sbruchmann 3404 days ago. link 1 point
I have two concerns with these kinds of things (not with your project in particular):

  - Is there a performance decrease after scrambling your code?
  - Since scramblers are using `eval` most of the time, are there any security concerns?

Replies

naugtur 3404 days ago. link 2 points
Eval is not used within logic so no security concerns here. The only issue is that it will be blocked by content security policy if you have one.

Performance will be identical after the code gets interpreted and compiled, but you lose some precious time on decoding that during page load and init.

The only valid concern is that it actually does nothing to protect your code and makes your file much bigger. Whatever is passed to eval must be valid javascript anyway. It's kinda like saying that gzip compression on http increases privacy because it gets harder to read. 

There is no obfuscation that can be applied to javascript to prevent its reading because the browser needs to read it. This will remain true as long as jit compilers for js exist.

andreas.marschke 3403 days ago. link 1 point
Thanks for clearing that up. I'll update it if the CSP I'm targeting doesn't like it. So far it's just a distributed prototype that'll sit there and wait for its test run.

Code Protection isn't the goal either or I would have said that in the documentation. All it's supposed to do is scramble code to a degree that's necessary for the targeted platform not getting suspicious.

Since the code is also only run on a page that is so laden with JS before and after it, I feel like it doesn't necessarily matter that much.