Dude, if they think they can disable Ctrl-U, they ALSO think they can disable Ctrl-S and Ctrl-P. Depending on how gullible your browser is, one of the above links tries to do that too.
> The developer menus are obviously always activated on my browsers
Nice. So Safari already has a mode that steps so far above this stuff that you didn't even realize there were ANY people, ANY where, to whom it might inconvenience, because Safari makes it not even a thing. Excellent.
The article doesn't make this point much, but it should- that a lot of modern browsers ignore ALL this stuff anyway.
...in the not-too-distant future, the html document you requested will not load, and you'll be shown a short notification instead, saying "please use an OS and browser that comply with our DRM policy"? I am already seeing lots of messages of that flavor while I'm browsing the web using Linux/Firefox, tracking disabled. The claim is that I am trying to view valuable content without paying for it (pop-under windows and user tracking being the currency).
Yeah, my bad, did not notice that the title of the thread was "Re:How do you stop someone from viewing the source" ;D
Following the stack overflow links I was more wondering about the idiotic approaches many use to accomplish that goal, and I did not really figure by reading them what ctrl-U was supposed to do.
So Safari already has a mode that steps so far above ... I used to use Chrome, but it has several nasty drawbacks for me. I stopped using FireFox since it is automatically updating and you can not prevent it. Actually I wonder if I should try to write my own browser. A browser that simply does nothing as long as the user does nothing. It pisses the hell out of me that every stupid web site thinks it needs an "autoreload" Javascript and as soon as you enter a WiFi network where you have to enter credentials via a web page, all "autorelaoding tabs" lose their content.
Not sure if it is far above
Does not even need to be an autorelaod, a simple XmlHTTPRequest is enough to get the whole page redirected and the back button often does not work when you are finally connected.
Right now, besides Safari, I use Opera. The only browser that honours the "don't start flash movies automatically" setting when a tab gets "restored" after restart.
But Opera is hiding the close Icon/Button under the websites flavicon ... only a visual glitch, but why people come on those ideas ... that is beyond me.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
One of the big problems with writing a browser that does what the user wants is how aggressively ludicrous the javascript devs can be. For instance, many browsers have a setting that disables the ability of right click to be controlled from the HTML, but of course javascript can POLL this flag, and act on the result. The browser shouldn't be leaking user state like that, and it certainly shouldn't allow a savvy user to be asked to pull down their pants and bend over. It's totally possible to create a browser that does all this- but little flags to ignore bad-by-design features are both fiddly and doomed to failure.
Examples:
Everyone hates popups. Popup blockers became a thing, then they just were enabled by default. But then javascript offered popups, and now you can get blockers to disable them. And how many websites do you visit that look reasonable until about 10 seconds in when they suddenly overlay a gray or black box over the whole fucking screen, and force you to interact with them (and keep in mind, the fact that interacting with them removes the overlay is ENTIRELY optional!)? Savvy users will use ublock origin (or Remove it Permanently, or many other things) to eliminate shit like this. Even fucking Wikipedia does this! So there's a workaround, but not a solid generic fix for this shit. The fact is, the browser needs to be fundamentally incapable of taking remote commands like this, while ALSO appearing to take these commands from the server side, to prevent hostile devs from shitting the bed when they detect this.
The "right" answer wouldn't just stop this stuff- it would cut it all off at the source, no matter how clever or evil the javascript writers become- because at least on the evil axis, there seems to be no limit.
... Slashdot has turned me into a screener. With posts like this one, I always check if they're from our friend Bennet before I go to the comments section.
Java is to JavaScript as ham is to hamster.
Here's what the accepted answer at expert sex change says (in case anyone is interested):
PresidentUTA Accepted Solution on 2001-11-03 at 18:47:09 ID: 6616667
Well their is a way to scramble the code so it doesnt make much sense, you can find that little nifty script / prgm at - http://www.dynamicdrive.com/dy... - Not to bad, combine this with the click disabler mentioned above and you are set
Not much of an expert if you ask me.
History, or at least English, also teaches that etymology is just for nerds and is not instructive of meaning.
History, or at least English, also teaches that etymology is just for nerds and is not instructive of meaning.
I think etymology gives very clear meaning to your previous post.
Good point. And SCSI was intended to be sexy rather than scuzzy. Nerds love etymology, but they know not to honor it. ;)